Documentation ¶
Index ¶
- Constants
- Variables
- func FindContainerID(s string) string
- func GetEventTypePerCategory() map[EventCategory][]eval.EventType
- func GetHostByteOrder() binary.ByteOrder
- func IsAlphaNumeric(r rune) bool
- func IsPrintable(s string) bool
- func IsPrintableASCII(s string) bool
- func SliceToArray(src []byte, dst unsafe.Pointer)
- func StringifyHelpersList(input []uint32) []string
- func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)
- func UnmarshalPrintableString(data []byte, size int) (string, error)
- func UnmarshalString(data []byte, size int) (string, error)
- func UnmarshalStringArray(data []byte) ([]string, error)
- type ArgsEntry
- type ArgsEnvs
- type ArgsEnvsCacheEntry
- type ArgsEnvsEvent
- type BPFAttachType
- type BPFCmd
- type BPFEvent
- type BPFHelperFunc
- type BPFMap
- type BPFMapType
- type BPFProgram
- type BPFProgramType
- type BinaryUnmarshaler
- type CapsetEvent
- type ChmodEvent
- type ChmodMode
- type ChownEvent
- type ContainerContext
- type Credentials
- type EnvsEntry
- type Event
- func (e *Event) GetEventType() EventType
- func (e *Event) GetFieldEventType(field eval.Field) (eval.EventType, error)
- func (e *Event) GetFieldType(field eval.Field) (reflect.Kind, error)
- func (e *Event) GetFieldValue(field eval.Field) (interface{}, error)
- func (e *Event) GetFields() []eval.Field
- func (e *Event) GetPointer() unsafe.Pointer
- func (e *Event) GetTags() []string
- func (e *Event) GetType() string
- func (e *Event) SetFieldValue(field eval.Field, value interface{}) error
- func (e *Event) UnmarshalBinary(data []byte) (int, error)
- type EventCategory
- type EventType
- type ExecEvent
- type FileEvent
- type FileFields
- type InvalidateDentryEvent
- type KernelCapability
- type LinkEvent
- type LoadModuleEvent
- type MMapEvent
- type MMapFlag
- type MProtectEvent
- type MkdirEvent
- type Model
- func (m *Model) GetEvaluator(field eval.Field, regID eval.RegisterID) (eval.Evaluator, error)
- func (m *Model) GetEventTypes() []eval.EventType
- func (m *Model) GetIterator(field eval.Field) (eval.Iterator, error)
- func (m *Model) NewEvent() eval.Event
- func (m *Model) ValidateField(field eval.Field, fieldValue eval.FieldValue) error
- type MountEvent
- type MountReleasedEvent
- type OpenEvent
- type OpenFlags
- type PTraceEvent
- type PTraceRequest
- type Process
- type ProcessAncestorsIterator
- type ProcessCacheEntry
- func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)
- func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
- func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)
- func (e *ProcessCacheEntry) Release()
- func (e *ProcessCacheEntry) Reset()
- func (e *ProcessCacheEntry) Retain()
- func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)
- func (e *ProcessCacheEntry) SetReleaseCallback(callback func())
- type ProcessContext
- type Protection
- type RenameEvent
- type RetValError
- type RmdirEvent
- type SELinuxEvent
- type SELinuxEventKind
- type SetXAttrEvent
- type SetgidEvent
- type SetuidEvent
- type Signal
- type SignalEvent
- type SpanContext
- type SyscallEvent
- type UmountEvent
- type UnlinkEvent
- type UnlinkFlags
- type UnloadModuleEvent
- type UtimesEvent
- type VMFlag
Constants ¶
const ( // MaxSegmentLength defines the maximum length of each segment of a path MaxSegmentLength = 255 // MaxPathDepth defines the maximum depth of a path MaxPathDepth = 1500 // MaxBpfObjName defines the maximum length of a Bpf object name MaxBpfObjName = 16 // PathSuffix defines the suffix used for path fields PathSuffix = ".path" // NameSuffix defines the suffix used for name fields NameSuffix = ".name" )
const ( LowerLayer = 1 << iota UpperLayer )
File flags
Variables ¶
var ( // BPFCmdConstants is the list of BPF commands BPFCmdConstants = map[string]BPFCmd{ "BPF_MAP_CREATE": BpfMapCreateCmd, "BPF_MAP_LOOKUP_ELEM": BpfMapLookupElemCmd, "BPF_MAP_UPDATE_ELEM": BpfMapUpdateElemCmd, "BPF_MAP_DELETE_ELEM": BpfMapDeleteElemCmd, "BPF_MAP_GET_NEXT_KEY": BpfMapGetNextKeyCmd, "BPF_PROG_LOAD": BpfProgLoadCmd, "BPF_OBJ_PIN": BpfObjPinCmd, "BPF_OBJ_GET": BpfObjGetCmd, "BPF_PROG_ATTACH": BpfProgAttachCmd, "BPF_PROG_DETACH": BpfProgDetachCmd, "BPF_PROG_TEST_RUN": BpfProgTestRunCmd, "BPF_PROG_RUN": BpfProgTestRunCmd, "BPF_PROG_GET_NEXT_ID": BpfProgGetNextIDCmd, "BPF_MAP_GET_NEXT_ID": BpfMapGetNextIDCmd, "BPF_PROG_GET_FD_BY_ID": BpfProgGetFdByIDCmd, "BPF_MAP_GET_FD_BY_ID": BpfMapGetFdByIDCmd, "BPF_OBJ_GET_INFO_BY_FD": BpfObjGetInfoByFdCmd, "BPF_PROG_QUERY": BpfProgQueryCmd, "BPF_RAW_TRACEPOINT_OPEN": BpfRawTracepointOpenCmd, "BPF_BTF_LOAD": BpfBtfLoadCmd, "BPF_BTF_GET_FD_BY_ID": BpfBtfGetFdByIDCmd, "BPF_TASK_FD_QUERY": BpfTaskFdQueryCmd, "BPF_MAP_LOOKUP_AND_DELETE_ELEM": BpfMapLookupAndDeleteElemCmd, "BPF_MAP_FREEZE": BpfMapFreezeCmd, "BPF_BTF_GET_NEXT_ID": BpfBtfGetNextIDCmd, "BPF_MAP_LOOKUP_BATCH": BpfMapLookupBatchCmd, "BPF_MAP_LOOKUP_AND_DELETE_BATCH": BpfMapLookupAndDeleteBatchCmd, "BPF_MAP_UPDATE_BATCH": BpfMapUpdateBatchCmd, "BPF_MAP_DELETE_BATCH": BpfMapDeleteBatchCmd, "BPF_LINK_CREATE": BpfLinkCreateCmd, "BPF_LINK_UPDATE": BpfLinkUpdateCmd, "BPF_LINK_GET_FD_BY_ID": BpfLinkGetFdByIDCmd, "BPF_LINK_GET_NEXT_ID": BpfLinkGetNextIDCmd, "BPF_ENABLE_STATS": BpfEnableStatsCmd, "BPF_ITER_CREATE": BpfIterCreateCmd, "BPF_LINK_DETACH": BpfLinkDetachCmd, "BPF_PROG_BIND_MAP": BpfProgBindMapCmd, } // BPFHelperFuncConstants is the list of BPF helper func constants BPFHelperFuncConstants = map[string]BPFHelperFunc{}/* 166 elements not displayed */ // BPFMapTypeConstants is the list of BPF map type constants BPFMapTypeConstants = map[string]BPFMapType{ "BPF_MAP_TYPE_UNSPEC": BpfMapTypeUnspec, "BPF_MAP_TYPE_HASH": BpfMapTypeHash, "BPF_MAP_TYPE_ARRAY": BpfMapTypeArray, "BPF_MAP_TYPE_PROG_ARRAY": BpfMapTypeProgArray, "BPF_MAP_TYPE_PERF_EVENT_ARRAY": BpfMapTypePerfEventArray, "BPF_MAP_TYPE_PERCPU_HASH": BpfMapTypePercpuHash, "BPF_MAP_TYPE_PERCPU_ARRAY": BpfMapTypePercpuArray, "BPF_MAP_TYPE_STACK_TRACE": BpfMapTypeStackTrace, "BPF_MAP_TYPE_CGROUP_ARRAY": BpfMapTypeCgroupArray, "BPF_MAP_TYPE_LRU_HASH": BpfMapTypeLruHash, "BPF_MAP_TYPE_LRU_PERCPU_HASH": BpfMapTypeLruPercpuHash, "BPF_MAP_TYPE_LPM_TRIE": BpfMapTypeLpmTrie, "BPF_MAP_TYPE_ARRAY_OF_MAPS": BpfMapTypeArrayOfMaps, "BPF_MAP_TYPE_HASH_OF_MAPS": BpfMapTypeHashOfMaps, "BPF_MAP_TYPE_DEVMAP": BpfMapTypeDevmap, "BPF_MAP_TYPE_SOCKMAP": BpfMapTypeSockmap, "BPF_MAP_TYPE_CPUMAP": BpfMapTypeCPUmap, "BPF_MAP_TYPE_XSKMAP": BpfMapTypeXskmap, "BPF_MAP_TYPE_SOCKHASH": BpfMapTypeSockhash, "BPF_MAP_TYPE_CGROUP_STORAGE": BpfMapTypeCgroupStorage, "BPF_MAP_TYPE_REUSEPORT_SOCKARRAY": BpfMapTypeReuseportSockarray, "BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE": BpfMapTypePercpuCgroupStorage, "BPF_MAP_TYPE_QUEUE": BpfMapTypeQueue, "BPF_MAP_TYPE_STACK": BpfMapTypeStack, "BPF_MAP_TYPE_SK_STORAGE": BpfMapTypeSkStorage, "BPF_MAP_TYPE_DEVMAP_HASH": BpfMapTypeDevmapHash, "BPF_MAP_TYPE_STRUCT_OPS": BpfMapTypeStructOps, "BPF_MAP_TYPE_RINGBUF": BpfMapTypeRingbuf, "BPF_MAP_TYPE_INODE_STORAGE": BpfMapTypeInodeStorage, "BPF_MAP_TYPE_TASK_STORAGE": BpfMapTypeTaskStorage, } // BPFProgramTypeConstants is the list of BPF program type constants BPFProgramTypeConstants = map[string]BPFProgramType{ "BPF_PROG_TYPE_UNSPEC": BpfProgTypeUnspec, "BPF_PROG_TYPE_SOCKET_FILTER": BpfProgTypeSocketFilter, "BPF_PROG_TYPE_KPROBE": BpfProgTypeKprobe, "BPF_PROG_TYPE_SCHED_CLS": BpfProgTypeSchedCls, "BPF_PROG_TYPE_SCHED_ACT": BpfProgTypeSchedAct, "BPF_PROG_TYPE_TRACEPOINT": BpfProgTypeTracepoint, "BPF_PROG_TYPE_XDP": BpfProgTypeXdp, "BPF_PROG_TYPE_PERF_EVENT": BpfProgTypePerfEvent, "BPF_PROG_TYPE_CGROUP_SKB": BpfProgTypeCgroupSkb, "BPF_PROG_TYPE_CGROUP_SOCK": BpfProgTypeCgroupSock, "BPF_PROG_TYPE_LWT_IN": BpfProgTypeLwtIn, "BPF_PROG_TYPE_LWT_OUT": BpfProgTypeLwtOut, "BPF_PROG_TYPE_LWT_XMIT": BpfProgTypeLwtXmit, "BPF_PROG_TYPE_SOCK_OPS": BpfProgTypeSockOps, "BPF_PROG_TYPE_SK_SKB": BpfProgTypeSkSkb, "BPF_PROG_TYPE_CGROUP_DEVICE": BpfProgTypeCgroupDevice, "BPF_PROG_TYPE_SK_MSG": BpfProgTypeSkMsg, "BPF_PROG_TYPE_RAW_TRACEPOINT": BpfProgTypeRawTracepoint, "BPF_PROG_TYPE_CGROUP_SOCK_ADDR": BpfProgTypeCgroupSockAddr, "BPF_PROG_TYPE_LWT_SEG6LOCAL": BpfProgTypeLwtSeg6local, "BPF_PROG_TYPE_LIRC_MODE2": BpfProgTypeLircMode2, "BPF_PROG_TYPE_SK_REUSEPORT": BpfProgTypeSkReuseport, "BPF_PROG_TYPE_FLOW_DISSECTOR": BpfProgTypeFlowDissector, "BPF_PROG_TYPE_CGROUP_SYSCTL": BpfProgTypeCgroupSysctl, "BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE": BpfProgTypeRawTracepointWritable, "BPF_PROG_TYPE_CGROUP_SOCKOPT": BpfProgTypeCgroupSockopt, "BPF_PROG_TYPE_TRACING": BpfProgTypeTracing, "BPF_PROG_TYPE_STRUCT_OPS": BpfProgTypeStructOps, "BPF_PROG_TYPE_EXT": BpfProgTypeExt, "BPF_PROG_TYPE_LSM": BpfProgTypeLsm, "BPF_PROG_TYPE_SK_LOOKUP": BpfProgTypeSkLookup, } // BPFAttachTypeConstants is the list of BPF attach type constants BPFAttachTypeConstants = map[string]BPFAttachType{ "BPF_CGROUP_INET_INGRESS": BpfCgroupInetIngress, "BPF_CGROUP_INET_EGRESS": BpfCgroupInetEgress, "BPF_CGROUP_INET_SOCK_CREATE": BpfCgroupInetSockCreate, "BPF_CGROUP_SOCK_OPS": BpfCgroupSockOps, "BPF_SK_SKB_STREAM_PARSER": BpfSkSkbStreamParser, "BPF_SK_SKB_STREAM_VERDICT": BpfSkSkbStreamVerdict, "BPF_CGROUP_DEVICE": BpfCgroupDevice, "BPF_SK_MSG_VERDICT": BpfSkMsgVerdict, "BPF_CGROUP_INET4_BIND": BpfCgroupInet4Bind, "BPF_CGROUP_INET6_BIND": BpfCgroupInet6Bind, "BPF_CGROUP_INET4_CONNECT": BpfCgroupInet4Connect, "BPF_CGROUP_INET6_CONNECT": BpfCgroupInet6Connect, "BPF_CGROUP_INET4_POST_BIND": BpfCgroupInet4PostBind, "BPF_CGROUP_INET6_POST_BIND": BpfCgroupInet6PostBind, "BPF_CGROUP_UDP4_SENDMSG": BpfCgroupUDP4Sendmsg, "BPF_CGROUP_UDP6_SENDMSG": BpfCgroupUDP6Sendmsg, "BPF_LIRC_MODE2": BpfLircMode2, "BPF_FLOW_DISSECTOR": BpfFlowDissector, "BPF_CGROUP_SYSCTL": BpfCgroupSysctl, "BPF_CGROUP_UDP4_RECVMSG": BpfCgroupUDP4Recvmsg, "BPF_CGROUP_UDP6_RECVMSG": BpfCgroupUDP6Recvmsg, "BPF_CGROUP_GETSOCKOPT": BpfCgroupGetsockopt, "BPF_CGROUP_SETSOCKOPT": BpfCgroupSetsockopt, "BPF_TRACE_RAW_TP": BpfTraceRawTp, "BPF_TRACE_FENTRY": BpfTraceFentry, "BPF_TRACE_FEXIT": BpfTraceFexit, "BPF_MODIFY_RETURN": BpfModifyReturn, "BPF_LSM_MAC": BpfLsmMac, "BPF_TRACE_ITER": BpfTraceIter, "BPF_CGROUP_INET4_GETPEERNAME": BpfCgroupInet4Getpeername, "BPF_CGROUP_INET6_GETPEERNAME": BpfCgroupInet6Getpeername, "BPF_CGROUP_INET4_GETSOCKNAME": BpfCgroupInet4Getsockname, "BPF_CGROUP_INET6_GETSOCKNAME": BpfCgroupInet6Getsockname, "BPF_XDP_DEVMAP": BpfXdpDevmap, "BPF_CGROUP_INET_SOCK_RELEASE": BpfCgroupInetSockRelease, "BPF_XDP_CPUMAP": BpfXdpCPUmap, "BPF_SK_LOOKUP": BpfSkLookup, "BPF_XDP": BpfXdp, "BPF_SK_SKB_VERDICT": BpfSkSkbVerdict, } // SECLConstants are constants available in runtime security agent rules SECLConstants = map[string]interface{}{ "true": &eval.BoolEvaluator{Value: true}, "false": &eval.BoolEvaluator{Value: false}, } )
var ( // ErrNotEnoughData is returned when the buffer is too small to unmarshal the event ErrNotEnoughData = errors.New("not enough data") // ErrStringArrayOverflow returned when there is a string array overflow ErrStringArrayOverflow = errors.New("string array overflow") // ErrNonPrintable returned when a string contains non printable char ErrNonPrintable = errors.New("non printable") )
var ByteOrder binary.ByteOrder
ByteOrder holds the hosts byte order
var ( // KernelCapabilityConstants list of kernel capabilities KernelCapabilityConstants = map[string]uint64{ "CAP_AUDIT_CONTROL": 1 << unix.CAP_AUDIT_CONTROL, "CAP_AUDIT_READ": 1 << unix.CAP_AUDIT_READ, "CAP_AUDIT_WRITE": 1 << unix.CAP_AUDIT_WRITE, "CAP_BLOCK_SUSPEND": 1 << unix.CAP_BLOCK_SUSPEND, "CAP_BPF": 1 << unix.CAP_BPF, "CAP_CHECKPOINT_RESTORE": 1 << unix.CAP_CHECKPOINT_RESTORE, "CAP_CHOWN": 1 << unix.CAP_CHOWN, "CAP_DAC_OVERRIDE": 1 << unix.CAP_DAC_OVERRIDE, "CAP_DAC_READ_SEARCH": 1 << unix.CAP_DAC_READ_SEARCH, "CAP_FOWNER": 1 << unix.CAP_FOWNER, "CAP_FSETID": 1 << unix.CAP_FSETID, "CAP_IPC_LOCK": 1 << unix.CAP_IPC_LOCK, "CAP_IPC_OWNER": 1 << unix.CAP_IPC_OWNER, "CAP_KILL": 1 << unix.CAP_KILL, "CAP_LAST_CAP": 1 << unix.CAP_LAST_CAP, "CAP_LEASE": 1 << unix.CAP_LEASE, "CAP_LINUX_IMMUTABLE": 1 << unix.CAP_LINUX_IMMUTABLE, "CAP_MAC_ADMIN": 1 << unix.CAP_MAC_ADMIN, "CAP_MAC_OVERRIDE": 1 << unix.CAP_MAC_OVERRIDE, "CAP_MKNOD": 1 << unix.CAP_MKNOD, "CAP_NET_ADMIN": 1 << unix.CAP_NET_ADMIN, "CAP_NET_BIND_SERVICE": 1 << unix.CAP_NET_BIND_SERVICE, "CAP_NET_BROADCAST": 1 << unix.CAP_NET_BROADCAST, "CAP_NET_RAW": 1 << unix.CAP_NET_RAW, "CAP_PERFMON": 1 << unix.CAP_PERFMON, "CAP_SETFCAP": 1 << unix.CAP_SETFCAP, "CAP_SETGID": 1 << unix.CAP_SETGID, "CAP_SETPCAP": 1 << unix.CAP_SETPCAP, "CAP_SETUID": 1 << unix.CAP_SETUID, "CAP_SYSLOG": 1 << unix.CAP_SYSLOG, "CAP_SYS_ADMIN": 1 << unix.CAP_SYS_ADMIN, "CAP_SYS_BOOT": 1 << unix.CAP_SYS_BOOT, "CAP_SYS_CHROOT": 1 << unix.CAP_SYS_CHROOT, "CAP_SYS_MODULE": 1 << unix.CAP_SYS_MODULE, "CAP_SYS_NICE": 1 << unix.CAP_SYS_NICE, "CAP_SYS_PACCT": 1 << unix.CAP_SYS_PACCT, "CAP_SYS_PTRACE": 1 << unix.CAP_SYS_PTRACE, "CAP_SYS_RAWIO": 1 << unix.CAP_SYS_RAWIO, "CAP_SYS_RESOURCE": 1 << unix.CAP_SYS_RESOURCE, "CAP_SYS_TIME": 1 << unix.CAP_SYS_TIME, "CAP_SYS_TTY_CONFIG": 1 << unix.CAP_SYS_TTY_CONFIG, "CAP_WAKE_ALARM": 1 << unix.CAP_WAKE_ALARM, } )
var SECLLegacyFields = map[eval.Field]eval.Field{
"chmod.filename": "chmod.file.path",
"chmod.basename": "chmod.file.name",
"chmod.mode": "chmod.file.destination.mode",
"chown.filename": "chown.file.path",
"chown.basename": "chown.file.name",
"chown.uid": "chown.file.destination.uid",
"chown.user": "chown.file.destination.user",
"chown.gid": "chown.file.destination.gid",
"chown.group": "chown.file.destination.group",
"open.filename": "open.file.path",
"open.basename": "open.file.name",
"open.mode": "open.file.destination.mode",
"mkdir.filename": "mkdir.file.path",
"mkdir.basename": "mkdir.file.name",
"mkdir.mode": "mkdir.file.destination.mode",
"rmdir.filename": "rmdir.file.path",
"rmdir.basename": "rmdir.file.name",
"rename.old.filename": "rename.file.path",
"rename.old.basename": "rename.file.name",
"rename.new.filename": "rename.file.destination.path",
"rename.new.basename": "rename.file.destination.name",
"unlink.filename": "unlink.file.path",
"unlink.basename": "unlink.file.name",
"utimes.filename": "utimes.file.path",
"utimes.basename": "utimes.file.name",
"link.source.filename": "link.file.path",
"link.source.basename": "link.file.name",
"link.target.filename": "link.file.destination.path",
"link.target.basename": "link.file.destination.name",
"setxattr.filename": "setxattr.file.path",
"setxattr.basename": "setxattr.file.name",
"setxattr.namespace": "setxattr.file.destination.namespace",
"setxattr.name": "setxattr.file.destination.name",
"removexattr.filename": "removexattr.file.path",
"removexattr.basename": "removexattr.file.name",
"removexattr.namespace": "removexattr.file.destination.namespace",
"removexattr.name": "removexattr.file.destination.name",
"exec.filename": "exec.file.path",
"exec.overlay_numlower": "exec.file.overlay_numlower",
"exec.basename": "exec.file.name",
"exec.name": "exec.comm",
"process.filename": "process.file.path",
"process.basename": "process.file.name",
"process.name": "process.comm",
"process.ancestors.filename": "process.ancestors.file.path",
"process.ancestors.basename": "process.ancestors.file.name",
"process.ancestors.name": "process.ancestors.comm",
}
SECLLegacyFields contains the list of the legacy attributes we need to support
var ( // SECLVariables set of variables SECLVariables = map[string]eval.VariableValue{ "process.pid": eval.NewIntVariable(func(ctx *eval.Context) int { return int((*Event)(ctx.Object).ProcessContext.Process.Pid) }, nil), } )
Functions ¶
func FindContainerID ¶
FindContainerID extracts the first sub string that matches the pattern of a container ID
func GetEventTypePerCategory ¶
func GetEventTypePerCategory() map[EventCategory][]eval.EventType
