activitytree

package
v0.0.0-...-c27a53e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 21, 2024 License: Apache-2.0 Imports: 34 Imported by: 0

Documentation

Overview

Package activitytree holds activitytree related files

Package activitytree holds activitytree related files

Index

Constants

View Source 
const CookieToProcessNodeCacheSize = 128

CookieToProcessNodeCacheSize defines the "cookie to process" node cache size

View Source 
const MaxMmapedFiles = 128

MaxMmapedFiles defines the max mmaped files

Variables

View Source 
var (
	// ErrBrokenLineage is returned when the given process don't have a full lineage
	ErrBrokenLineage = errors.New("broken lineage")
	// ErrNotValidRootNode is returned when trying to insert a process with an invalide root node
	ErrNotValidRootNode = errors.New("root node not valid")
)

Functions

func AppendIfNotPresent 

func AppendIfNotPresent(slice []string, toAdd string) ([]string, bool)

AppendIfNotPresent append a token to a slice only if the token is not already present

func ExtractFirstParent 

func ExtractFirstParent(path string) (string, int)

ExtractFirstParent extracts first parent

func GetNextAncestorBinaryOrArgv0 

func GetNextAncestorBinaryOrArgv0(entry *model.ProcessContext) *model.ProcessCacheEntry

GetNextAncestorBinaryOrArgv0 returns the first ancestor with a different binary, or a different argv0 in the case of busybox processes

func ProtoDecodeActivityTree 

func ProtoDecodeActivityTree(dest *ActivityTree, nodes []*adproto.ProcessActivityNode)

ProtoDecodeActivityTree decodes an ActivityTree structure

func ProtoDecodeTimestamp 

func ProtoDecodeTimestamp(nanos uint64) time.Time

ProtoDecodeTimestamp decodes a nanosecond representation of a timestamp

func TimestampToProto 

func TimestampToProto(t *time.Time) uint64

TimestampToProto encode a timestamp

func ToProto 

func ToProto(at *ActivityTree) []*adproto.ProcessActivityNode

ToProto encodes an activity tree to its protobuf representation

Types

type ActivityTree 

type ActivityTree struct {
	Stats *Stats

	DNSMatchMaxDepth int

	CookieToProcessNode *simplelru.LRU[cookieSelector, *ProcessNode]
	ProcessNodes        []*ProcessNode `json:"-"`

	// top level lists used to summarize the content of the tree
	DNSNames     *utils.StringKeys
	SyscallsMask map[int]int
	// contains filtered or unexported fields
}

ActivityTree contains a process tree and its activities. This structure has no locks.

func NewActivityTree 

func NewActivityTree(validator Owner, pathsReducer *PathsReducer, treeType string) *ActivityTree

NewActivityTree returns a new ActivityTree instance

func (*ActivityTree) AppendChild 

func (at *ActivityTree) AppendChild(node *ProcessNode)

AppendChild appends a new root node in the ActivityTree

func (*ActivityTree) AppendImageTag 

func (at *ActivityTree) AppendImageTag(_ string)

AppendImageTag appends the given image tag

func (*ActivityTree) ComputeActivityTreeStats 

func (at *ActivityTree) ComputeActivityTreeStats()

ComputeActivityTreeStats computes the initial counts of the activity tree stats

func (*ActivityTree) ComputeSyscallsList 

func (at *ActivityTree) ComputeSyscallsList() []uint32

ComputeSyscallsList computes the top level list of syscalls

func (*ActivityTree) Contains 

func (at *ActivityTree) Contains(event *model.Event, insertMissingProcesses bool, imageTag string, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error)

Contains looks up the event in the activity tree

func (*ActivityTree) CreateProcessNode 

func (at *ActivityTree) CreateProcessNode(entry *model.ProcessCacheEntry, imageTag string, generationType NodeGenerationType, dryRun bool, resolvers *resolvers.EBPFResolvers) (*ProcessNode, bool, error)

CreateProcessNode looks up or inserts the provided entry in the tree

func (*ActivityTree) Debug 

func (at *ActivityTree) Debug(w io.Writer)

Debug dumps the content of an activity tree

func (*ActivityTree) DifferentiateArgs 

func (at *ActivityTree) DifferentiateArgs()

DifferentiateArgs enables the args differentiation feature

func (*ActivityTree) EvictImageTag 

func (at *ActivityTree) EvictImageTag(imageTag string)

