ptracer

package
v0.0.0-...-45a9bcf Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 3, 2024 License: Apache-2.0 Imports: 41 Imported by: 0

Documentation

Overview

Package ptracer holds the start command of CWS injector

Package ptracer holds the start command of CWS injector

Package ptracer holds the start command of CWS injector

Package ptracer holds the start command of CWS injector

Package ptracer holds the start command of CWS injector

Package ptracer holds the start command of CWS injector

Index

Constants

View Source
const (

	// EnvPasswdPathOverride define the env to set to override the default passwd file path
	EnvPasswdPathOverride = "TEST_DD_PASSWD_PATH"
	// EnvGroupPathOverride define the env to set to override the default group file path
	EnvGroupPathOverride = "TEST_DD_GROUP_PATH"
)
View Source
const (
	// RPCCmd defines the ioctl CMD magic used by APM to register span TLS
	RPCCmd uint64 = 0xdeadc001
	// RegisterSpanTLSOp defines the span TLS register op code
	RegisterSpanTLSOp uint8 = 6
)
View Source
const (
	OpenNr           = unix.SYS_OPEN              // OpenNr defines the syscall ID for amd64
	OpenatNr         = unix.SYS_OPENAT            // OpenatNr defines the syscall ID for amd64
	Openat2Nr        = unix.SYS_OPENAT2           // Openat2Nr defines the syscall ID for amd64
	CreatNr          = unix.SYS_CREAT             // CreatNr defines the syscall ID for amd64
	NameToHandleAtNr = unix.SYS_NAME_TO_HANDLE_AT // NameToHandleAtNr defines the syscall ID for amd64
	OpenByHandleAtNr = unix.SYS_OPEN_BY_HANDLE_AT // OpenByHandleAtNr defines the syscall ID for amd64
	ExecveNr         = unix.SYS_EXECVE            // ExecveNr defines the syscall ID for amd64
	ExecveatNr       = unix.SYS_EXECVEAT          // ExecveatNr defines the syscall ID for amd64
	CloneNr          = unix.SYS_CLONE             // CloneNr defines the syscall ID for amd64
	Clone3Nr         = unix.SYS_CLONE3            // Clone3Nr defines the syscall ID for amd64
	ForkNr           = unix.SYS_FORK              // ForkNr defines the syscall ID for amd64
	VforkNr          = unix.SYS_VFORK             // VforkNr defines the syscall ID for amd64
	ExitNr           = unix.SYS_EXIT              // ExitNr defines the syscall ID for amd64
	FcntlNr          = unix.SYS_FCNTL             // FcntlNr defines the syscall ID for amd64
	DupNr            = unix.SYS_DUP               // DupNr defines the syscall ID for amd64
	Dup2Nr           = unix.SYS_DUP2              // Dup2Nr defines the syscall ID for amd64
	Dup3Nr           = unix.SYS_DUP3              // Dup3Nr defines the syscall ID for amd64
	ChdirNr          = unix.SYS_CHDIR             // ChdirNr defines the syscall ID for amd64
	FchdirNr         = unix.SYS_FCHDIR            // FchdirNr defines the syscall ID for amd64
	SetuidNr         = unix.SYS_SETUID            // SetuidNr defines the syscall ID for amd64
	SetgidNr         = unix.SYS_SETGID            // SetgidNr defines the syscall ID for amd64
	SetreuidNr       = unix.SYS_SETREUID          // SetreuidNr defines the syscall ID for amd64
	SetregidNr       = unix.SYS_SETREGID          // SetregidNr defines the syscall ID for amd64
	SetresuidNr      = unix.SYS_SETRESUID         // SetresuidNr defines the syscall ID for amd64
	SetresgidNr      = unix.SYS_SETRESGID         // SetresgidNr defines the syscall ID for amd64
