Overview

Package activitytree holds activitytree related files


Constants

// CookieToProcessNodeCacheSize defines the "cookie to process" node cache size
// (the capacity of ActivityTree.CookieToProcessNode — presumably; confirm in NewActivityTree).
const CookieToProcessNodeCacheSize = 128

CookieToProcessNodeCacheSize defines the "cookie to process" node cache size

// MaxMmapedFiles defines the max mmaped files.
const MaxMmapedFiles = 128

MaxMmapedFiles defines the max mmaped files

Variables

var (
	// ErrBrokenLineage is returned when the given process does not have a full lineage.
	ErrBrokenLineage = errors.New("broken lineage")
	// ErrNotValidRootNode is returned when trying to insert a process with an invalid root node.
	ErrNotValidRootNode = errors.New("root node not valid")
)

Functions

func AppendIfNotPresent

func AppendIfNotPresent(slice []string, toAdd string) ([]string, bool)

AppendIfNotPresent appends a token to a slice only if the token is not already present. The boolean result reports whether the token was added.

func ExtractFirstParent

func ExtractFirstParent(path string) (string, int)

ExtractFirstParent extracts first parent

func GetNextAncestorBinaryOrArgv0

func GetNextAncestorBinaryOrArgv0(entry *model.ProcessContext) *model.ProcessCacheEntry

GetNextAncestorBinaryOrArgv0 returns the first ancestor with a different binary, or a different argv0 in the case of busybox processes

func ProtoDecodeActivityTree

func ProtoDecodeActivityTree(dest *ActivityTree, nodes []*adproto.ProcessActivityNode)

ProtoDecodeActivityTree decodes an ActivityTree structure

func ProtoDecodeTimestamp

func ProtoDecodeTimestamp(nanos uint64) time.Time

ProtoDecodeTimestamp decodes a nanosecond representation of a timestamp

func TimestampToProto

func TimestampToProto(t *time.Time) uint64

TimestampToProto encodes a timestamp

func ToProto

ToProto encodes an activity tree to its protobuf representation

Types

type ActivityTree

// ActivityTree contains a process tree and its activities. This structure has no locks,
// so concurrent access must be synchronized by the caller.
type ActivityTree struct {
	// Stats holds the node counts of the tree (see Stats).
	Stats *Stats

	// DNSMatchMaxDepth is presumably the dnsMatchMaxDepth value handed to
	// ProcessNode.InsertDNSEvent — confirm against Insert.
	DNSMatchMaxDepth int

	// CookieToProcessNode is an LRU cache from a process cookie to its node;
	// its capacity is presumably CookieToProcessNodeCacheSize — confirm in NewActivityTree.
	CookieToProcessNode *simplelru.LRU[cookieSelector, *ProcessNode]
	// ProcessNodes are the root nodes of the tree; excluded from JSON output.
	ProcessNodes        []*ProcessNode `json:"-"`

	// top level lists used to summarize the content of the tree
	DNSNames     *utils.StringKeys
	SyscallsMask map[int]int
	// contains filtered or unexported fields
}

ActivityTree contains a process tree and its activities. This structure has no locks, so concurrent access must be synchronized by the caller.

func NewActivityTree

func NewActivityTree(validator Owner, pathsReducer *PathsReducer, treeType string) *ActivityTree

NewActivityTree returns a new ActivityTree instance

func (*ActivityTree) AppendChild

func (at *ActivityTree) AppendChild(node *ProcessNode)

AppendChild appends a new root node in the ActivityTree

func (*ActivityTree) AppendImageTag

func (at *ActivityTree) AppendImageTag(_ string)

AppendImageTag appends the given image tag

func (*ActivityTree) ComputeActivityTreeStats

func (at *ActivityTree) ComputeActivityTreeStats()

ComputeActivityTreeStats computes the initial counts of the activity tree stats

func (*ActivityTree) ComputeSyscallsList

func (at *ActivityTree) ComputeSyscallsList() []uint32

ComputeSyscallsList computes the top level list of syscalls

func (*ActivityTree) Contains

func (at *ActivityTree) Contains(event *model.Event, insertMissingProcesses bool, imageTag string, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error)

Contains looks up the event in the activity tree

func (*ActivityTree) CreateProcessNode

func (at *ActivityTree) CreateProcessNode(entry *model.ProcessCacheEntry, imageTag string, generationType NodeGenerationType, dryRun bool, resolvers *resolvers.EBPFResolvers) (*ProcessNode, bool, error)

