process

package
v0.0.0-...-c27a53e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Nov 21, 2024 License: Apache-2.0 Imports: 36 Imported by: 0

Documentation

Overview

Package process holds process related files

Package process holds process related files

Index

Constants

View Source 
const (
	Snapshotting = iota // Snapshotting describes the state where resolvers are being populated
	Snapshotted         // Snapshotted describes the state where resolvers are fully populated
)

Variables

This section is empty.

Functions

func GetProcessArgv 

func GetProcessArgv(pr *model.Process) ([]string, bool)

GetProcessArgv returns the unscrubbed args of the event as an array. Use with caution.

func GetProcessArgv0 

func GetProcessArgv0(pr *model.Process) (string, bool)

GetProcessArgv0 returns the first arg of the event and whether the process arguments are truncated

func IsBusybox 

func IsBusybox(pathname string) bool

IsBusybox returns true if the pathname matches busybox

func IsKThread 

func IsKThread(ppid, pid uint32) bool

IsKThread returns whether given pids are from kthreads

Types

type CacheResolverKey 

type CacheResolverKey struct {
	Pid  uint32 // Pid of the related process (namespaced)
	NSID uint64 // NSID represents the pids namespace ID of the related container
}

CacheResolverKey is used to store and retrieve processes from the cache

type EBPFLessResolver 

type EBPFLessResolver struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

EBPFLessResolver defines a resolver

func NewEBPFLessResolver 

func NewEBPFLessResolver(_ *config.Config, statsdClient statsd.ClientInterface, scrubber *procutil.DataScrubber, opts *ResolverOpts) (*EBPFLessResolver, error)

NewEBPFLessResolver returns a new process resolver

func (*EBPFLessResolver) AddExecEntry 

func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
	envs []string, envsTruncated bool, ctrID string, ts uint64, tty string) *model.ProcessCacheEntry

AddExecEntry adds an entry to the local cache and returns the newly created entry

func (*EBPFLessResolver) AddForkEntry 

func (p *EBPFLessResolver) AddForkEntry(key CacheResolverKey, ppid uint32, ts uint64) *model.ProcessCacheEntry

AddForkEntry adds an entry to the local cache and returns the newly created entry

func (*EBPFLessResolver) AddProcFSEntry 

func (p *EBPFLessResolver) AddProcFSEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
	envs []string, envsTruncated bool, ctrID string, ts uint64, tty string) *model.ProcessCacheEntry

AddProcFSEntry add a procfs entry

func (*EBPFLessResolver) DeleteEntry 

func (p *EBPFLessResolver) DeleteEntry(key CacheResolverKey, exitTime time.Time)

DeleteEntry tries to delete an entry in the process cache

func (*EBPFLessResolver) Dump 

func (p *EBPFLessResolver) Dump(_ bool) (string, error)

Dump create a temp file and dump the cache

func (*EBPFLessResolver) GetProcessArgvScrubbed 

func (p *EBPFLessResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)

GetProcessArgvScrubbed returns the scrubbed args of the event as an array

func (*EBPFLessResolver) GetProcessEnvp 

func (p *EBPFLessResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)

GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution.

func (*EBPFLessResolver) GetProcessEnvs 

func (p *EBPFLessResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)

GetProcessEnvs returns the envs of the event

func (*EBPFLessResolver) NewEntry 

func (p *EBPFLessResolver) NewEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool,
	envs []string, envsTruncated bool, ctrID string, ts uint64, tty string, source uint64) *model.ProcessCacheEntry

NewEntry returns a new entry

func (*EBPFLessResolver) Resolve 

func (p *EBPFLessResolver) Resolve(key CacheResolverKey) *model.ProcessCacheEntry

Resolve returns the cache entry for the given pid

func (*EBPFLessResolver) SendStats 

func (p *EBPFLessResolver) SendStats() error

SendStats sends process resolver metrics

func (*EBPFLessResolver) Snapshot 

func (p *EBPFLessResolver) Snapshot()

Snapshot snapshot existing entryCache

func (*EBPFLessResolver) Start 

func (p *EBPFLessResolver) Start(_ context.Context) error

Start starts the resolver

func (*EBPFLessResolver) UpdateGID 

func (p *EBPFLessResolver) UpdateGID(key CacheResolverKey, gid int32, egid int32)

UpdateGID updates the credentials of the provided pid

func (*EBPFLessResolver) UpdateUID 

func (p *EBPFLessResolver) UpdateUID(key CacheResolverKey, uid int32, euid int32)