	SetfsuidNr       = unix.SYS_SETFSUID          // SetfsuidNr defines the syscall ID for amd64
	SetfsgidNr       = unix.SYS_SETFSGID          // SetfsgidNr defines the syscall ID for amd64
	CloseNr          = unix.SYS_CLOSE             // CloseNr defines the syscall ID for amd64
	MemfdCreateNr    = unix.SYS_MEMFD_CREATE      // MemfdCreateNr defines the syscall ID for amd64
	CapsetNr         = unix.SYS_CAPSET            // CapsetNr defines the syscall ID for amd64
	UnlinkNr         = unix.SYS_UNLINK            // UnlinkNr defines the syscall ID for amd64
	UnlinkatNr       = unix.SYS_UNLINKAT          // UnlinkatNr defines the syscall ID for amd64
	RmdirNr          = unix.SYS_RMDIR             // RmdirNr defines the syscall ID for amd64
	RenameNr         = unix.SYS_RENAME            // RenameNr defines the syscall ID for amd64
	RenameAtNr       = unix.SYS_RENAMEAT          // RenameAtNr defines the syscall ID for amd64
	RenameAt2Nr      = unix.SYS_RENAMEAT2         // RenameAt2Nr defines the syscall ID for amd64
	MkdirNr          = unix.SYS_MKDIR             // MkdirNr defines the syscall ID for amd64
	MkdirAtNr        = unix.SYS_MKDIRAT           // MkdirAtNr defines the syscall ID for amd64
	UtimeNr          = unix.SYS_UTIME             // UtimeNr defines the syscall ID for amd64
	UtimesNr         = unix.SYS_UTIMES            // UtimesNr defines the syscall ID for amd64
	UtimensAtNr      = unix.SYS_UTIMENSAT         // UtimensAtNr defines the syscall ID for amd64
	FutimesAtNr      = unix.SYS_FUTIMESAT         // FutimesAtNr defines the syscall ID for amd64
	LinkNr           = unix.SYS_LINK              // LinkNr defines the syscall ID for amd64
	LinkAtNr         = unix.SYS_LINKAT            // LinkAtNr defines the syscall ID for amd64
	SymlinkNr        = unix.SYS_SYMLINK           // SymlinkNr defines the syscall ID for amd64
	SymlinkAtNr      = unix.SYS_SYMLINKAT         // SymlinkAtNr defines the syscall ID for amd64
	ChmodNr          = unix.SYS_CHMOD             // ChmodNr defines the syscall ID for amd64
	FchmodNr         = unix.SYS_FCHMOD            // FchmodNr defines the syscall ID for amd64
	FchmodAtNr       = unix.SYS_FCHMODAT          // FchmodAtNr defines the syscall ID for amd64
	FchmodAt2Nr      = unix.SYS_FCHMODAT2         // FchmodAt2Nr defines the syscall ID for amd64
	ChownNr          = unix.SYS_CHOWN             // ChownNr defines the syscall ID for amd64
	FchownNr         = unix.SYS_FCHOWN            // FchownNr defines the syscall ID for amd64
	FchownAtNr       = unix.SYS_FCHOWNAT          // FchownAtNr defines the syscall ID for amd64
	LchownNr         = unix.SYS_LCHOWN            // LchownNr defines the syscall ID for amd64
	InitModuleNr     = unix.SYS_INIT_MODULE       // InitModuleNr defines the syscall ID for amd64
	FInitModuleNr    = unix.SYS_FINIT_MODULE      // FInitModuleNr defines the syscall ID for amd64
	DeleteModuleNr   = unix.SYS_DELETE_MODULE     // DeleteModuleNr defines the syscall ID for amd64
	IoctlNr          = unix.SYS_IOCTL             // IoctlNr defines the syscall ID for amd64
	MountNr          = unix.SYS_MOUNT             // MountNr defines the syscall ID for amd64
	Umount2Nr        = unix.SYS_UMOUNT2           // Umount2Nr defines the syscall ID for amd64
	PipeNr           = unix.SYS_PIPE              // PipeNr defines the syscall ID for arm64
	Pipe2Nr          = unix.SYS_PIPE2             // Pipe2Nr defines the syscall ID for arm64
)