CreateProcessNode looks up or inserts the provided entry in the tree

func (*ActivityTree) Debug

func (at *ActivityTree) Debug(w io.Writer)

Debug dumps the content of an activity tree

func (*ActivityTree) DifferentiateArgs

func (at *ActivityTree) DifferentiateArgs()

DifferentiateArgs enables the args differentiation feature

func (*ActivityTree) EvictImageTag

func (at *ActivityTree) EvictImageTag(imageTag string)

EvictImageTag will remove every trace of the given image tag from the tree

func (*ActivityTree) ExtractPaths

func (at *ActivityTree) ExtractPaths(_, fimEnabled, lineageEnabled bool) (map[string][]string, map[string][]string)

ExtractPaths returns the exec / fim, exec / parent paths

func (*ActivityTree) ExtractSyscalls

func (at *ActivityTree) ExtractSyscalls(arch string) []string

ExtractSyscalls returns the syscalls present in an activity tree

func (*ActivityTree) FindMatchingRootNodes

func (at *ActivityTree) FindMatchingRootNodes(arg0 string) []*ProcessNode

FindMatchingRootNodes finds and returns the matching root nodes

func (*ActivityTree) GetChildren

func (at *ActivityTree) GetChildren() *[]*ProcessNode

GetChildren returns the list of root ProcessNodes from the ActivityTree

func (*ActivityTree) GetParent

func (at *ActivityTree) GetParent() ProcessNodeParent

GetParent returns nil for the ActivityTree

func (*ActivityTree) GetSiblings

func (at *ActivityTree) GetSiblings() *[]*ProcessNode

GetSiblings returns the list of siblings of the current node

func (*ActivityTree) Insert

func (at *ActivityTree) Insert(event *model.Event, insertMissingProcesses bool, imageTag string, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error)

Insert inserts the event in the activity tree

func (*ActivityTree) IsEmpty

func (at *ActivityTree) IsEmpty() bool

IsEmpty returns true if the tree is empty

func (*ActivityTree) PrepareGraphData

func (at *ActivityTree) PrepareGraphData(title string, resolver *process.EBPFResolver) utils.Graph

PrepareGraphData returns a graph from the activity tree

func (*ActivityTree) ScrubProcessArgsEnvs

func (at *ActivityTree) ScrubProcessArgsEnvs(resolver *process.EBPFResolver)

ScrubProcessArgsEnvs scrubs and retains process args and envs

func (*ActivityTree) SendStats

func (at *ActivityTree) SendStats(client statsd.ClientInterface) error

SendStats sends the tree statistics

func (*ActivityTree) Snapshot

func (at *ActivityTree) Snapshot(newEvent func() *model.Event)

Snapshot uses procfs to snapshot the nodes of the tree

func (*ActivityTree) TagAllNodes

func (at *ActivityTree) TagAllNodes(imageTag string)

TagAllNodes tags all the activity tree's nodes with the given image tag

type BindNode

// BindNode is used to store a bind node.
type BindNode struct {
	// MatchedRules are the rules that matched the bind event(s) recorded in this node.
	MatchedRules []*model.MatchedRule
	// ImageTags lists the image tags this node was seen under.
	ImageTags    []string

	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType
	// Port, IP and Protocol identify the bound address; they are the fields compared by Matches.
	Port           uint16
	IP             string
	Protocol       uint16
}

BindNode is used to store a bind node

func (*BindNode) Matches

func (bn *BindNode) Matches(toMatch *BindNode) bool

Matches returns true if the two BindNodes match

type DNSNode

// DNSNode is used to store a DNS node.
type DNSNode struct {
	// MatchedRules are the rules that matched the DNS event(s) recorded in this node.
	MatchedRules []*model.MatchedRule
	// ImageTags lists the image tags this node was seen under.
	ImageTags    []string

	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType
	// Requests are the DNS events recorded for this node.
	Requests       []model.DNSEvent
}

DNSNode is used to store a DNS node

func NewDNSNode

func NewDNSNode(event *model.DNSEvent, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string) *DNSNode