UpdateUID updates the credentials of the provided pid

func (*EBPFLessResolver) Walk 

func (p *EBPFLessResolver) Walk(callback func(entry *model.ProcessCacheEntry))

Walk iterates through the entire tree and call the provided callback on each entry

type EBPFResolver 

type EBPFResolver struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

EBPFResolver resolved process context

func NewEBPFResolver 

func NewEBPFResolver(manager *manager.Manager, config *config.Config, statsdClient statsd.ClientInterface,
	scrubber *procutil.DataScrubber, containerResolver *container.Resolver, mountResolver mount.ResolverInterface,
	cgroupResolver *cgroup.Resolver, userGroupResolver *usergroup.Resolver, timeResolver *stime.Resolver,
	pathResolver spath.ResolverInterface, envVarsResolver *envvars.Resolver, opts *ResolverOpts) (*EBPFResolver, error)

NewEBPFResolver returns a new process resolver

func (*EBPFResolver) AddExecEntry 

func (p *EBPFResolver) AddExecEntry(entry *model.ProcessCacheEntry, inode uint64)

AddExecEntry adds an entry to the local cache and returns the newly created entry

func (*EBPFResolver) AddForkEntry 

func (p *EBPFResolver) AddForkEntry(entry *model.ProcessCacheEntry, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error))

AddForkEntry adds an entry to the local cache and returns the newly created entry

func (*EBPFResolver) ApplyBootTime 

func (p *EBPFResolver) ApplyBootTime(entry *model.ProcessCacheEntry)

ApplyBootTime realign timestamp from the boot time

func (*EBPFResolver) CountBrokenLineage 

func (p *EBPFResolver) CountBrokenLineage()

CountBrokenLineage increments the counter of broken lineage

func (*EBPFResolver) DeleteEntry 

func (p *EBPFResolver) DeleteEntry(pid uint32, exitTime time.Time)

DeleteEntry tries to delete an entry in the process cache

func (*EBPFResolver) DequeueExited 

func (p *EBPFResolver) DequeueExited()

DequeueExited dequeue exited process

func (*EBPFResolver) FetchAWSSecurityCredentials 

func (p *EBPFResolver) FetchAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials

FetchAWSSecurityCredentials returns the list of AWS Security Credentials valid at the time of the event, and prunes expired entries

func (*EBPFResolver) Get 

func (p *EBPFResolver) Get(pid uint32) *model.ProcessCacheEntry

Get returns the cache entry for a specified pid

func (*EBPFResolver) GetProcessArgvScrubbed 

func (p *EBPFResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)

GetProcessArgvScrubbed returns the scrubbed args of the event as an array

func (*EBPFResolver) GetProcessEnvp 

func (p *EBPFResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)

GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution.

func (*EBPFResolver) GetProcessEnvs 

func (p *EBPFResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)

GetProcessEnvs returns the envs of the event

func (*EBPFResolver) NewProcessCacheEntry 

func (p *EBPFResolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.ProcessCacheEntry

NewProcessCacheEntry returns a new process cache entry

func (*EBPFResolver) Resolve 

func (p *EBPFResolver) Resolve(pid, tid uint32, inode uint64, useProcFS bool, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry

Resolve returns the cache entry for the given pid

func (*EBPFResolver) ResolveFromCache 

func (p *EBPFResolver) ResolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry

ResolveFromCache resolves cache entry from the cache

func (*EBPFResolver) ResolveFromKernelMaps 

func (p *EBPFResolver) ResolveFromKernelMaps(pid, tid uint32, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry

ResolveFromKernelMaps resolves the entry from the kernel maps

func (*EBPFResolver) ResolveFromProcfs 

func (p *EBPFResolver) ResolveFromProcfs(pid uint32, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry

ResolveFromProcfs resolves the entry from procfs

func (*EBPFResolver) ResolveNewProcessCacheEntry 

func (p *EBPFResolver) ResolveNewProcessCacheEntry(entry *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) error

ResolveNewProcessCacheEntry resolves the context fields of a new process cache entry parsed from kernel data

func (*EBPFResolver) SendStats 

func (p *EBPFResolver) SendStats() error

SendStats sends process resolver metrics

func (*EBPFResolver) SetProcessArgs 

func (p *EBPFResolver) SetProcessArgs(pce *model.ProcessCacheEntry)

SetProcessArgs set arguments to cache entry

func (*EBPFResolver) SetProcessEnvs 

func (p *EBPFResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)