Variables

This section is empty.

Functions

func Attach

func Attach(pids []int, probeAddr string, opts Opts) error

Attach attach the ptracer

func GetSyscallNr

func GetSyscallNr(regs syscall.PtraceRegs) int

GetSyscallNr returns the given syscall number

func Wrap

func Wrap(args []string, envs []string, probeAddr string, opts Opts) (int, error)

Wrap the executable

Types

type CWSPtracerCtx

type CWSPtracerCtx struct {
	Tracer
	// contains filtered or unexported fields
}

CWSPtracerCtx holds the ptracer internal needed variables

func (*CWSPtracerCtx) AttachTracer

func (ctx *CWSPtracerCtx) AttachTracer() error

AttachTracer attach the tracer to the given pid

func (*CWSPtracerCtx) CWSCleanup

func (ctx *CWSPtracerCtx) CWSCleanup()

CWSCleanup cleans up the ptracer

func (*CWSPtracerCtx) NewTracer

func (ctx *CWSPtracerCtx) NewTracer() error

NewTracer returns a tracer

func (*CWSPtracerCtx) StartCWSPtracer

func (ctx *CWSPtracerCtx) StartCWSPtracer() (int, error)

StartCWSPtracer start the ptracer

func (*CWSPtracerCtx) Trace

func (ctx *CWSPtracerCtx) Trace() (int, error)

Trace traces a process

type CallbackType

type CallbackType = int

CallbackType represents a callback type

const (
	// CallbackPreType defines a callback called in pre stage
	CallbackPreType CallbackType = iota
	// CallbackPostType defines a callback called in post stage
	CallbackPostType
	// CallbackExitType defines a callback called at exit
	CallbackExitType

	// MaxStringSize defines the max read size
	MaxStringSize = 4096
)

type Creds

type Creds struct {
	UID *uint32
	GID *uint32
}

Creds defines credentials

type ECSMetadata

type ECSMetadata struct {
	DockerID string `json:"DockerId"`
}

ECSMetadata defines ECS metadata https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html

type FSResources

type FSResources struct {
	Cwd string
}

FSResources defines shared process resources

type FdResources

type FdResources struct {
	Fd              map[int32]string
	FileHandleCache map[fileHandleKey]*fileHandleVal
}

FdResources defines shared process resources

type Logger

type Logger struct {
	Verbose bool
	Debug   bool
}

Logger defines a logger

func (*Logger) Debugf

func (l *Logger) Debugf(fmt string, args ...any)

Debugf print if verbose

func (*Logger) Errorf

func (l *Logger) Errorf(fmt string, args ...any)

Errorf print the error

func (*Logger) Logf

func (l *Logger) Logf(fmt string, args ...any)

Logf print if verbose

type Opts

type Opts struct {
	Creds            Creds
	Verbose          bool
	Debug            bool
	Async            bool
	StatsDisabled    bool
	ProcScanDisabled bool
	ScanProcEvery    time.Duration
	SeccompDisabled  bool
	AttachedCb       func()
	// contains filtered or unexported fields
}

Opts defines ptracer options

type ProcProcess

type ProcProcess struct {
	*process.Process
	CreateTime int64
}

ProcProcess defines a process from procfs

type Process

type Process struct {
	Pid   int
	Tgid  int
	Nr    map[int]*ebpfless.SyscallMsg
	FdRes *FdResources
	FsRes *FSResources
}

Process represents a process context

func NewProcess

func NewProcess(pid int) *Process

NewProcess returns a new process

func (*Process) GetFilenameFromFd

func (p *Process) GetFilenameFromFd(fd int32) (string, error)

GetFilenameFromFd returns the filename for the given fd

type ProcessCache

type ProcessCache struct {
	// contains filtered or unexported fields
}

ProcessCache defines a thread cache

func NewProcessCache

func NewProcessCache() *ProcessCache

NewProcessCache returns a new thread cache

func (*ProcessCache) Add

func (tc *ProcessCache) Add(pid int, process *Process)

Add a process

func (*ProcessCache) Get

func (tc *ProcessCache) Get(pid int) *Process

Get return the process entry for the given pid

func (*ProcessCache) GetSpan

func (tc *ProcessCache) GetSpan(tgid int) *SpanTLS

GetSpan returns the span TLS entry for the given pid

func (*ProcessCache) Remove

func (tc *ProcessCache) Remove(process *Process)

Remove a pid

func (*ProcessCache) SetSpanTLS

func (tc *ProcessCache) SetSpanTLS(tgid int, span *SpanTLS)

SetSpanTLS sets the span TLS entry for the given pid

func (*ProcessCache) UnsetSpan

func (tc *ProcessCache) UnsetSpan(tgid int)

UnsetSpan unsets the span TLS entry for the given pid

type SpanTLS

type SpanTLS struct {
	// contains filtered or unexported fields
}

SpanTLS holds the needed informations to retrieve spans on a TLS

type StringArrayIterator

type StringArrayIterator struct {
	// contains filtered or unexported fields
}

StringArrayIterator defines a string array iterator

func NewStringArrayIterator

func NewStringArrayIterator(array []string) *StringArrayIterator

NewStringArrayIterator returns a new string array iterator

func (*StringArrayIterator) Next

func (s *StringArrayIterator) Next() bool

Next returns true if there is a next element

func (*StringArrayIterator) Reset

func (s *StringArrayIterator) Reset()