NewDNSNode returns a new DNSNode instance

type FileNode

// FileNode holds a tree representation of a list of files.
type FileNode struct {
	// MatchedRules are the rules that matched the file event(s) recorded in this node.
	MatchedRules   []*model.MatchedRule
	// Name is the path component this node represents (inferred from Children being keyed by string — confirm).
	Name           string
	// ImageTags lists the image tags this node was seen under.
	ImageTags      []string
	// IsPattern reports whether Name is a reduced pattern rather than a literal name (presumably; see PathsReducer).
	IsPattern      bool
	// File is the file event that created this node.
	File           *model.FileEvent
	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType
	// FirstSeen is the time the node was first inserted.
	FirstSeen      time.Time

	// Open holds the open flags/mode recorded for this file, if any (nil otherwise — presumably; confirm).
	Open *OpenNode

	// Children are the next path components below this node, keyed by name.
	Children map[string]*FileNode
}

FileNode holds a tree representation of a list of files

func NewFileNode

func NewFileNode(fileEvent *model.FileEvent, event *model.Event, name string, imageTag string, generationType NodeGenerationType, reducedFilePath string, resolvers *resolvers.EBPFResolvers) *FileNode

NewFileNode returns a new FileNode instance

func (*FileNode) InsertFileEvent

func (fn *FileNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, remainingPath string, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducedPath string, resolvers *resolvers.EBPFResolvers) bool

InsertFileEvent inserts an event in a FileNode. This function returns true if a new entry was added, false if the event was dropped.

type IMDSNode

// IMDSNode is used to store an IMDS node.
type IMDSNode struct {
	// MatchedRules are the rules that matched the IMDS event recorded in this node.
	MatchedRules   []*model.MatchedRule
	// ImageTags lists the image tags this node was seen under.
	ImageTags      []string
	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType

	// Event is the IMDS event stored by value; ProcessNode.IMDSEvents is keyed by this same type.
	Event model.IMDSEvent
}

IMDSNode is used to store an IMDS node

func NewIMDSNode

func NewIMDSNode(event *model.IMDSEvent, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string) *IMDSNode

NewIMDSNode returns a new IMDSNode instance

type NodeDroppedReason

// NodeDroppedReason is used to list the reasons to drop a node.
type NodeDroppedReason byte

NodeDroppedReason is used to list the reasons to drop a node

func (NodeDroppedReason) String

func (reason NodeDroppedReason) String() string

func (NodeDroppedReason) Tag

func (reason NodeDroppedReason) Tag() string

Tag returns the metric tag associated with this dropped reason, it's basically fmt.Sprintf("reason:%s", reason)

type NodeGenerationType

// NodeGenerationType is used to indicate whether a node was generated by a runtime or snapshot event.
// IMPORTANT: IT MUST STAY IN SYNC WITH `adproto.GenerationType`.
type NodeGenerationType byte

NodeGenerationType is used to indicate whether a node was generated by a runtime or snapshot event. IMPORTANT: IT MUST STAY IN SYNC WITH `adproto.GenerationType`

// The values below must stay in sync with adproto.GenerationType (see NodeGenerationType).
const (
	// Unknown is a node that was added at an unknown time
	Unknown NodeGenerationType = 0
	// Runtime is a node that was added at runtime
	Runtime NodeGenerationType = 1
	// Snapshot is a node that was added during the snapshot
	Snapshot NodeGenerationType = 2
	// ProfileDrift is a node that was added because of a drift from a security profile
	ProfileDrift NodeGenerationType = 3
	// WorkloadWarmup is a node that was added because of a drift in a warming up profile
	WorkloadWarmup NodeGenerationType = 4
	// MaxNodeGenerationType is the maximum node type; it intentionally equals the last value above
	MaxNodeGenerationType NodeGenerationType = 4
)

func (NodeGenerationType) String

func (genType NodeGenerationType) String() string

func (NodeGenerationType) Tag

func (genType NodeGenerationType) Tag() string

Tag returns the metric tag associated with this generation type, it's basically fmt.Sprintf("generation_type:%s", genType)

type OpenNode

// OpenNode contains the relevant fields of an Open event on which we might want to write a profiling rule.
type OpenNode struct {
	model.SyscallEvent
	// Flags and Mode are the flags and mode of the open event.
	Flags uint32
	Mode  uint32
}