SetProcessEnvs set envs to cache entry

func (*EBPFResolver) SetProcessFilesystem 

func (p *EBPFResolver) SetProcessFilesystem(entry *model.ProcessCacheEntry) (string, error)

SetProcessFilesystem resolves process file system

func (*EBPFResolver) SetProcessPath 

func (p *EBPFResolver) SetProcessPath(fileEvent *model.FileEvent, pce *model.ProcessCacheEntry, ctrCtx *model.ContainerContext) (string, error)

SetProcessPath resolves process file path 

func (p *EBPFResolver) SetProcessSymlink(entry *model.ProcessCacheEntry)

SetProcessSymlink resolves process file symlink path

func (*EBPFResolver) SetProcessTTY 

func (p *EBPFResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string

SetProcessTTY resolves TTY and cache the result

func (*EBPFResolver) SetProcessUsersGroups 

func (p *EBPFResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)

SetProcessUsersGroups resolves and set users and groups

func (*EBPFResolver) SetState 

func (p *EBPFResolver) SetState(state int64)

SetState sets the process resolver state

func (*EBPFResolver) Start 

func (p *EBPFResolver) Start(ctx context.Context) error

Start starts the resolver

func (*EBPFResolver) SyncCache 

func (p *EBPFResolver) SyncCache(proc *process.Process)

SyncCache snapshots /proc for the provided pid.

func (*EBPFResolver) ToDot 

func (p *EBPFResolver) ToDot(withArgs bool) (string, error)

ToDot create a temp file and dump the cache

func (*EBPFResolver) ToJSON 

func (p *EBPFResolver) ToJSON(raw bool) ([]byte, error)

ToJSON return a json version of the cache

func (*EBPFResolver) UpdateAWSSecurityCredentials 

func (p *EBPFResolver) UpdateAWSSecurityCredentials(pid uint32, e *model.Event)

UpdateAWSSecurityCredentials updates the list of AWS Security Credentials

func (*EBPFResolver) UpdateArgsEnvs 

func (p *EBPFResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)

UpdateArgsEnvs updates arguments or environment variables of the given id

func (*EBPFResolver) UpdateCapset 

func (p *EBPFResolver) UpdateCapset(pid uint32, e *model.Event)

UpdateCapset updates the credentials of the provided pid

func (*EBPFResolver) UpdateGID 

func (p *EBPFResolver) UpdateGID(pid uint32, e *model.Event)

UpdateGID updates the credentials of the provided pid

func (*EBPFResolver) UpdateLoginUID 

func (p *EBPFResolver) UpdateLoginUID(pid uint32, e *model.Event)

UpdateLoginUID updates the AUID of the provided pid

func (*EBPFResolver) UpdateUID 

func (p *EBPFResolver) UpdateUID(pid uint32, e *model.Event)

UpdateUID updates the credentials of the provided pid

func (*EBPFResolver) Walk 

func (p *EBPFResolver) Walk(callback func(entry *model.ProcessCacheEntry))

Walk iterates through the entire tree and call the provided callback on each entry

type Pool 

type Pool struct {
	// contains filtered or unexported fields
}

Pool defines a pool for process entry allocations

func NewProcessCacheEntryPool 

func NewProcessCacheEntryPool(onRelease func()) *Pool

NewProcessCacheEntryPool returns a new Pool

func (*Pool) Get 

func (p *Pool) Get() *model.ProcessCacheEntry

Get returns a cache entry

func (*Pool) Put 

func (p *Pool) Put(pce *model.ProcessCacheEntry)

Put returns a cache entry

type ResolverOpts 

type ResolverOpts struct {
	// contains filtered or unexported fields
}

ResolverOpts options of resolver

func NewResolverOpts 

func NewResolverOpts() *ResolverOpts

NewResolverOpts returns a new set of process resolver options

func (*ResolverOpts) WithEnvsResolutionEnabled 

func (o *ResolverOpts) WithEnvsResolutionEnabled() *ResolverOpts

WithEnvsResolutionEnabled enables the envs resolution

func (*ResolverOpts) WithEnvsValue 

func (o *ResolverOpts) WithEnvsValue(envsWithValue []string) *ResolverOpts

WithEnvsValue specifies envs with value

func (*ResolverOpts) WithTTYFallbackEnabled 

func (o *ResolverOpts) WithTTYFallbackEnabled() *ResolverOpts

WithTTYFallbackEnabled enables the TTY fallback

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.