Reset reset the iterator

func (*StringArrayIterator) Text

func (s *StringArrayIterator) Text() string

Text return the current element

type StringIterator

type StringIterator interface {
	Next() bool
	Text() string
	Reset()
}

StringIterator defines a string iterator

type SyscallState

type SyscallState struct {
	Entry bool
	Exec  bool
}

SyscallState defines the state of the syscall

type SyscallStateTracker

type SyscallStateTracker struct {
	// contains filtered or unexported fields
}

SyscallStateTracker defines a syscall state tracker

func NewSyscallStateTracker

func NewSyscallStateTracker() *SyscallStateTracker

NewSyscallStateTracker returns a new syscall state tracker

func (*SyscallStateTracker) Exit

func (st *SyscallStateTracker) Exit(pid int)

Exit delete the pid from the tracker

func (*SyscallStateTracker) NextStop

func (st *SyscallStateTracker) NextStop(pid int) *SyscallState

NextStop update the state for the given pid

func (*SyscallStateTracker) PeekState

func (st *SyscallStateTracker) PeekState(pid int) *SyscallState

PeekState return the state of the given pid

type TextScannerIterator

type TextScannerIterator struct {
	// contains filtered or unexported fields
}

TextScannerIterator defines a text scanner iterator

func NewTextScannerIterator

func NewTextScannerIterator(file *os.File) *TextScannerIterator

NewTextScannerIterator returns a new text scanner iterator

func (*TextScannerIterator) Next

func (t *TextScannerIterator) Next() bool

Next returns true if there is a next element

func (*TextScannerIterator) Reset

func (t *TextScannerIterator) Reset()

Reset the iterator

func (*TextScannerIterator) Text

func (t *TextScannerIterator) Text() string

Text returns the current element

type Tracer

type Tracer struct {
	PtracedSyscalls []string

	PIDs []int

	Args []string
	Envs []string
	// contains filtered or unexported fields
}

Tracer represents a tracer

func (*Tracer) GetSyscallName

func (t *Tracer) GetSyscallName(regs syscall.PtraceRegs) string

GetSyscallName returns the given syscall name

func (*Tracer) PeekString

func (t *Tracer) PeekString(pid int, ptr uint64) (string, error)

PeekString peeks and returns a string from a pid at a given addr ptr

func (*Tracer) ReadArgData

func (t *Tracer) ReadArgData(pid int, regs syscall.PtraceRegs, arg int, size uint) ([]byte, error)

ReadArgData reads the regs and returns the wanted arg as byte array

func (*Tracer) ReadArgInt32

func (t *Tracer) ReadArgInt32(regs syscall.PtraceRegs, arg int) int32

ReadArgInt32 reads the regs and returns the wanted arg as int32

func (*Tracer) ReadArgInt32Ptr

func (t *Tracer) ReadArgInt32Ptr(pid int, regs syscall.PtraceRegs, arg int) (int32, error)

ReadArgInt32Ptr reads the regs and returns the wanted arg as int32

func (*Tracer) ReadArgInt64

func (t *Tracer) ReadArgInt64(regs syscall.PtraceRegs, arg int) int64

ReadArgInt64 reads the regs and returns the wanted arg as int64

func (*Tracer) ReadArgString

func (t *Tracer) ReadArgString(pid int, regs syscall.PtraceRegs, arg int) (string, error)

ReadArgString reads the regs and returns the wanted arg as string

func (*Tracer) ReadArgStringArray

func (t *Tracer) ReadArgStringArray(pid int, regs syscall.PtraceRegs, arg int) ([]string, error)

ReadArgStringArray reads and returns the wanted arg as string array

func (*Tracer) ReadArgUint32

func (t *Tracer) ReadArgUint32(regs syscall.PtraceRegs, arg int) uint32

ReadArgUint32 reads the regs and returns the wanted arg as uint32

func (*Tracer) ReadArgUint64

func (t *Tracer) ReadArgUint64(regs syscall.PtraceRegs, arg int) uint64

ReadArgUint64 reads the regs and returns the wanted arg as uint64

func (*Tracer) ReadRet

func (t *Tracer) ReadRet(regs syscall.PtraceRegs) int64

ReadRet reads and returns the return value

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL