Package dump holds dump-related files

Constants

const (
	// ProtobufVersion defines the protobuf version in use
	ProtobufVersion = "v1"
	// ActivityDumpSource defines the source of activity dumps
	ActivityDumpSource = "runtime-security-agent"
)

Variables

var ActivityDumpGraphTemplate = `` /* 583-byte string literal not displayed */

ActivityDumpGraphTemplate is the template used to generate graphs

var (
	// TracedEventTypesReductionOrder is the order by which event types are reduced
	TracedEventTypesReductionOrder = []model.EventType{model.BindEventType, model.IMDSEventType, model.DNSEventType, model.SyscallsEventType, model.FileOpenEventType}
)

Functions

func ActivityDumpToSecurityProfileProto

func ActivityDumpToSecurityProfileProto(input *ActivityDump) (*proto.SecurityProfile, error)

ActivityDumpToSecurityProfileProto serializes an Activity Dump to a Security Profile protobuf representation

func GenerateRules

func GenerateRules(ads []*ActivityDump, opts SECLRuleOpts) []*rules.RuleDefinition

GenerateRules returns the rules generated from the provided activity dumps

func NewActivityDumpLoadConfig

func NewActivityDumpLoadConfig(evt []model.EventType, timeout time.Duration, waitListTimeout time.Duration, rate int, start time.Time, resolver *stime.Resolver) *model.ActivityDumpLoadConfig

NewActivityDumpLoadConfig returns a new instance of ActivityDumpLoadConfig

Types

type ActivityDump

type ActivityDump struct {
	// Embedded mutex; the methods presumably lock it before touching the
	// tree and the load config — confirm against the method bodies.
	sync.Mutex

	// Intake header: host, service, source, tags and dump metadata.
	ActivityDumpHeader

	// Tags is the list of tags defining the profiled workload.
	Tags            []string
	// ActivityTree holds the activity captured for that workload.
	ActivityTree    *activity_tree.ActivityTree
	// StorageRequests lists the requested storage destinations, grouped by
	// output format (populated through AddStorageRequest).
	StorageRequests map[config.StorageFormat][]config.StorageRequest

	// Load config
	LoadConfig       *model.ActivityDumpLoadConfig
	// LoadConfigCookie is presumably the cookie passed to SetLoadConfig — confirm.
	LoadConfigCookie uint64
	// contains filtered or unexported fields
}

ActivityDump holds the activity tree for the workload defined by the provided list of tags. The encoding described by the `msg` annotation is used to generate the activity dump file while the encoding described by the `json` annotation is used to generate the activity dump metadata sent to the event platform.

func LoadActivityDumpsFromFiles

func LoadActivityDumpsFromFiles(path string) ([]*ActivityDump, error)

LoadActivityDumpsFromFiles loads activity dumps from a file or a directory

func NewActivityDump

func NewActivityDump(adm *ActivityDumpManager, options ...WithDumpOption) *ActivityDump

NewActivityDump returns a new instance of an ActivityDump

func NewActivityDumpFromMessage

func NewActivityDumpFromMessage(msg *api.ActivityDumpMessage) (*ActivityDump, error)

NewActivityDumpFromMessage returns a new ActivityDump from a SecurityActivityDumpMessage.

func NewEmptyActivityDump

func NewEmptyActivityDump(pathsReducer *activity_tree.PathsReducer) *ActivityDump

NewEmptyActivityDump returns a new zero-like instance of an ActivityDump

func (*ActivityDump) AddStorageRequest

func (ad *ActivityDump) AddStorageRequest(request config.StorageRequest)

AddStorageRequest adds a storage request to an activity dump

func (*ActivityDump) ComputeInMemorySize

func (ad *ActivityDump) ComputeInMemorySize() int64

ComputeInMemorySize returns the size of a dump in memory

func (*ActivityDump) Decode

func (ad *ActivityDump) Decode(inputFile string) error

Decode decodes an activity dump from a file

func (*ActivityDump) DecodeFromReader

func (ad *ActivityDump) DecodeFromReader(reader io.Reader, format config.StorageFormat) error