EvictImageTag will remove every trace of the given image tag from the tree

func (*ActivityTree) ExtractPaths 

func (at *ActivityTree) ExtractPaths(_, fimEnabled, lineageEnabled bool) (map[string][]string, map[string][]string)

ExtractPaths returns the exec / fim, exec / parent paths

func (*ActivityTree) ExtractSyscalls 

func (at *ActivityTree) ExtractSyscalls(arch string) []string

ExtractSyscalls return the syscalls present in an activity tree

func (*ActivityTree) FindMatchingRootNodes 

func (at *ActivityTree) FindMatchingRootNodes(arg0 string) []*ProcessNode

FindMatchingRootNodes finds and returns the matching root nodes

func (*ActivityTree) GetChildren 

func (at *ActivityTree) GetChildren() *[]*ProcessNode

GetChildren returns the list of root ProcessNodes from the ActivityTree

func (*ActivityTree) GetParent 

func (at *ActivityTree) GetParent() ProcessNodeParent

GetParent returns nil for the ActivityTree

func (*ActivityTree) GetSiblings 

func (at *ActivityTree) GetSiblings() *[]*ProcessNode

GetSiblings returns the list of siblings of the current node

func (*ActivityTree) Insert 

func (at *ActivityTree) Insert(event *model.Event, insertMissingProcesses bool, imageTag string, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error)

Insert inserts the event in the activity tree

func (*ActivityTree) IsEmpty 

func (at *ActivityTree) IsEmpty() bool

IsEmpty returns true if the tree is empty

func (*ActivityTree) PrepareGraphData 

func (at *ActivityTree) PrepareGraphData(title string, resolver *process.EBPFResolver) utils.Graph

PrepareGraphData returns a graph from the activity tree

func (*ActivityTree) ScrubProcessArgsEnvs 

func (at *ActivityTree) ScrubProcessArgsEnvs(resolver *process.EBPFResolver)

ScrubProcessArgsEnvs scrubs and retains process args and envs

func (*ActivityTree) SendStats 

func (at *ActivityTree) SendStats(client statsd.ClientInterface) error

SendStats sends the tree statistics

func (*ActivityTree) Snapshot 

func (at *ActivityTree) Snapshot(newEvent func() *model.Event)

Snapshot uses procfs to snapshot the nodes of the tree

func (*ActivityTree) TagAllNodes 

func (at *ActivityTree) TagAllNodes(imageTag string)

TagAllNodes tags all the activity tree's nodes with the given image tag

type BindNode 

type BindNode struct {
	MatchedRules []*model.MatchedRule
	ImageTags    []string

	GenerationType NodeGenerationType
	Port           uint16
	IP             string
}

BindNode is used to store a bind node

func (*BindNode) Matches 

func (bn *BindNode) Matches(toMatch *BindNode) bool

Matches returns true if BindNodes matches

type DNSNode 

type DNSNode struct {
	MatchedRules []*model.MatchedRule
	ImageTags    []string

	GenerationType NodeGenerationType
	Requests       []model.DNSEvent
}

DNSNode is used to store a DNS node

func NewDNSNode 

func NewDNSNode(event *model.DNSEvent, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string) *DNSNode

NewDNSNode returns a new DNSNode instance

type FileNode 

type FileNode struct {
	MatchedRules   []*model.MatchedRule
	Name           string
	ImageTags      []string
	IsPattern      bool
	File           *model.FileEvent
	GenerationType NodeGenerationType
	FirstSeen      time.Time

	Open *OpenNode

	Children map[string]*FileNode
}

FileNode holds a tree representation of a list of files

func NewFileNode 

func NewFileNode(fileEvent *model.FileEvent, event *model.Event, name string, imageTag string, generationType NodeGenerationType, reducedFilePath string, resolvers *resolvers.EBPFResolvers) *FileNode

NewFileNode returns a new FileActivityNode instance

func (*FileNode) InsertFileEvent 

func (fn *FileNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, remainingPath string, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducedPath string, resolvers *resolvers.EBPFResolvers) bool

InsertFileEvent inserts an event in a FileNode. This function returns true if a new entry was added, false if the event was dropped.

type IMDSNode 

type IMDSNode struct {
	MatchedRules   []*model.MatchedRule
	ImageTags      []string
	GenerationType NodeGenerationType