OpenNode contains the relevant fields of an Open event on which we might want to write a profiling rule

type Owner

// Owner is used to communicate with the owner of the activity tree.
type Owner interface {
	// MatchesSelector reports whether the given process entry belongs to the owner.
	MatchesSelector(entry *model.ProcessCacheEntry) bool
	// IsEventTypeValid reports whether the owner accepts events of the given type.
	IsEventTypeValid(evtType model.EventType) bool
	// NewProcessNodeCallback is invoked when a new ProcessNode is created in the tree.
	NewProcessNodeCallback(p *ProcessNode)
}

Owner is used to communicate with the owner of the activity tree

type PathsReducer

// PathsReducer is used to reduce the paths in an activity tree according to predefined heuristics.
// Construct it with NewPathsReducer.
type PathsReducer struct {
	// contains filtered or unexported fields
}

PathsReducer is used to reduce the paths in an activity tree according to predefined heuristics

func NewPathsReducer

func NewPathsReducer() *PathsReducer

NewPathsReducer returns a new PathsReducer

func (*PathsReducer) ReducePath

func (r *PathsReducer) ReducePath(path string, fileEvent *model.FileEvent, node *ProcessNode) string

ReducePath reduces a path according to the predefined heuristics

type PatternReducer

// PatternReducer is used to reduce the paths in an activity tree according to a given pattern.
type PatternReducer struct {
	// Pattern is the compiled expression applied to the path.
	Pattern  *regexp.Regexp
	// Hint is a human-readable label for the reducer — presumably; confirm its use.
	Hint     string
	// PreCheck, when set, is presumably consulted before applying Pattern — confirm.
	PreCheck func(fileEvent *model.FileEvent) bool
	// Callback is run with the (unexported) callback context when the pattern applies.
	Callback func(ctx *callbackContext)
}

PatternReducer is used to reduce the paths in an activity tree according to a given pattern

type ProcessNode

// ProcessNode holds the activity of a process.
type ProcessNode struct {
	// Process is the process this node describes.
	Process        model.Process
	// Parent is either another ProcessNode or the ActivityTree itself (both implement ProcessNodeParent).
	Parent         ProcessNodeParent
	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType
	// ImageTags lists the image tags this node was seen under.
	ImageTags      []string
	// MatchedRules are the rules that matched this process.
	MatchedRules   []*model.MatchedRule

	// Files is the file activity tree, keyed by string (presumably a path component — confirm).
	Files      map[string]*FileNode
	// DNSNames is the DNS activity, keyed by string (presumably the queried name — confirm).
	DNSNames   map[string]*DNSNode
	// IMDSEvents is the IMDS activity, keyed by the event value itself.
	IMDSEvents map[model.IMDSEvent]*IMDSNode

	// Sockets, Syscalls and Children hold the socket activity, syscall activity and child processes.
	Sockets  []*SocketNode
	Syscalls []*SyscallNode
	Children []*ProcessNode
}

ProcessNode holds the activity of a process

func NewProcessNode

func NewProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) *ProcessNode

NewProcessNode returns a new ProcessNode instance

func (*ProcessNode) AppendChild

func (pn *ProcessNode) AppendChild(node *ProcessNode)

AppendChild appends a new root node in the ActivityTree (note: documented identically for ProcessNode; the receiver here is a ProcessNode)

func (*ProcessNode) AppendImageTag

func (pn *ProcessNode) AppendImageTag(imageTag string)

AppendImageTag appends the given image tag to the list

func (*ProcessNode) EvictImageTag

func (pn *ProcessNode) EvictImageTag(imageTag string, DNSNames *utils.StringKeys, SyscallsMask map[int]int) bool

EvictImageTag will remove every trace of this image tag and recompute the list of DNS names and syscalls; it returns true if the process node should also be removed

func (*ProcessNode) GetChildren

func (pn *ProcessNode) GetChildren() *[]*ProcessNode

GetChildren returns the list of children from the ProcessNode

func (*ProcessNode) GetParent

func (pn *ProcessNode) GetParent() ProcessNodeParent

GetParent returns nil for the ActivityTree

func (*ProcessNode) GetSiblings

func (pn *ProcessNode) GetSiblings() *[]*ProcessNode

GetSiblings returns the list of siblings of the current node

func (*ProcessNode) InsertBindEvent

func (pn *ProcessNode) InsertBindEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertBindEvent inserts a bind event in a process node

func (*ProcessNode) InsertDNSEvent

func (pn *ProcessNode) InsertDNSEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, DNSNames *utils.StringKeys, dryRun bool, dnsMatchMaxDepth int) bool

InsertDNSEvent inserts a DNS event in a process node

func (*ProcessNode) InsertFileEvent

func (pn *ProcessNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducer *PathsReducer, resolvers *resolvers.EBPFResolvers) bool

InsertFileEvent inserts the provided file event in the current node. This function returns true if a new entry was added, false if the event was dropped.

func (*ProcessNode) InsertIMDSEvent

func (pn *ProcessNode) InsertIMDSEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertIMDSEvent inserts an IMDS event in a process node

func (*ProcessNode) InsertSyscalls

func (pn *ProcessNode) InsertSyscalls(e *model.Event, imageTag string, syscallMask map[int]int, stats *Stats, dryRun bool) bool

InsertSyscalls inserts the syscall of the process in the dump

func (*ProcessNode) Matches

func (pn *ProcessNode) Matches(entry *model.Process, matchArgs bool, normalize bool) bool

Matches returns true if the process fields used to generate the dump are identical to those of the provided model.Process

func (*ProcessNode) TagAllNodes

func (pn *ProcessNode) TagAllNodes(imageTag string)

TagAllNodes tags this process, its files/dns/socks and children with the given image tag

type ProcessNodeParent

// ProcessNodeParent is an interface used to identify the parent of a process node.
// Both *ActivityTree and *ProcessNode implement it.
type ProcessNodeParent interface {
	// GetParent returns the parent, or nil at the root (the ActivityTree).
	GetParent() ProcessNodeParent
	// GetChildren returns a pointer to the child list so callers can modify it in place.
	GetChildren() *[]*ProcessNode
	// GetSiblings returns a pointer to the sibling list of the current node.
	GetSiblings() *[]*ProcessNode
	// AppendChild appends a node to the children.
	AppendChild(node *ProcessNode)
	// AppendImageTag appends the given image tag.
	AppendImageTag(imageTag string)
}

ProcessNodeParent is an interface used to identify the parent of a process node

type SocketNode

// SocketNode is used to store a Socket node and associated events.
type SocketNode struct {
	// Family is the socket family (see NewSocketNode).
	Family         string
	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType
	// Bind holds the bind events recorded for this socket.
	Bind           []*BindNode
}

SocketNode is used to store a Socket node and associated events

func NewSocketNode

func NewSocketNode(family string, generationType NodeGenerationType) *SocketNode

NewSocketNode returns a new SocketNode instance

func (*SocketNode) InsertBindEvent

func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, imageTag string, generationType NodeGenerationType, rules []*model.MatchedRule, dryRun bool) bool

InsertBindEvent inserts a bind event inside a socket node

func (*SocketNode) Matches

func (sn *SocketNode) Matches(toMatch *SocketNode) bool

Matches returns true if the two SocketNodes match

type Stats

// Stats represents the node counts in an activity dump.
// Each exported field counts nodes of the corresponding kind.
type Stats struct {
	ProcessNodes int64
	FileNodes    int64
	DNSNodes     int64
	SocketNodes  int64
	IMDSNodes    int64
	SyscallNodes int64
	// contains filtered or unexported fields
}

Stats represents the node counts in an activity dump

func NewActivityTreeNodeStats

func NewActivityTreeNodeStats() *Stats

NewActivityTreeNodeStats returns a new activity tree stats

func (*Stats) ApproximateSize

func (stats *Stats) ApproximateSize() int64

ApproximateSize returns an approximation of the size of the tree

func (*Stats) SendStats

func (stats *Stats) SendStats(client statsd.ClientInterface, treeType string) error

SendStats sends metrics to Datadog

type SyscallNode

// SyscallNode is used to store a syscall node.
type SyscallNode struct {
	// ImageTags lists the image tags this node was seen under.
	ImageTags      []string
	// GenerationType records how the node was generated (runtime, snapshot, ...); see NodeGenerationType.
	GenerationType NodeGenerationType

	// Syscall is the syscall number.
	Syscall int
}

SyscallNode is used to store a syscall node

func NewSyscallNode

func NewSyscallNode(syscall int, imageTag string, generationType NodeGenerationType) *SyscallNode

NewSyscallNode returns a new SyscallNode instance

Directories

Path Synopsis
Package metadata holds metadata related files