GetEventTypePerCategory returns the event types per category
func GetHostByteOrder ¶
GetHostByteOrder guesses the hosts byte order
func IsAlphaNumeric ¶
IsAlphaNumeric returns whether a character is either a digit or a letter
func IsPrintable ¶
IsPrintable returns whether the string does contain only unicode printable
func IsPrintableASCII ¶
IsPrintableASCII returns whether the string does contain only ASCII char
func SliceToArray ¶
SliceToArray copy src bytes to dst. Destination should have enough space
func StringifyHelpersList ¶
StringifyHelpersList returns a string list representation of a list of helpers
func UnmarshalBinary ¶
func UnmarshalBinary(data []byte, binaryUnmarshalers ...BinaryUnmarshaler) (int, error)
UnmarshalBinary calls a series of BinaryUnmarshaler
func UnmarshalPrintableString ¶
UnmarshalPrintableString unmarshal printable string
func UnmarshalString ¶
UnmarshalString unmarshal string
func UnmarshalStringArray ¶
UnmarshalStringArray extract array of string for array of byte
Types ¶
type ArgsEntry ¶
type ArgsEntry struct { *ArgsEnvsCacheEntry Values []string Truncated bool // contains filtered or unexported fields }
ArgsEntry defines a args cache entry
type ArgsEnvsCacheEntry ¶
type ArgsEnvsCacheEntry struct { ArgsEnvs // contains filtered or unexported fields }
ArgsEnvsCacheEntry defines a args/envs base entry
func NewArgsEnvsCacheEntry ¶
func NewArgsEnvsCacheEntry(onRelease func(_ *ArgsEnvsCacheEntry)) *ArgsEnvsCacheEntry
NewArgsEnvsCacheEntry returns a new args/env cache entry
func (*ArgsEnvsCacheEntry) Append ¶
func (p *ArgsEnvsCacheEntry) Append(entry *ArgsEnvsCacheEntry)
Append an entry to the list
func (*ArgsEnvsCacheEntry) Release ¶
func (p *ArgsEnvsCacheEntry) Release()
Release decrement and eventually release the entry
func (*ArgsEnvsCacheEntry) Retain ¶
func (p *ArgsEnvsCacheEntry) Retain()
Retain increment ref counter
type ArgsEnvsEvent ¶
type ArgsEnvsEvent struct {
ArgsEnvs
}
ArgsEnvsEvent defines a args/envs event
func (*ArgsEnvsEvent) UnmarshalBinary ¶
func (e *ArgsEnvsEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type BPFAttachType ¶
type BPFAttachType uint32
BPFAttachType is used to define attach type constants
const ( // BpfCgroupInetIngress attach type BpfCgroupInetIngress BPFAttachType = iota + 1 // BpfCgroupInetEgress attach type BpfCgroupInetEgress // BpfCgroupInetSockCreate attach type BpfCgroupInetSockCreate // BpfCgroupSockOps attach type BpfCgroupSockOps // BpfSkSkbStreamParser attach type BpfSkSkbStreamParser // BpfSkSkbStreamVerdict attach type BpfSkSkbStreamVerdict // BpfCgroupDevice attach type BpfCgroupDevice // BpfSkMsgVerdict attach type BpfSkMsgVerdict // BpfCgroupInet4Bind attach type BpfCgroupInet4Bind // BpfCgroupInet6Bind attach type BpfCgroupInet6Bind // BpfCgroupInet4Connect attach type BpfCgroupInet4Connect // BpfCgroupInet6Connect attach type BpfCgroupInet6Connect // BpfCgroupInet4PostBind attach type BpfCgroupInet4PostBind // BpfCgroupInet6PostBind attach type BpfCgroupInet6PostBind // BpfCgroupUDP4Sendmsg attach type BpfCgroupUDP4Sendmsg // BpfCgroupUDP6Sendmsg attach type BpfCgroupUDP6Sendmsg // BpfLircMode2 attach type BpfLircMode2 // BpfFlowDissector attach type BpfFlowDissector // BpfCgroupSysctl attach type BpfCgroupSysctl // BpfCgroupUDP4Recvmsg attach type BpfCgroupUDP4Recvmsg // BpfCgroupUDP6Recvmsg attach type BpfCgroupUDP6Recvmsg // BpfCgroupGetsockopt attach type BpfCgroupGetsockopt // BpfCgroupSetsockopt attach type BpfCgroupSetsockopt // BpfTraceRawTp attach type BpfTraceRawTp // BpfTraceFentry attach type BpfTraceFentry // BpfTraceFexit attach type BpfTraceFexit // BpfModifyReturn attach type BpfModifyReturn // BpfLsmMac attach type BpfLsmMac // BpfTraceIter attach type BpfTraceIter // BpfCgroupInet4Getpeername attach type BpfCgroupInet4Getpeername // BpfCgroupInet6Getpeername attach type BpfCgroupInet6Getpeername // BpfCgroupInet4Getsockname attach type BpfCgroupInet4Getsockname // BpfCgroupInet6Getsockname attach type BpfCgroupInet6Getsockname // BpfXdpDevmap attach type BpfXdpDevmap // BpfCgroupInetSockRelease attach type BpfCgroupInetSockRelease // BpfXdpCPUmap attach type BpfXdpCPUmap // BpfSkLookup attach type BpfSkLookup // BpfXdp attach type BpfXdp // BpfSkSkbVerdict attach type BpfSkSkbVerdict )
func (BPFAttachType) String ¶
func (t BPFAttachType) String() string
type BPFCmd ¶
type BPFCmd uint64
BPFCmd represents a BPF command
const ( // BpfMapCreateCmd command BpfMapCreateCmd BPFCmd = iota // BpfMapLookupElemCmd command BpfMapLookupElemCmd // BpfMapUpdateElemCmd command BpfMapUpdateElemCmd // BpfMapDeleteElemCmd command BpfMapDeleteElemCmd // BpfMapGetNextKeyCmd command BpfMapGetNextKeyCmd // BpfProgLoadCmd command BpfProgLoadCmd // BpfObjPinCmd command BpfObjPinCmd // BpfObjGetCmd command BpfObjGetCmd // BpfProgAttachCmd command BpfProgAttachCmd // BpfProgDetachCmd command BpfProgDetachCmd // BpfProgTestRunCmd command BpfProgTestRunCmd // BpfProgGetNextIDCmd command BpfProgGetNextIDCmd // BpfMapGetNextIDCmd command BpfMapGetNextIDCmd // BpfProgGetFdByIDCmd command BpfProgGetFdByIDCmd // BpfMapGetFdByIDCmd command BpfMapGetFdByIDCmd // BpfObjGetInfoByFdCmd command BpfObjGetInfoByFdCmd // BpfProgQueryCmd command BpfProgQueryCmd // BpfRawTracepointOpenCmd command BpfRawTracepointOpenCmd // BpfBtfLoadCmd command BpfBtfLoadCmd // BpfBtfGetFdByIDCmd command BpfBtfGetFdByIDCmd // BpfTaskFdQueryCmd command BpfTaskFdQueryCmd // BpfMapLookupAndDeleteElemCmd command BpfMapLookupAndDeleteElemCmd // BpfMapFreezeCmd command BpfMapFreezeCmd // BpfBtfGetNextIDCmd command BpfBtfGetNextIDCmd // BpfMapLookupBatchCmd command BpfMapLookupBatchCmd // BpfMapLookupAndDeleteBatchCmd command BpfMapLookupAndDeleteBatchCmd // BpfMapUpdateBatchCmd command BpfMapUpdateBatchCmd // BpfMapDeleteBatchCmd command BpfMapDeleteBatchCmd // BpfLinkCreateCmd command BpfLinkCreateCmd // BpfLinkUpdateCmd command BpfLinkUpdateCmd // BpfLinkGetFdByIDCmd command BpfLinkGetFdByIDCmd // BpfLinkGetNextIDCmd command BpfLinkGetNextIDCmd // BpfEnableStatsCmd command BpfEnableStatsCmd // BpfIterCreateCmd command BpfIterCreateCmd // BpfLinkDetachCmd command BpfLinkDetachCmd // BpfProgBindMapCmd command BpfProgBindMapCmd )
type BPFEvent ¶
type BPFEvent struct { SyscallEvent Map BPFMap `field:"map"` // eBPF map involved in the BPF command Program BPFProgram `field:"prog"` // eBPF program involved in the BPF command Cmd uint32 `field:"cmd"` // BPF command name }
BPFEvent represents a BPF event
type BPFHelperFunc ¶
type BPFHelperFunc uint32
BPFHelperFunc represents a BPF helper function
const ( // BpfUnspec helper function BpfUnspec BPFHelperFunc = iota // BpfMapLookupElem helper function BpfMapLookupElem // BpfMapUpdateElem helper function BpfMapUpdateElem // BpfMapDeleteElem helper function BpfMapDeleteElem // BpfProbeRead helper function BpfProbeRead // BpfKtimeGetNs helper function BpfKtimeGetNs // BpfTracePrintk helper function BpfTracePrintk // BpfGetPrandomU32 helper function BpfGetPrandomU32 // BpfGetSmpProcessorID helper function BpfGetSmpProcessorID // BpfSkbStoreBytes helper function BpfSkbStoreBytes // BpfL3CsumReplace helper function BpfL3CsumReplace // BpfL4CsumReplace helper function BpfL4CsumReplace // BpfTailCall helper function BpfTailCall // BpfCloneRedirect helper function BpfCloneRedirect // BpfGetCurrentPidTgid helper function BpfGetCurrentPidTgid // BpfGetCurrentUIDGid helper function BpfGetCurrentUIDGid // BpfGetCurrentComm helper function BpfGetCurrentComm // BpfGetCgroupClassid helper function BpfGetCgroupClassid // BpfSkbVlanPush helper function BpfSkbVlanPush // BpfSkbVlanPop helper function BpfSkbVlanPop // BpfSkbGetTunnelKey helper function BpfSkbGetTunnelKey // BpfSkbSetTunnelKey helper function BpfSkbSetTunnelKey // BpfPerfEventRead helper function BpfPerfEventRead // BpfRedirect helper function BpfRedirect // BpfGetRouteRealm helper function BpfGetRouteRealm // BpfPerfEventOutput helper function BpfPerfEventOutput // BpfSkbLoadBytes helper function BpfSkbLoadBytes // BpfGetStackid helper function BpfGetStackid // BpfCsumDiff helper function BpfCsumDiff // BpfSkbGetTunnelOpt helper function BpfSkbGetTunnelOpt // BpfSkbSetTunnelOpt helper function BpfSkbSetTunnelOpt // BpfSkbChangeProto helper function BpfSkbChangeProto // BpfSkbChangeType helper function BpfSkbChangeType // BpfSkbUnderCgroup helper function BpfSkbUnderCgroup // BpfGetHashRecalc helper function BpfGetHashRecalc // BpfGetCurrentTask helper function BpfGetCurrentTask // BpfProbeWriteUser helper function BpfProbeWriteUser // BpfCurrentTaskUnderCgroup helper function BpfCurrentTaskUnderCgroup // BpfSkbChangeTail helper function BpfSkbChangeTail // BpfSkbPullData helper function BpfSkbPullData // BpfCsumUpdate helper function BpfCsumUpdate // BpfSetHashInvalid helper function BpfSetHashInvalid // BpfGetNumaNodeID helper function BpfGetNumaNodeID // BpfSkbChangeHead helper function BpfSkbChangeHead // BpfXdpAdjustHead helper function BpfXdpAdjustHead // BpfProbeReadStr helper function BpfProbeReadStr // BpfGetSocketCookie helper function BpfGetSocketCookie // BpfGetSocketUID helper function BpfGetSocketUID // BpfSetHash helper function BpfSetHash // BpfSetsockopt helper function BpfSetsockopt // BpfSkbAdjustRoom helper function BpfSkbAdjustRoom // BpfRedirectMap helper function BpfRedirectMap // BpfSkRedirectMap helper function BpfSkRedirectMap // BpfSockMapUpdate helper function BpfSockMapUpdate // BpfXdpAdjustMeta helper function BpfXdpAdjustMeta // BpfPerfEventReadValue helper function BpfPerfEventReadValue // BpfPerfProgReadValue helper function BpfPerfProgReadValue // BpfGetsockopt helper function BpfGetsockopt // BpfOverrideReturn helper function BpfOverrideReturn // BpfSockOpsCbFlagsSet helper function BpfSockOpsCbFlagsSet // BpfMsgRedirectMap helper function BpfMsgRedirectMap // BpfMsgApplyBytes helper function BpfMsgApplyBytes // BpfMsgCorkBytes helper function BpfMsgCorkBytes // BpfMsgPullData helper function BpfMsgPullData // BpfBind helper function BpfBind // BpfXdpAdjustTail helper function BpfXdpAdjustTail // BpfSkbGetXfrmState helper function BpfSkbGetXfrmState // BpfGetStack helper function BpfGetStack // BpfSkbLoadBytesRelative helper function BpfSkbLoadBytesRelative // BpfFibLookup helper function BpfFibLookup // BpfSockHashUpdate helper function BpfSockHashUpdate // BpfMsgRedirectHash helper function BpfMsgRedirectHash // BpfSkRedirectHash helper function BpfSkRedirectHash // BpfLwtPushEncap helper function BpfLwtPushEncap // BpfLwtSeg6StoreBytes helper function BpfLwtSeg6StoreBytes // BpfLwtSeg6AdjustSrh helper function BpfLwtSeg6AdjustSrh // BpfLwtSeg6Action helper function BpfLwtSeg6Action // BpfRcRepeat helper function BpfRcRepeat // BpfRcKeydown helper function BpfRcKeydown // BpfSkbCgroupID helper function BpfSkbCgroupID // BpfGetCurrentCgroupID helper function BpfGetCurrentCgroupID // BpfGetLocalStorage helper function BpfGetLocalStorage // BpfSkSelectReuseport helper function BpfSkSelectReuseport // BpfSkbAncestorCgroupID helper function BpfSkbAncestorCgroupID // BpfSkLookupTCP helper function BpfSkLookupTCP // BpfSkLookupUDP helper function BpfSkLookupUDP // BpfSkRelease helper function BpfSkRelease // BpfMapPushElem helper function BpfMapPushElem // BpfMapPopElem helper function BpfMapPopElem // BpfMapPeekElem helper function BpfMapPeekElem // BpfMsgPushData helper function BpfMsgPushData // BpfMsgPopData helper function BpfMsgPopData // BpfRcPointerRel helper function BpfRcPointerRel // BpfSpinLock helper function BpfSpinLock // BpfSpinUnlock helper function BpfSpinUnlock // BpfSkFullsock helper function BpfSkFullsock // BpfTCPSock helper function BpfTCPSock // BpfSkbEcnSetCe helper function BpfSkbEcnSetCe // BpfGetListenerSock helper function BpfGetListenerSock // BpfSkcLookupTCP helper function BpfSkcLookupTCP BpfTCPCheckSyncookie // BpfSysctlGetName helper function BpfSysctlGetName // BpfSysctlGetCurrentValue helper function BpfSysctlGetCurrentValue // BpfSysctlGetNewValue helper function BpfSysctlGetNewValue // BpfSysctlSetNewValue helper function BpfSysctlSetNewValue // BpfStrtol helper function BpfStrtol // BpfStrtoul helper function BpfStrtoul // BpfSkStorageGet helper function BpfSkStorageGet // BpfSkStorageDelete helper function BpfSkStorageDelete // BpfSendSignal helper function BpfSendSignal BpfTCPGenSyncookie // BpfSkbOutput helper function BpfSkbOutput // BpfProbeReadUser helper function BpfProbeReadUser // BpfProbeReadKernel helper function BpfProbeReadKernel // BpfProbeReadUserStr helper function BpfProbeReadUserStr // BpfProbeReadKernelStr helper function BpfProbeReadKernelStr // BpfTCPSendAck helper function BpfTCPSendAck // BpfSendSignalThread helper function BpfSendSignalThread // BpfJiffies64 helper function BpfJiffies64 // BpfReadBranchRecords helper function BpfReadBranchRecords // BpfGetNsCurrentPidTgid helper function BpfGetNsCurrentPidTgid // BpfXdpOutput helper function BpfXdpOutput // BpfGetNetnsCookie helper function BpfGetNetnsCookie // BpfGetCurrentAncestorCgroupID helper function BpfGetCurrentAncestorCgroupID // BpfSkAssign helper function BpfSkAssign // BpfKtimeGetBootNs helper function BpfKtimeGetBootNs // BpfSeqPrintf helper function BpfSeqPrintf // BpfSeqWrite helper function BpfSeqWrite // BpfSkCgroupID helper function BpfSkCgroupID // BpfSkAncestorCgroupID helper function BpfSkAncestorCgroupID // BpfRingbufOutput helper function BpfRingbufOutput // BpfRingbufReserve helper function BpfRingbufReserve // BpfRingbufSubmit helper function BpfRingbufSubmit // BpfRingbufDiscard helper function BpfRingbufDiscard // BpfRingbufQuery helper function BpfRingbufQuery // BpfCsumLevel helper function BpfCsumLevel // BpfSkcToTCP6Sock helper function BpfSkcToTCP6Sock // BpfSkcToTCPSock helper function BpfSkcToTCPSock // BpfSkcToTCPTimewaitSock helper function BpfSkcToTCPTimewaitSock // BpfSkcToTCPRequestSock helper function BpfSkcToTCPRequestSock // BpfSkcToUDP6Sock helper function BpfSkcToUDP6Sock // BpfGetTaskStack helper function BpfGetTaskStack // BpfLoadHdrOpt helper function BpfLoadHdrOpt // BpfStoreHdrOpt helper function BpfStoreHdrOpt // BpfReserveHdrOpt helper function BpfReserveHdrOpt // BpfInodeStorageGet helper function BpfInodeStorageGet // BpfInodeStorageDelete helper function BpfInodeStorageDelete // BpfDPath helper function BpfDPath // BpfCopyFromUser helper function BpfCopyFromUser // BpfSnprintfBtf helper function BpfSnprintfBtf // BpfSeqPrintfBtf helper function BpfSeqPrintfBtf // BpfSkbCgroupClassid helper function BpfSkbCgroupClassid // BpfRedirectNeigh helper function BpfRedirectNeigh // BpfPerCPUPtr helper function BpfPerCPUPtr // BpfThisCPUPtr helper function BpfThisCPUPtr // BpfRedirectPeer helper function BpfRedirectPeer // BpfTaskStorageGet helper function BpfTaskStorageGet // BpfTaskStorageDelete helper function BpfTaskStorageDelete // BpfGetCurrentTaskBtf helper function BpfGetCurrentTaskBtf // BpfBprmOptsSet helper function BpfBprmOptsSet // BpfKtimeGetCoarseNs helper function BpfKtimeGetCoarseNs // BpfImaInodeHash helper function BpfImaInodeHash // BpfSockFromFile helper function BpfSockFromFile // BpfCheckMtu helper function BpfCheckMtu // BpfForEachMapElem helper function BpfForEachMapElem // BpfSnprintf helper function BpfSnprintf )
func (BPFHelperFunc) String ¶
func (f BPFHelperFunc) String() string
type BPFMap ¶
type BPFMap struct { ID uint32 `field:"-"` // ID of the eBPF map Type uint32 `field:"type"` // Type of the eBPF map Name string `field:"name"` // Name of the eBPF map (added in 7.35) }
BPFMap represents a BPF map
type BPFMapType ¶
type BPFMapType uint32
BPFMapType is used to define map type constants