DecodeFromReader decodes an activity dump from a reader with the provided format

func (*ActivityDump) DecodeJSON

func (ad *ActivityDump) DecodeJSON(reader io.Reader) error

DecodeJSON decodes JSON to an activity dump

func (*ActivityDump) DecodeProfileProtobuf

func (ad *ActivityDump) DecodeProfileProtobuf(reader io.Reader) error

DecodeProfileProtobuf decodes an activity dump from a profile protobuf

func (*ActivityDump) DecodeProtobuf

func (ad *ActivityDump) DecodeProtobuf(reader io.Reader) error

DecodeProtobuf decodes an activity dump as Protobuf

func (*ActivityDump) Encode

func (ad *ActivityDump) Encode(format config.StorageFormat) (*bytes.Buffer, error)

Encode encodes an activity dump in the provided format

func (*ActivityDump) EncodeDOT

func (ad *ActivityDump) EncodeDOT() (*bytes.Buffer, error)

EncodeDOT encodes an activity dump in the DOT format

func (*ActivityDump) EncodeJSON

func (ad *ActivityDump) EncodeJSON(indent string) (*bytes.Buffer, error)

EncodeJSON encodes an activity dump in the ProtoJSON format

func (*ActivityDump) EncodeProfile

func (ad *ActivityDump) EncodeProfile() (*bytes.Buffer, error)

EncodeProfile encodes an activity dump in the Security Profile protobuf format

func (*ActivityDump) EncodeProtobuf

func (ad *ActivityDump) EncodeProtobuf() (*bytes.Buffer, error)

EncodeProtobuf encodes an activity dump in the Protobuf format

func (*ActivityDump) Finalize

func (ad *ActivityDump) Finalize(releaseTracedCgroupSpot bool)

Finalize finalizes an active dump: envs and args are scrubbed, tags, service and container ID are set. If a cgroup spot can be released, the dump will be fully stopped.

func (*ActivityDump) FindMatchingRootNodes

func (ad *ActivityDump) FindMatchingRootNodes(basename string) []*activity_tree.ProcessNode

FindMatchingRootNodes returns the root nodes matching the requested comm (basename)

func (*ActivityDump) GetImageNameTag

func (ad *ActivityDump) GetImageNameTag() (string, string)

GetImageNameTag returns the image name and tag for the profiled container

func (*ActivityDump) GetSelectorStr

func (ad *ActivityDump) GetSelectorStr() string

GetSelectorStr returns a string representation of the profile selector

func (*ActivityDump) GetWorkloadSelector

func (ad *ActivityDump) GetWorkloadSelector() *cgroupModel.WorkloadSelector

GetWorkloadSelector returns the workload selector of the dump

func (*ActivityDump) Insert

func (ad *ActivityDump) Insert(event *model.Event)

Insert inserts the provided event into the active ActivityDump. The documented boolean result (true if a new entry was added, false if the event was dropped) does not match the signature shown above, which returns nothing; treat that part of the description as stale.

func (*ActivityDump) IsEmpty

func (ad *ActivityDump) IsEmpty() bool

IsEmpty returns true if the dump does not contain any nodes

func (*ActivityDump) IsEventTypeValid

func (ad *ActivityDump) IsEventTypeValid(event model.EventType) bool

IsEventTypeValid returns true if the provided event type is traced by the activity dump

func (*ActivityDump) MatchesSelector

func (ad *ActivityDump) MatchesSelector(entry *model.ProcessCacheEntry) bool

MatchesSelector returns true if the provided list of tags matches the current ActivityDump

func (*ActivityDump) NewProcessNodeCallback

func (ad *ActivityDump) NewProcessNodeCallback(p *activity_tree.ProcessNode)