	Event model.IMDSEvent
}

IMDSNode is used to store a IMDS node

func NewIMDSNode 

func NewIMDSNode(event *model.IMDSEvent, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string) *IMDSNode

NewIMDSNode returns a new IMDSNode instance

type NodeDroppedReason 

type NodeDroppedReason byte

NodeDroppedReason is used to list the reasons to drop a node

func (NodeDroppedReason) String 

func (reason NodeDroppedReason) String() string

func (NodeDroppedReason) Tag 

func (reason NodeDroppedReason) Tag() string

Tag returns the metric tag associated with this dropped reason, it's basically fmt.Sprintf("reason:%s", reason)

type NodeGenerationType 

type NodeGenerationType byte

NodeGenerationType is used to indicate if a node was generated by a runtime or snapshot event IMPORTANT: IT MUST STAY IN SYNC WITH `adproto.GenerationType` 

const (
	// Unknown is a node that was added at an unknown time
	Unknown NodeGenerationType = 0
	// Runtime is a node that was added at runtime
	Runtime NodeGenerationType = 1
	// Snapshot is a node that was added during the snapshot
	Snapshot NodeGenerationType = 2
	// ProfileDrift is a node that was added because of a drift from a security profile
	ProfileDrift NodeGenerationType = 3
	// WorkloadWarmup is a node that was added of a drift in a warming up profile
	WorkloadWarmup NodeGenerationType = 4
	// MaxNodeGenerationType is the maximum node type
	MaxNodeGenerationType NodeGenerationType = 4
)

func (NodeGenerationType) String 

func (genType NodeGenerationType) String() string

func (NodeGenerationType) Tag 

func (genType NodeGenerationType) Tag() string

Tag returns the metric tag associated with this generation type, it's basically fmt.Sprintf("generation_type:%s", genType)

type OpenNode 

type OpenNode struct {
	model.SyscallEvent
	Flags uint32
	Mode  uint32
}

OpenNode contains the relevant fields of an Open event on which we might want to write a profiling rule

type Owner 

type Owner interface {
	MatchesSelector(entry *model.ProcessCacheEntry) bool
	IsEventTypeValid(evtType model.EventType) bool
	NewProcessNodeCallback(p *ProcessNode)
}

Owner is used to communicate with the owner of the activity tree

type PathsReducer 

type PathsReducer struct {
	// contains filtered or unexported fields
}

PathsReducer is used to reduce the paths in an activity tree according to predefined heuristics

func NewPathsReducer 

func NewPathsReducer() *PathsReducer

NewPathsReducer returns a new PathsReducer

func (*PathsReducer) ReducePath 

func (r *PathsReducer) ReducePath(path string, fileEvent *model.FileEvent, node *ProcessNode) string

ReducePath reduces a path according to the predefined heuristics

type PatternReducer 

type PatternReducer struct {
	Pattern  *regexp.Regexp
	Hint     string
	PreCheck func(fileEvent *model.FileEvent) bool
	Callback func(ctx *callbackContext)
}

PatternReducer is used to reduce the paths in an activity tree according to a given pattern

type ProcessNode 

type ProcessNode struct {
	Process        model.Process
	Parent         ProcessNodeParent
	GenerationType NodeGenerationType
	ImageTags      []string
	MatchedRules   []*model.MatchedRule

	Files      map[string]*FileNode
	DNSNames   map[string]*DNSNode
	IMDSEvents map[model.IMDSEvent]*IMDSNode

	Sockets  []*SocketNode
	Syscalls []*SyscallNode
	Children []*ProcessNode
}

ProcessNode holds the activity of a process

func NewProcessNode 

func NewProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) *ProcessNode

NewProcessNode returns a new ProcessNode instance

func (*ProcessNode) AppendChild 

func (pn *ProcessNode) AppendChild(node *ProcessNode)

AppendChild appends a new root node in the ActivityTree

func (*ProcessNode) AppendImageTag 

func (pn *ProcessNode) AppendImageTag(imageTag string)

AppendImageTag appends the given image tag to the list

func (*ProcessNode) EvictImageTag 

func (pn *ProcessNode) EvictImageTag(imageTag string, DNSNames *utils.StringKeys, SyscallsMask map[int]int) bool