const ( // BpfMapTypeUnspec map type BpfMapTypeUnspec BPFMapType = iota // BpfMapTypeHash map type BpfMapTypeHash // BpfMapTypeArray map type BpfMapTypeArray // BpfMapTypeProgArray map type BpfMapTypeProgArray // BpfMapTypePerfEventArray map type BpfMapTypePerfEventArray // BpfMapTypePercpuHash map type BpfMapTypePercpuHash // BpfMapTypePercpuArray map type BpfMapTypePercpuArray // BpfMapTypeStackTrace map type BpfMapTypeStackTrace // BpfMapTypeCgroupArray map type BpfMapTypeCgroupArray // BpfMapTypeLruHash map type BpfMapTypeLruHash // BpfMapTypeLruPercpuHash map type BpfMapTypeLruPercpuHash // BpfMapTypeLpmTrie map type BpfMapTypeLpmTrie // BpfMapTypeArrayOfMaps map type BpfMapTypeArrayOfMaps // BpfMapTypeHashOfMaps map type BpfMapTypeHashOfMaps // BpfMapTypeDevmap map type BpfMapTypeDevmap // BpfMapTypeSockmap map type BpfMapTypeSockmap // BpfMapTypeCPUmap map type BpfMapTypeCPUmap // BpfMapTypeXskmap map type BpfMapTypeXskmap // BpfMapTypeSockhash map type BpfMapTypeSockhash // BpfMapTypeCgroupStorage map type BpfMapTypeCgroupStorage // BpfMapTypeReuseportSockarray map type BpfMapTypeReuseportSockarray // BpfMapTypePercpuCgroupStorage map type BpfMapTypePercpuCgroupStorage // BpfMapTypeQueue map type BpfMapTypeQueue // BpfMapTypeStack map type BpfMapTypeStack // BpfMapTypeSkStorage map type BpfMapTypeSkStorage // BpfMapTypeDevmapHash map type BpfMapTypeDevmapHash // BpfMapTypeStructOps map type BpfMapTypeStructOps // BpfMapTypeRingbuf map type BpfMapTypeRingbuf // BpfMapTypeInodeStorage map type BpfMapTypeInodeStorage // BpfMapTypeTaskStorage map type BpfMapTypeTaskStorage )
func (BPFMapType) String ¶
func (t BPFMapType) String() string
type BPFProgram ¶
type BPFProgram struct { ID uint32 `field:"-"` // ID of the eBPF program Type uint32 `field:"type"` // Type of the eBPF program AttachType uint32 `field:"attach_type"` // Attach type of the eBPF program Helpers []uint32 `field:"helpers,ResolveHelpers"` // eBPF helpers used by the eBPF program (added in 7.35) Name string `field:"name"` // Name of the eBPF program (added in 7.35) Tag string `field:"tag"` // Hash (sha1) of the eBPF program (added in 7.35) }
BPFProgram represents a BPF program
func (*BPFProgram) UnmarshalBinary ¶
func (p *BPFProgram) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type BPFProgramType ¶
type BPFProgramType uint32
BPFProgramType is used to define program type constants
const ( // BpfProgTypeUnspec program type BpfProgTypeUnspec BPFProgramType = iota // BpfProgTypeSocketFilter program type BpfProgTypeSocketFilter // BpfProgTypeKprobe program type BpfProgTypeKprobe // BpfProgTypeSchedCls program type BpfProgTypeSchedCls // BpfProgTypeSchedAct program type BpfProgTypeSchedAct // BpfProgTypeTracepoint program type BpfProgTypeTracepoint // BpfProgTypeXdp program type BpfProgTypeXdp // BpfProgTypePerfEvent program type BpfProgTypePerfEvent // BpfProgTypeCgroupSkb program type BpfProgTypeCgroupSkb // BpfProgTypeCgroupSock program type BpfProgTypeCgroupSock // BpfProgTypeLwtIn program type BpfProgTypeLwtIn // BpfProgTypeLwtOut program type BpfProgTypeLwtOut // BpfProgTypeLwtXmit program type BpfProgTypeLwtXmit // BpfProgTypeSockOps program type BpfProgTypeSockOps // BpfProgTypeSkSkb program type BpfProgTypeSkSkb // BpfProgTypeCgroupDevice program type BpfProgTypeCgroupDevice // BpfProgTypeSkMsg program type BpfProgTypeSkMsg // BpfProgTypeRawTracepoint program type BpfProgTypeRawTracepoint // BpfProgTypeCgroupSockAddr program type BpfProgTypeCgroupSockAddr // BpfProgTypeLwtSeg6local program type BpfProgTypeLwtSeg6local // BpfProgTypeLircMode2 program type BpfProgTypeLircMode2 // BpfProgTypeSkReuseport program type BpfProgTypeSkReuseport // BpfProgTypeFlowDissector program type BpfProgTypeFlowDissector // BpfProgTypeCgroupSysctl program type BpfProgTypeCgroupSysctl // BpfProgTypeRawTracepointWritable program type BpfProgTypeRawTracepointWritable // BpfProgTypeCgroupSockopt program type BpfProgTypeCgroupSockopt // BpfProgTypeTracing program type BpfProgTypeTracing // BpfProgTypeStructOps program type BpfProgTypeStructOps // BpfProgTypeExt program type BpfProgTypeExt // BpfProgTypeLsm program type BpfProgTypeLsm // BpfProgTypeSkLookup program type BpfProgTypeSkLookup )
func (BPFProgramType) String ¶
func (t BPFProgramType) String() string
type BinaryUnmarshaler ¶
BinaryUnmarshaler interface implemented by every event type
type CapsetEvent ¶
type CapsetEvent struct { CapEffective uint64 `field:"cap_effective"` // Effective capability set of the process CapPermitted uint64 `field:"cap_permitted"` // Permitted capability set of the process }
CapsetEvent represents a capset event
func (*CapsetEvent) UnmarshalBinary ¶
func (e *CapsetEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type ChmodEvent ¶
type ChmodEvent struct { SyscallEvent File FileEvent `field:"file"` Mode uint32 `field:"file.destination.mode" field:"file.destination.rights"` // New mode/rights of the chmod-ed file }
ChmodEvent represents a chmod event
func (*ChmodEvent) UnmarshalBinary ¶
func (e *ChmodEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type ChownEvent ¶
type ChownEvent struct { SyscallEvent File FileEvent `field:"file"` UID int64 `field:"file.destination.uid"` // New UID of the chown-ed file's owner User string `field:"file.destination.user,ResolveChownUID"` // New user of the chown-ed file's owner GID int64 `field:"file.destination.gid"` // New GID of the chown-ed file's owner Group string `field:"file.destination.group,ResolveChownGID"` // New group of the chown-ed file's owner }
ChownEvent represents a chown event
func (*ChownEvent) UnmarshalBinary ¶
func (e *ChownEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type ContainerContext ¶
type ContainerContext struct { ID string `field:"id,ResolveContainerID"` // ID of the container Tags []string `field:"tags,ResolveContainerTags:9999"` // Tags of the container }
ContainerContext holds the container context of an event
func (*ContainerContext) UnmarshalBinary ¶
func (e *ContainerContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type Credentials ¶
type Credentials struct { UID uint32 `field:"uid"` // UID of the process GID uint32 `field:"gid"` // GID of the process User string `field:"user"` // User of the process Group string `field:"group"` // Group of the process EUID uint32 `field:"euid"` // Effective UID of the process EGID uint32 `field:"egid"` // Effective GID of the process EUser string `field:"euser"` // Effective user of the process EGroup string `field:"egroup"` // Effective group of the process FSUID uint32 `field:"fsuid"` // FileSystem-uid of the process FSGID uint32 `field:"fsgid"` // FileSystem-gid of the process FSUser string `field:"fsuser"` // FileSystem-user of the process FSGroup string `field:"fsgroup"` // FileSystem-group of the process CapEffective uint64 `field:"cap_effective"` // Effective capability set of the process CapPermitted uint64 `field:"cap_permitted"` // Permitted capability set of the process }
Credentials represents the kernel credentials of a process
func (*Credentials) UnmarshalBinary ¶
func (e *Credentials) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type EnvsEntry ¶
type EnvsEntry struct { *ArgsEnvsCacheEntry Values []string Truncated bool // contains filtered or unexported fields }
EnvsEntry defines a args cache entry
type Event ¶
type Event struct { ID string `field:"-"` Type uint64 `field:"-"` TimestampRaw uint64 `field:"-"` Timestamp time.Time `field:"timestamp"` // Timestamp of the event ProcessContext ProcessContext `field:"process" event:"*"` SpanContext SpanContext `field:"-"` ContainerContext ContainerContext `field:"container"` Chmod ChmodEvent `field:"chmod" event:"chmod"` // [7.27] [File] A file’s permissions were changed Chown ChownEvent `field:"chown" event:"chown"` // [7.27] [File] A file’s owner was changed Open OpenEvent `field:"open" event:"open"` // [7.27] [File] A file was opened Mkdir MkdirEvent `field:"mkdir" event:"mkdir"` // [7.27] [File] A directory was created Rmdir RmdirEvent `field:"rmdir" event:"rmdir"` // [7.27] [File] A directory was removed Rename RenameEvent `field:"rename" event:"rename"` // [7.27] [File] A file/directory was renamed Unlink UnlinkEvent `field:"unlink" event:"unlink"` // [7.27] [File] A file was deleted Utimes UtimesEvent `field:"utimes" event:"utimes"` // [7.27] [File] Change file access/modification times Link LinkEvent `field:"link" event:"link"` // [7.27] [File] Create a new name/alias for a file SetXAttr SetXAttrEvent `field:"setxattr" event:"setxattr"` // [7.27] [File] Set exteneded attributes RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"` // [7.27] [File] Remove extended attributes Exec ExecEvent `field:"exec" event:"exec"` // [7.27] [Process] A process was executed or forked SetUID SetuidEvent `field:"setuid" event:"setuid"` // [7.27] [Process] A process changed its effective uid SetGID SetgidEvent `field:"setgid" event:"setgid"` // [7.27] [Process] A process changed its effective gid Capset CapsetEvent `field:"capset" event:"capset"` // [7.27] [Process] A process changed its capacity set Signal SignalEvent `field:"signal" event:"signal"` // [7.35] [Process] A signal was sent SELinux SELinuxEvent `field:"selinux" event:"selinux"` // [7.30] [Kernel] An SELinux operation was run BPF BPFEvent `field:"bpf" event:"bpf"` // [7.33] [Kernel] A BPF command was executed PTrace PTraceEvent `field:"ptrace" event:"ptrace"` // [7.35] [Kernel] A ptrace command was executed MMap MMapEvent `field:"mmap" event:"mmap"` // [7.35] [Kernel] A mmap command was executed MProtect MProtectEvent `field:"mprotect" event:"mprotect"` // [7.35] [Kernel] A mprotect command was executed LoadModule LoadModuleEvent `field:"load_module" event:"load_module"` // [7.35] [Kernel] A new kernel module was loaded UnloadModule UnloadModuleEvent `field:"unload_module" event:"unload_module"` // [7.35] [Kernel] A kernel module was deleted Mount MountEvent `field:"-"` Umount UmountEvent `field:"-"` InvalidateDentry InvalidateDentryEvent `field:"-"` ArgsEnvs ArgsEnvsEvent `field:"-"` MountReleased MountReleasedEvent `field:"-"` }
Event represents an event sent from the kernel genaccessors
func (*Event) GetEventType ¶
GetEventType returns the event type of the event
func (*Event) GetFieldEventType ¶
func (*Event) GetPointer ¶
GetPointer return an unsafe.Pointer of the Event
func (*Event) SetFieldValue ¶
type EventCategory ¶
type EventCategory = string
EventCategory category type
const ( // FIMCategory FIM events FIMCategory EventCategory = "File Activity" // ProcessCategory process events ProcessCategory EventCategory = "Process Activity" // KernelCategory Kernel events KernelCategory EventCategory = "Kernel Activity" )
Event categories
func GetAllCategories ¶ added in v0.34.0
func GetAllCategories() []EventCategory
GetAllCategories returns all categories
func GetEventTypeCategory ¶
func GetEventTypeCategory(eventType eval.EventType) EventCategory
GetEventTypeCategory returns the category for the given event type
type EventType ¶
type EventType uint64
EventType describes the type of an event sent from the kernel
const ( // UnknownEventType unknow event UnknownEventType EventType = iota // FileOpenEventType File open event FileOpenEventType // FileMkdirEventType Folder creation event FileMkdirEventType // FileLinkEventType Hard link creation event FileLinkEventType // FileRenameEventType File or folder rename event FileRenameEventType // FileUnlinkEventType Unlink event FileUnlinkEventType // FileRmdirEventType Rmdir event FileRmdirEventType // FileChmodEventType Chmod event FileChmodEventType // FileChownEventType Chown event FileChownEventType // FileUtimesEventType Utime event FileUtimesEventType // FileSetXAttrEventType Setxattr event FileSetXAttrEventType // FileRemoveXAttrEventType Removexattr event FileRemoveXAttrEventType // FileMountEventType Mount event FileMountEventType // FileUmountEventType Umount event FileUmountEventType // ForkEventType Fork event ForkEventType // ExecEventType Exec event ExecEventType // ExitEventType Exit event ExitEventType // InvalidateDentryEventType Dentry invalidated event InvalidateDentryEventType // SetuidEventType setuid event SetuidEventType // SetgidEventType setgid event SetgidEventType // CapsetEventType capset event CapsetEventType // ArgsEnvsEventType args and envs event ArgsEnvsEventType // MountReleasedEventType sent when a mount point is released MountReleasedEventType // SELinuxEventType selinux event SELinuxEventType // BPFEventType bpf event BPFEventType // PTraceEventType PTrace event PTraceEventType // MMapEventType MMap event MMapEventType // MProtectEventType MProtect event MProtectEventType // LoadModuleEventType LoadModule event LoadModuleEventType // UnloadModuleEventType UnloadModule evnt UnloadModuleEventType // SignalEventType Signal event SignalEventType // MaxEventType is used internally to get the maximum number of kernel events. MaxEventType // FirstDiscarderEventType first event that accepts discarders FirstDiscarderEventType = FileOpenEventType // LastDiscarderEventType last event that accepts discarders LastDiscarderEventType = FileRemoveXAttrEventType // CustomLostReadEventType is the custom event used to report lost events detected in user space CustomLostReadEventType EventType = iota // CustomLostWriteEventType is the custom event used to report lost events detected in kernel space CustomLostWriteEventType // CustomRulesetLoadedEventType is the custom event used to report that a new ruleset was loaded CustomRulesetLoadedEventType // CustomNoisyProcessEventType is the custom event used to report the detection of a noisy process CustomNoisyProcessEventType // CustomForkBombEventType is the custom event used to report the detection of a fork bomb CustomForkBombEventType // CustomTruncatedParentsEventType is the custom event used to report that the parents of a path were truncated CustomTruncatedParentsEventType )
func ParseEvalEventType ¶
ParseEvalEventType convert a eval.EventType (string) to its uint64 representation the current algorithm is not efficient but allows us to reduce the number of conversion functions
type FileEvent ¶
type FileEvent struct { FileFields PathnameStr string `field:"path,ResolveFilePath"` // File's path BasenameStr string `field:"name,ResolveFileBasename"` // File's basename Filesytem string `field:"filesystem,ResolveFileFilesystem"` // File's filesystem PathResolutionError error `field:"-"` }
FileEvent is the common file event type
func (*FileEvent) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
type FileFields ¶
type FileFields struct { UID uint32 `field:"uid"` // UID of the file's owner User string `field:"user,ResolveFileFieldsUser"` // User of the file's owner GID uint32 `field:"gid"` // GID of the file's owner Group string `field:"group,ResolveFileFieldsGroup"` // Group of the file's owner Mode uint16 `field:"mode" field:"rights,ResolveRights"` // Mode/rights of the file CTime uint64 `field:"change_time"` // Change time of the file MTime uint64 `field:"modification_time"` // Modification time of the file MountID uint32 `field:"mount_id"` // Mount ID of the file Inode uint64 `field:"inode"` // Inode of the file InUpperLayer bool `field:"in_upper_layer,ResolveFileFieldsInUpperLayer"` // Indicator of the file layer, in an OverlayFS for example NLink uint32 `field:"-"` PathID uint32 `field:"-"` Flags int32 `field:"-"` }
FileFields holds the information required to identify a file
func (*FileFields) GetInLowerLayer ¶
func (f *FileFields) GetInLowerLayer() bool
GetInLowerLayer returns whether a file is in a lower layer
func (*FileFields) GetInUpperLayer ¶
func (f *FileFields) GetInUpperLayer() bool
GetInUpperLayer returns whether a file is in the upper layer
func (*FileFields) HasHardLinks ¶
func (f *FileFields) HasHardLinks() bool
HasHardLinks returns whether the file has hardlink
func (*FileFields) UnmarshalBinary ¶
func (e *FileFields) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type InvalidateDentryEvent ¶