NewProcessNodeCallback is a callback function used to propagate the fact that a new process node was added to the activity tree

func (*ActivityDump) ResolveTags

func (ad *ActivityDump) ResolveTags() error

ResolveTags tries to resolve the activity dump tags

func (*ActivityDump) SendStats

func (ad *ActivityDump) SendStats() error

SendStats sends activity dump stats

func (*ActivityDump) SetLoadConfig

func (ad *ActivityDump) SetLoadConfig(cookie uint64, config model.ActivityDumpLoadConfig)

SetLoadConfig sets the load config of the current activity dump

func (*ActivityDump) SetState

func (ad *ActivityDump) SetState(state ActivityDumpStatus)

SetState sets the status of the activity dump

func (*ActivityDump) SetTimeout

func (ad *ActivityDump) SetTimeout(timeout time.Duration)

SetTimeout updates the activity dump timeout

func (*ActivityDump) Snapshot

func (ad *ActivityDump) Snapshot() error

Snapshot snapshots the processes in the activity dump to capture all the

func (*ActivityDump) ToGraph

func (ad *ActivityDump) ToGraph() utils.Graph

ToGraph converts the dump to a graph

func (*ActivityDump) ToSecurityActivityDumpMessage

func (ad *ActivityDump) ToSecurityActivityDumpMessage() *api.ActivityDumpMessage

ToSecurityActivityDumpMessage returns a pointer to a SecurityActivityDumpMessage

func (*ActivityDump) ToTranscodingRequestMessage

func (ad *ActivityDump) ToTranscodingRequestMessage() *api.TranscodingRequestMessage

ToTranscodingRequestMessage returns a pointer to a TranscodingRequestMessage

func (*ActivityDump) Unzip

func (ad *ActivityDump) Unzip(inputFile string, ext string) (string, error)

Unzip decompresses a compressed input file

type ActivityDumpHandler

type ActivityDumpHandler interface {
	// HandleActivityDump is invoked for each activity dump stream message
	// sent by the probe.
	HandleActivityDump(dump *api.ActivityDumpStreamMessage)
}

ActivityDumpHandler represents a handler for the activity dumps sent by the probe

type ActivityDumpHeader

type ActivityDumpHeader struct {
	// standard attributes used by the intake
	Host    string `json:"host,omitempty"`
	Service string `json:"service,omitempty"`
	Source  string `json:"ddsource,omitempty"`

	DDTags string `json:"ddtags,omitempty"`

	// Dump metadata
	mtdt.Metadata

	// Used to store the global list of DNS names contained in this dump
	// this is a hack used to provide this global list to the backend in the JSON header
	// instead of in the protobuf payload.
	DNSNames *utils.StringKeys `json:"dns_names"`
}

ActivityDumpHeader holds the header of an activity dump

type ActivityDumpLoadController

type ActivityDumpLoadController struct {
	// contains filtered or unexported fields
}

ActivityDumpLoadController is a load controller allowing dynamic change of Activity Dump configuration

func NewActivityDumpLoadController

func NewActivityDumpLoadController(adm *ActivityDumpManager) (*ActivityDumpLoadController, error)

NewActivityDumpLoadController returns a new activity dump load controller

func (*ActivityDumpLoadController) NextPartialDump

func (lc *ActivityDumpLoadController) NextPartialDump(ad *ActivityDump) *ActivityDump

NextPartialDump returns a new dump with the same parameters as the current one, or with reduced load config parameters when applicable

func (*ActivityDumpLoadController) PushCurrentConfig

func (lc *ActivityDumpLoadController) PushCurrentConfig() error

PushCurrentConfig pushes the current load controller config to kernel space

type ActivityDumpLocalStorage

type ActivityDumpLocalStorage struct {
	sync.Mutex
	// contains filtered or unexported fields
}

ActivityDumpLocalStorage is used to manage ActivityDumps storage

func (*ActivityDumpLocalStorage) GetStorageType

func (storage *ActivityDumpLocalStorage) GetStorageType() config.StorageType

GetStorageType returns the storage type of the ActivityDumpLocalStorage

func (*ActivityDumpLocalStorage) Persist

func (storage *ActivityDumpLocalStorage) Persist(request config.StorageRequest, ad *ActivityDump, raw *bytes.Buffer) error

Persist saves the provided buffer to the persistent storage

func (*ActivityDumpLocalStorage) SendTelemetry

func (storage *ActivityDumpLocalStorage) SendTelemetry(sender statsd.ClientInterface)

SendTelemetry sends telemetry for the current storage

type ActivityDumpManager

type ActivityDumpManager struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

ActivityDumpManager is used to manage ActivityDumps

func NewActivityDumpManager

func NewActivityDumpManager(config *config.Config, statsdClient statsd.ClientInterface, newEvent func() *model.Event, resolvers *resolvers.EBPFResolvers,
	kernelVersion *kernel.Version, manager *manager.Manager) (*ActivityDumpManager, error)

NewActivityDumpManager returns a new ActivityDumpManager instance

func (*ActivityDumpManager) AddActivityDumpHandler

func (adm *ActivityDumpManager) AddActivityDumpHandler(handler ActivityDumpHandler)

AddActivityDumpHandler sets the probe activity dump handler

func (*ActivityDumpManager) AddContextTags

func (adm *ActivityDumpManager) AddContextTags(ad *ActivityDump)

AddContextTags adds context tags to the activity dump

func (*ActivityDumpManager) DumpActivity

func (adm *ActivityDumpManager) DumpActivity(params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)

DumpActivity handles an activity dump request

func (*ActivityDumpManager) FakeDumpOverweight

func (adm *ActivityDumpManager) FakeDumpOverweight(name string)

FakeDumpOverweight fakes the stats of a dump to force the load controller to trigger. For unit test purposes only.

func (*ActivityDumpManager) HandleActivityDump

func (adm *ActivityDumpManager) HandleActivityDump(dump *api.ActivityDumpStreamMessage)

HandleActivityDump sends an activity dump to the backend

func (*ActivityDumpManager) HandleCGroupTracingEvent

func (adm *ActivityDumpManager) HandleCGroupTracingEvent(event *model.CgroupTracingEvent)

HandleCGroupTracingEvent handles a cgroup tracing event

func (*ActivityDumpManager) HasActiveActivityDump

func (adm *ActivityDumpManager) HasActiveActivityDump(event *model.Event) bool

HasActiveActivityDump returns true if the given event has an active dump

func (*ActivityDumpManager) ListActivityDumps

ListActivityDumps returns the list of active activity dumps

func (*ActivityDumpManager) ProcessEvent

func (adm *ActivityDumpManager) ProcessEvent(event *model.Event)

ProcessEvent processes a new event and inserts it in an activity dump if applicable

func (*ActivityDumpManager) SendStats

func (adm *ActivityDumpManager) SendStats() error

SendStats sends the activity dump manager stats

func (*ActivityDumpManager) SetSecurityProfileManager

func (adm *ActivityDumpManager) SetSecurityProfileManager(manager SecurityProfileManager)

SetSecurityProfileManager sets the security profile manager

func (*ActivityDumpManager) SnapshotTracedCgroups

func (adm *ActivityDumpManager) SnapshotTracedCgroups()

SnapshotTracedCgroups snapshots the kernel space map of cgroups

func (*ActivityDumpManager) Start

func (adm *ActivityDumpManager) Start(ctx context.Context, wg *sync.WaitGroup)

Start runs the ActivityDumpManager

func (*ActivityDumpManager) StopActivityDump

StopActivityDump stops an active activity dump

func (*ActivityDumpManager) StopDumpsWithSelector

func (adm *ActivityDumpManager) StopDumpsWithSelector(selector cgroupModel.WorkloadSelector)

StopDumpsWithSelector stops the active dumps for the given selector and prevents a workload with the provided selector from ever being dumped again

func (*ActivityDumpManager) TranscodingRequest

TranscodingRequest executes the requested transcoding operation

type ActivityDumpRemoteStorage

type ActivityDumpRemoteStorage struct {
	// contains filtered or unexported fields
}

ActivityDumpRemoteStorage is a remote storage that forwards dumps to the backend

func (*ActivityDumpRemoteStorage) GetStorageType

func (storage *ActivityDumpRemoteStorage) GetStorageType() config.StorageType

GetStorageType returns the storage type of the ActivityDumpRemoteStorage

func (*ActivityDumpRemoteStorage) Persist

func (storage *ActivityDumpRemoteStorage) Persist(request config.StorageRequest, ad *ActivityDump, raw *bytes.Buffer) error

Persist saves the provided buffer to the persistent storage

func (*ActivityDumpRemoteStorage) SendTelemetry

func (storage *ActivityDumpRemoteStorage) SendTelemetry(sender statsd.ClientInterface)

SendTelemetry sends telemetry for the current storage

type ActivityDumpRemoteStorageForwarder

type ActivityDumpRemoteStorageForwarder struct {
	// contains filtered or unexported fields
}

ActivityDumpRemoteStorageForwarder is a remote storage that forwards dumps to the security-agent

func (*ActivityDumpRemoteStorageForwarder) GetStorageType

func (storage *ActivityDumpRemoteStorageForwarder) GetStorageType() config.StorageType

GetStorageType returns the storage type of the ActivityDumpRemoteStorageForwarder

func (*ActivityDumpRemoteStorageForwarder) Persist

Persist saves the provided buffer to the persistent storage

func (*ActivityDumpRemoteStorageForwarder) SendTelemetry

func (storage *ActivityDumpRemoteStorageForwarder) SendTelemetry(_ statsd.ClientInterface)

SendTelemetry sends telemetry for the current storage

type ActivityDumpStatus

type ActivityDumpStatus int

ActivityDumpStatus defines the state of an activity dump

const (
	// Stopped means that the ActivityDump is not active
	Stopped ActivityDumpStatus = iota
	// Disabled means that the ActivityDump is ready to be in running state, but the kernel space filters
	// needed to start retrieving events from kernel space are missing
	Disabled
	// Paused means that the ActivityDump is ready to be in running state, but the kernel space filters have been configured
	// to prevent events from being sent over the perf map
	Paused
	// Running means that the ActivityDump is active
	Running
)

type ActivityDumpStorage

type ActivityDumpStorage interface {
	// GetStorageType returns the storage type (see the NewActivityDumpLocalStorage,
	// NewActivityDumpRemoteStorage and NewActivityDumpRemoteStorageForwarder constructors)
	GetStorageType() config.StorageType
	// Persist saves the provided buffer to the persistent storage; the buffer is
	// presumably the encoded dump returned by ActivityDump.Encode — confirm
	Persist(request config.StorageRequest, ad *ActivityDump, raw *bytes.Buffer) error
	// SendTelemetry sends metrics using the provided metrics sender
	SendTelemetry(sender statsd.ClientInterface)
}

ActivityDumpStorage defines the interface implemented by all activity dump storages

func NewActivityDumpLocalStorage

func NewActivityDumpLocalStorage(cfg *config.Config, m *ActivityDumpManager) (ActivityDumpStorage, error)

NewActivityDumpLocalStorage creates a new ActivityDumpLocalStorage instance

func NewActivityDumpRemoteStorage

func NewActivityDumpRemoteStorage() (ActivityDumpStorage, error)

NewActivityDumpRemoteStorage returns a new instance of ActivityDumpRemoteStorage

func NewActivityDumpRemoteStorageForwarder

func NewActivityDumpRemoteStorageForwarder(handler ActivityDumpHandler) (ActivityDumpStorage, error)

NewActivityDumpRemoteStorageForwarder returns a new instance of ActivityDumpRemoteStorageForwarder

type ActivityDumpStorageManager

type ActivityDumpStorageManager struct {
	// contains filtered or unexported fields
}