EvictImageTag will remmove every trace of this image tag, and returns true if the process node should be removed also, recompute the list of dnsnames and syscalls

func (*ProcessNode) GetChildren 

func (pn *ProcessNode) GetChildren() *[]*ProcessNode

GetChildren returns the list of children from the ProcessNode

func (*ProcessNode) GetParent 

func (pn *ProcessNode) GetParent() ProcessNodeParent

GetParent returns nil for the ActivityTree

func (*ProcessNode) GetSiblings 

func (pn *ProcessNode) GetSiblings() *[]*ProcessNode

GetSiblings returns the list of siblings of the current node

func (*ProcessNode) InsertBindEvent 

func (pn *ProcessNode) InsertBindEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertBindEvent inserts a bind event in a process node

func (*ProcessNode) InsertDNSEvent 

func (pn *ProcessNode) InsertDNSEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, DNSNames *utils.StringKeys, dryRun bool, dnsMatchMaxDepth int) bool

InsertDNSEvent inserts a DNS event in a process node

func (*ProcessNode) InsertFileEvent 

func (pn *ProcessNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducer *PathsReducer, resolvers *resolvers.EBPFResolvers) bool

InsertFileEvent inserts the provided file event in the current node. This function returns true if a new entry was added, false if the event was dropped.

func (*ProcessNode) InsertIMDSEvent 

func (pn *ProcessNode) InsertIMDSEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertIMDSEvent inserts an IMDS event in a process node

func (*ProcessNode) InsertSyscalls 

func (pn *ProcessNode) InsertSyscalls(e *model.Event, imageTag string, syscallMask map[int]int, stats *Stats, dryRun bool) bool

InsertSyscalls inserts the syscall of the process in the dump

func (*ProcessNode) Matches 

func (pn *ProcessNode) Matches(entry *model.Process, matchArgs bool, normalize bool) bool

Matches return true if the process fields used to generate the dump are identical with the provided model.Process

func (*ProcessNode) TagAllNodes 

func (pn *ProcessNode) TagAllNodes(imageTag string)

TagAllNodes tags this process, its files/dns/socks and childrens with the given image tag

type ProcessNodeParent 

type ProcessNodeParent interface {
	GetParent() ProcessNodeParent
	GetChildren() *[]*ProcessNode
	GetSiblings() *[]*ProcessNode
	AppendChild(node *ProcessNode)
	AppendImageTag(imageTag string)
}

ProcessNodeParent is an interface used to identify the parent of a process node

type SocketNode 

type SocketNode struct {
	Family         string
	GenerationType NodeGenerationType
	Bind           []*BindNode
}

SocketNode is used to store a Socket node and associated events

func NewSocketNode 

func NewSocketNode(family string, generationType NodeGenerationType) *SocketNode

NewSocketNode returns a new SocketNode instance

func (*SocketNode) InsertBindEvent 

func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, imageTag string, generationType NodeGenerationType, rules []*model.MatchedRule, dryRun bool) bool

InsertBindEvent inserts a bind even inside a socket node

func (*SocketNode) Matches 

func (sn *SocketNode) Matches(toMatch *SocketNode) bool

Matches returns true if BindNodes matches

type Stats 

type Stats struct {
	ProcessNodes int64
	FileNodes    int64
	DNSNodes     int64
	SocketNodes  int64
	IMDSNodes    int64
	SyscallNodes int64
	// contains filtered or unexported fields
}

Stats represents the node counts in an activity dump

func NewActivityTreeNodeStats 

func NewActivityTreeNodeStats() *Stats

NewActivityTreeNodeStats returns a new activity tree stats

func (*Stats) ApproximateSize 

func (stats *Stats) ApproximateSize() int64

ApproximateSize returns an approximation of the size of the tree

func (*Stats) SendStats 

func (stats *Stats) SendStats(client statsd.ClientInterface, treeType string) error

SendStats sends metrics to Datadog

type SyscallNode 

type SyscallNode struct {
	ImageTags      []string
	GenerationType NodeGenerationType

	Syscall int
}

SyscallNode is used to store a syscall node

func NewSyscallNode 

func NewSyscallNode(syscall int, imageTag string, generationType NodeGenerationType) *SyscallNode

NewSyscallNode returns a new SyscallNode instance

Source Files

View all Source files

Directories

Path Synopsis
Package metadata holds metadata related files
 Package metadata holds metadata related files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.