InvalidateDentryEvent defines a invalidate dentry event
func (*InvalidateDentryEvent) UnmarshalBinary ¶
func (e *InvalidateDentryEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type KernelCapability ¶
type KernelCapability uint64
KernelCapability represents a kernel capability bitmask value
func (KernelCapability) String ¶
func (kc KernelCapability) String() string
func (KernelCapability) StringArray ¶
func (kc KernelCapability) StringArray() []string
StringArray returns the kernel capabilities as an array of strings
type LinkEvent ¶
type LinkEvent struct { SyscallEvent Source FileEvent `field:"file"` Target FileEvent `field:"file.destination"` }
LinkEvent represents a link event
type LoadModuleEvent ¶ added in v0.35.0
type LoadModuleEvent struct { SyscallEvent File FileEvent `field:"file"` // Path to the kernel module file LoadedFromMemory bool `field:"loaded_from_memory"` // Indicates if the kernel module was loaded from memory Name string `field:"name"` // Name of the new kernel module }
LoadModuleEvent represents a load_module event
func (*LoadModuleEvent) UnmarshalBinary ¶ added in v0.35.0
func (e *LoadModuleEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type MMapEvent ¶ added in v0.34.0
type MMapEvent struct { SyscallEvent File FileEvent `field:"file"` Addr uint64 `field:"-"` Offset uint64 `field:"-"` Len uint32 `field:"-"` Protection int `field:"protection"` // memory segment protection Flags int `field:"flags"` // memory segment flags }
MMapEvent represents a mmap event
type MProtectEvent ¶ added in v0.34.0
type MProtectEvent struct { SyscallEvent VMStart uint64 `field:"-"` VMEnd uint64 `field:"-"` VMProtection int `field:"vm_protection"` // initial memory segment protection ReqProtection int `field:"req_protection"` // new memory segment protection }
MProtectEvent represents a mprotect event
func (*MProtectEvent) UnmarshalBinary ¶ added in v0.34.0
func (e *MProtectEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type MkdirEvent ¶
type MkdirEvent struct { SyscallEvent File FileEvent `field:"file"` Mode uint32 `field:"file.destination.mode" field:"file.destination.rights"` // Mode/rights of the new directory }
MkdirEvent represents a mkdir event
func (*MkdirEvent) UnmarshalBinary ¶
func (e *MkdirEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type Model ¶
type Model struct{}
Model describes the data model for the runtime security agent events
func (*Model) GetEvaluator ¶
func (*Model) GetEventTypes ¶
func (*Model) ValidateField ¶
ValidateField validates the value of a field
type MountEvent ¶
type MountEvent struct { SyscallEvent MountID uint32 GroupID uint32 Device uint32 ParentMountID uint32 ParentInode uint64 FSType string MountPointStr string MountPointPathResolutionError error RootMountID uint32 RootInode uint64 RootStr string RootPathResolutionError error FSTypeRaw [16]byte }
MountEvent represents a mount event
func (*MountEvent) GetFSType ¶
func (m *MountEvent) GetFSType() string
GetFSType returns the filesystem type of the mountpoint
func (*MountEvent) GetMountPointPathResolutionError ¶
func (m *MountEvent) GetMountPointPathResolutionError() string
GetMountPointPathResolutionError returns the mount point path resolution error as a string if there is one
func (*MountEvent) GetRootPathResolutionError ¶
func (m *MountEvent) GetRootPathResolutionError() string
GetRootPathResolutionError returns the root path resolution error as a string if there is one
func (*MountEvent) IsOverlayFS ¶
func (m *MountEvent) IsOverlayFS() bool
IsOverlayFS returns whether it is an overlay fs
func (*MountEvent) UnmarshalBinary ¶
func (e *MountEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type MountReleasedEvent ¶
MountReleasedEvent defines a mount released event
func (*MountReleasedEvent) UnmarshalBinary ¶
func (e *MountReleasedEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type OpenEvent ¶
type OpenEvent struct { SyscallEvent File FileEvent `field:"file"` Flags uint32 `field:"flags"` // Flags used when opening the file Mode uint32 `field:"file.destination.mode"` // Mode of the created file }
OpenEvent represents an open event
type OpenFlags ¶
type OpenFlags int
OpenFlags represents an open flags bitmask value
func (OpenFlags) StringArray ¶
StringArray returns the open flags as an array of strings
type PTraceEvent ¶ added in v0.34.0
type PTraceEvent struct { SyscallEvent Request uint32 `field:"request"` // ptrace request PID uint32 `field:"-"` Address uint64 `field:"-"` Tracee ProcessContext `field:"tracee"` // process context of the tracee TraceeProcessCacheEntry *ProcessCacheEntry `field:"-"` }
PTraceEvent represents a ptrace event
func (*PTraceEvent) UnmarshalBinary ¶ added in v0.34.0
func (e *PTraceEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type PTraceRequest ¶ added in v0.34.0
type PTraceRequest uint32
PTraceRequest represents a ptrace request value
func (PTraceRequest) String ¶ added in v0.34.0
func (f PTraceRequest) String() string
type Process ¶
type Process struct { // proc_cache_t FileFields FileFields `field:"file"` Pid uint32 `field:"pid"` // Process ID of the process (also called thread group ID) Tid uint32 `field:"tid"` // Thread ID of the thread PathnameStr string `field:"file.path"` // Path of the process executable BasenameStr string `field:"file.name"` // Basename of the path of the process executable Filesystem string `field:"file.filesystem"` // FileSystem of the process executable PathResolutionError error `field:"-"` ContainerID string `field:"container.id"` // Container ID TTYName string `field:"tty_name"` // Name of the TTY associated with the process Comm string `field:"comm"` // Comm attribute of the process // pid_cache_t ForkTime time.Time `field:"-"` ExitTime time.Time `field:"-"` ExecTime time.Time `field:"-"` CreatedAt uint64 `field:"created_at,ResolveProcessCreatedAt"` // Timestamp of the creation of the process Cookie uint32 `field:"cookie"` // Cookie of the process PPid uint32 `field:"ppid"` // Parent process ID // credentials_t section of pid_cache_t Credentials ArgsID uint32 `field:"-"` EnvsID uint32 `field:"-"` ArgsEntry *ArgsEntry `field:"-"` EnvsEntry *EnvsEntry `field:"-"` // defined to generate accessors, ArgsTruncated and EnvsTruncated are used during by unmarshaller Argv0 string `field:"argv0,ResolveProcessArgv0:100"` // First argument of the process Args string `field:"args,ResolveProcessArgs:100"` // Arguments of the process (as a string) Argv []string `field:"argv,ResolveProcessArgv:100" field:"args_flags,ResolveProcessArgsFlags" field:"args_options,ResolveProcessArgsOptions"` // Arguments of the process (as an array) ArgsTruncated bool `field:"args_truncated,ResolveProcessArgsTruncated"` // Indicator of arguments truncation Envs []string `field:"envs,ResolveProcessEnvs:100"` // Environment variable names of the process Envp []string `field:"envp,ResolveProcessEnvp:100"` // Environment variables of the process EnvsTruncated bool `field:"envs_truncated,ResolveProcessEnvsTruncated"` // Indicator of environment variables truncation // cache version ScrubbedArgvResolved bool `field:"-"` ScrubbedArgv []string `field:"-"` ScrubbedArgsTruncated bool `field:"-"` Variables eval.Variables `field:"-"` }
Process represents a process
func (*Process) GetPathResolutionError ¶
GetPathResolutionError returns the path resolution error as a string if there is one
type ProcessAncestorsIterator ¶
type ProcessAncestorsIterator struct {
// contains filtered or unexported fields
}
ProcessAncestorsIterator defines an iterator of ancestors
func (*ProcessAncestorsIterator) Front ¶
func (it *ProcessAncestorsIterator) Front(ctx *eval.Context) unsafe.Pointer
Front returns the first element
func (*ProcessAncestorsIterator) Next ¶
func (it *ProcessAncestorsIterator) Next() unsafe.Pointer
Next returns the next element
type ProcessCacheEntry ¶