ActivityDumpStorageManager is used to manage activity dump storages

func NewActivityDumpStorageManager

func NewActivityDumpStorageManager(cfg *config.Config, statsdClient statsd.ClientInterface, handler ActivityDumpHandler, m *ActivityDumpManager) (*ActivityDumpStorageManager, error)

NewActivityDumpStorageManager returns a new instance of ActivityDumpStorageManager

func NewAgentCommandStorageManager

func NewAgentCommandStorageManager(cfg *config.Config) (*ActivityDumpStorageManager, error)

NewAgentCommandStorageManager returns a new instance of ActivityDumpStorageManager

func NewAgentStorageManager

func NewAgentStorageManager() (*ActivityDumpStorageManager, error)

NewAgentStorageManager returns a new instance of ActivityDumpStorageManager

func (*ActivityDumpStorageManager) Persist

func (manager *ActivityDumpStorageManager) Persist(ad *ActivityDump) error

Persist saves the provided dump to the requested storages

func (*ActivityDumpStorageManager) PersistRaw

func (manager *ActivityDumpStorageManager) PersistRaw(requests []config.StorageRequest, ad *ActivityDump, raw *bytes.Buffer) error

PersistRaw saves the provided dump to the requested storages

func (*ActivityDumpStorageManager) SendTelemetry

func (manager *ActivityDumpStorageManager) SendTelemetry()

SendTelemetry sends the telemetry of all storages

type SECLRuleOpts

type SECLRuleOpts struct {
	// NOTE(review): the exact effect of each flag on GenerateRules is not
	// visible here; the descriptions below are inferred from the names — confirm.
	// EnableKill presumably attaches a kill action to the generated rules.
	EnableKill bool
	// AllowList presumably generates allow-list style rules.
	AllowList  bool
	// Lineage presumably generates process lineage rules.
	Lineage    bool
	// ImageName, ImageTag and Service scope the generated rules to a workload
	// (compare ActivityDump.GetImageNameTag).
	ImageName  string
	ImageTag   string
	Service    string
	// FIM presumably enables file integrity monitoring rules.
	FIM        bool
}

SECLRuleOpts defines SECL rules options

type SeccompProfile

type SeccompProfile struct {
	// DefaultAction is the action applied to any syscall not matched by an
	// entry in Syscalls; the yaml/json tags mirror the OCI seccomp profile layout.
	DefaultAction string          `yaml:"defaultAction" json:"defaultAction"`
	// Syscalls lists the per-syscall policies derived from the dumps
	// (see GenerateSeccompProfile).
	Syscalls      []SyscallPolicy `yaml:"syscalls" json:"syscalls"`
}

SeccompProfile represents a Seccomp profile

func GenerateSeccompProfile

func GenerateSeccompProfile(ads []*ActivityDump) *SeccompProfile

GenerateSeccompProfile returns a seccomp profile generated from the provided activity dumps

type SecurityProfileManager

type SecurityProfileManager interface {
	// FetchSilentWorkloads returns cache entries grouped by workload selector;
	// what qualifies a workload as "silent" is not visible here — confirm.
	FetchSilentWorkloads() map[cgroupModel.WorkloadSelector][]*cgroupModel.CacheEntry
	// OnLocalStorageCleanup is presumably notified with the files removed
	// from local storage — confirm against the caller.
	OnLocalStorageCleanup(files []string)
}

SecurityProfileManager is a generic interface used to communicate with the Security Profile manager

type SyscallPolicy

type SyscallPolicy struct {
	// Names lists the syscalls this policy applies to.
	Names  []string `yaml:"names" json:"names"`
	// Action is the seccomp action applied to those syscalls.
	Action string   `yaml:"action" json:"action"`
}

SyscallPolicy represents the policy in a seccomp profile

type WithDumpOption

type WithDumpOption func(ad *ActivityDump)

WithDumpOption can be used to configure an ActivityDump