type ProcessCacheEntry struct { ProcessContext // contains filtered or unexported fields }
ProcessCacheEntry this struct holds process context kept in the process tree
func NewProcessCacheEntry ¶
func NewProcessCacheEntry(onRelease func(_ *ProcessCacheEntry)) *ProcessCacheEntry
NewProcessCacheEntry returns a new process cache entry
func (*ProcessCacheEntry) Exec ¶
func (pc *ProcessCacheEntry) Exec(entry *ProcessCacheEntry)
Exec replace a process
func (*ProcessCacheEntry) Exit ¶
func (pc *ProcessCacheEntry) Exit(exitTime time.Time)
Exit a process
func (*ProcessCacheEntry) Fork ¶
func (pc *ProcessCacheEntry) Fork(childEntry *ProcessCacheEntry)
Fork returns a copy of the current ProcessCacheEntry
func (*ProcessCacheEntry) Release ¶
func (e *ProcessCacheEntry) Release()
Release decrement and eventually release the entry
func (*ProcessCacheEntry) Retain ¶
func (e *ProcessCacheEntry) Retain()
Retain increment ref counter
func (*ProcessCacheEntry) SetAncestor ¶
func (pc *ProcessCacheEntry) SetAncestor(parent *ProcessCacheEntry)
SetAncestor set the ancestor
func (*ProcessCacheEntry) SetReleaseCallback ¶ added in v0.35.0
func (e *ProcessCacheEntry) SetReleaseCallback(callback func())
SetReleaseCallback set the callback called when the entry is released
type ProcessContext ¶
type ProcessContext struct { Process Ancestor *ProcessCacheEntry `field:"ancestors,,ProcessAncestorsIterator"` }
ProcessContext holds the process context of an event
func (*ProcessContext) UnmarshalBinary ¶
func (p *ProcessContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type Protection ¶ added in v0.34.0
type Protection int
Protection represents a virtual memory protection bitmask value
func (Protection) String ¶ added in v0.34.0
func (p Protection) String() string
type RenameEvent ¶
type RenameEvent struct { SyscallEvent Old FileEvent `field:"file"` New FileEvent `field:"file.destination"` DiscarderRevision uint32 `field:"-"` }
RenameEvent represents a rename event
func (*RenameEvent) UnmarshalBinary ¶
func (e *RenameEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type RetValError ¶
type RetValError int
RetValError represents a syscall return error value
func (RetValError) String ¶
func (f RetValError) String() string
type RmdirEvent ¶
type RmdirEvent struct { SyscallEvent File FileEvent `field:"file"` DiscarderRevision uint32 `field:"-"` }
RmdirEvent represents a rmdir event
func (*RmdirEvent) UnmarshalBinary ¶
func (e *RmdirEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type SELinuxEvent ¶
type SELinuxEvent struct { File FileEvent `field:"-"` EventKind SELinuxEventKind `field:"-"` BoolName string `field:"bool.name,ResolveSELinuxBoolName"` // SELinux boolean name BoolChangeValue string `field:"bool.state"` // SELinux boolean new value BoolCommitValue bool `field:"bool_commit.state"` // Indicator of a SELinux boolean commit operation EnforceStatus string `field:"enforce.status"` // SELinux enforcement status (one of "enforcing", "permissive", "disabled"") }
SELinuxEvent represents a selinux event
func (*SELinuxEvent) UnmarshalBinary ¶
func (e *SELinuxEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type SELinuxEventKind ¶
type SELinuxEventKind uint32
SELinuxEventKind represents the event kind for SELinux events
const ( // SELinuxBoolChangeEventKind represents SELinux boolean change events SELinuxBoolChangeEventKind SELinuxEventKind = iota // SELinuxStatusChangeEventKind represents SELinux status change events SELinuxStatusChangeEventKind // SELinuxBoolCommitEventKind represents SELinux boolean commit events SELinuxBoolCommitEventKind )
type SetXAttrEvent ¶
type SetXAttrEvent struct { SyscallEvent File FileEvent `field:"file"` Namespace string `field:"file.destination.namespace,ResolveXAttrNamespace"` // Namespace of the extended attribute Name string `field:"file.destination.name,ResolveXAttrName"` // Name of the extended attribute NameRaw [200]byte }
SetXAttrEvent represents an extended attributes event
func (*SetXAttrEvent) UnmarshalBinary ¶
func (e *SetXAttrEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type SetgidEvent ¶
type SetgidEvent struct { GID uint32 `field:"gid"` // New GID of the process Group string `field:"group,ResolveSetgidGroup"` // New group of the process EGID uint32 `field:"egid"` // New effective GID of the process EGroup string `field:"egroup,ResolveSetgidEGroup"` // New effective group of the process FSGID uint32 `field:"fsgid"` // New FileSystem GID of the process FSGroup string `field:"fsgroup,ResolveSetgidFSGroup"` // New FileSystem group of the process }
SetgidEvent represents a setgid event
func (*SetgidEvent) UnmarshalBinary ¶
func (e *SetgidEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type SetuidEvent ¶
type SetuidEvent struct { UID uint32 `field:"uid"` // New UID of the process User string `field:"user,ResolveSetuidUser"` // New user of the process EUID uint32 `field:"euid"` // New effective UID of the process EUser string `field:"euser,ResolveSetuidEUser"` // New effective user of the process FSUID uint32 `field:"fsuid"` // New FileSystem UID of the process FSUser string `field:"fsuser,ResolveSetuidFSUser"` // New FileSystem user of the process }
SetuidEvent represents a setuid event
func (*SetuidEvent) UnmarshalBinary ¶
func (e *SetuidEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type Signal ¶ added in v0.35.0
type Signal int
Signal represents a type of unix signal (ie, SIGKILL, SIGSTOP etc)
type SignalEvent ¶ added in v0.35.0
type SignalEvent struct { SyscallEvent Type uint32 `field:"type"` // Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc) PID uint32 `field:"pid"` // Target PID Target ProcessContext `field:"target"` // Target process context TargetProcessCacheEntry *ProcessCacheEntry `field:"-"` }
SignalEvent represents a signal event
func (*SignalEvent) UnmarshalBinary ¶ added in v0.35.0
func (e *SignalEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type SpanContext ¶
SpanContext describes a span context
func (*SpanContext) UnmarshalBinary ¶
func (s *SpanContext) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type SyscallEvent ¶
type SyscallEvent struct {
Retval int64 `field:"retval"` // Return value of the syscall
}
SyscallEvent contains common fields for all the event
func (*SyscallEvent) UnmarshalBinary ¶
func (e *SyscallEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type UmountEvent ¶
type UmountEvent struct { SyscallEvent MountID uint32 }
UmountEvent represents an umount event
func (*UmountEvent) UnmarshalBinary ¶
func (e *UmountEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type UnlinkEvent ¶
type UnlinkEvent struct { SyscallEvent File FileEvent `field:"file"` Flags uint32 `field:"-"` DiscarderRevision uint32 `field:"-"` }
UnlinkEvent represents an unlink event
func (*UnlinkEvent) UnmarshalBinary ¶
func (e *UnlinkEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself
type UnlinkFlags ¶
type UnlinkFlags int
UnlinkFlags represents an unlink flags bitmask value
func (UnlinkFlags) String ¶
func (f UnlinkFlags) String() string
func (UnlinkFlags) StringArray ¶
func (f UnlinkFlags) StringArray() []string
StringArray returns the unlink flags as an array of strings
type UnloadModuleEvent ¶ added in v0.35.0
type UnloadModuleEvent struct { SyscallEvent Name string `field:"name"` // Name of the kernel module that was deleted }
UnloadModuleEvent represents an unload_module event
func (*UnloadModuleEvent) UnmarshalBinary ¶ added in v0.35.0
func (e *UnloadModuleEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshals a binary representation of itself
type UtimesEvent ¶
type UtimesEvent struct { SyscallEvent File FileEvent `field:"file"` Atime time.Time `field:"-"` Mtime time.Time `field:"-"` }
UtimesEvent represents a utime event
func (*UtimesEvent) UnmarshalBinary ¶
func (e *UtimesEvent) UnmarshalBinary(data []byte) (int, error)
UnmarshalBinary unmarshalls a binary representation of itself