Documentation
Overview
Package probes holds probes related files
Index
- Constants
- Variables
- func AllBPFProbeWriteUserProgramFunctions() []string
- func AllMapSpecEditors(numCPU int, opts MapSpecEditorOpts) map[string]manager.MapSpecEditor
- func AllMaps() []*manager.Map
- func AllPerfMaps() []*manager.PerfMap
- func AllProbes(fentry bool) []*manager.Probe
- func AllRingBuffers() []*manager.RingBuffer
- func AllTailRoutes(eRPCDentryResolutionEnabled, networkEnabled, rawPacketEnabled, ... bool) []manager.TailCallRoute
- func ExpandSyscallProbes(probe *manager.Probe, fentry bool, flag int, compat ...bool) []*manager.Probe
- func ExpandSyscallProbesSelector(UID string, section string, fentry bool, flag int, compat ...bool) []manager.ProbesSelector
- func GetAllTCProgramFunctions() []string
- func GetOnDemandProbes() []*manager.Probe
- func GetOnDemandRegularProbe() *manager.Probe
- func GetOnDemandSyscallProbe() *manager.Probe
- func GetPerfBufferStatisticsMaps() map[string]string
- func GetRawPacketTCProgramFunctions() []string
- func GetRingBufferStatisticsMaps() map[string]string
- func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSelector
- func GetSyscallFnName(name string) string
- func GetTCProbes(withNetworkIngress bool, withRawPacket bool) []*manager.Probe
- func NetworkNFNatSelectors() []manager.ProbesSelector
- func NetworkSelectors() []manager.ProbesSelector
- func NetworkVethSelectors() []manager.ProbesSelector
- func ShouldUseModuleLoadTracepoint() bool
- func ShouldUseSyscallExitTracepoints() bool
- func SnapshotSelectors() []manager.ProbesSelector
- type MapSpecEditorOpts
Constants

const (
	// DentryResolverKernKey is the key to the kernel dentry resolver tail call program
	DentryResolverKernKey uint32 = iota
	// ActivityDumpFilterKey is the key to the kernel activity dump filter tail call program
	ActivityDumpFilterKey
	// DentryResolverKernInputs is the key to the kernel dentry segment resolver tail call program without full syscall context
	DentryResolverKernInputs
	// DentryResolverERPCKey is the key to the eRPC dentry resolver tail call program
	DentryResolverERPCKey
	// DentryResolverParentERPCKey is the key to the eRPC dentry parent resolver tail call program
	DentryResolverParentERPCKey
	// DentryResolverSegmentERPCKey is the key to the eRPC dentry segment resolver tail call program
	DentryResolverSegmentERPCKey
)

const (
	// DentryResolverOpenCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an open event
	DentryResolverOpenCallbackKprobeKey uint32 = iota + 1
	// DentryResolverSetAttrCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a setattr event
	DentryResolverSetAttrCallbackKprobeKey
	// DentryResolverMkdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a mkdir event
	DentryResolverMkdirCallbackKprobeKey
	// DentryResolverMountStageOneCallbackKprobeKey is the key to the callback program to execute after resolving the root dentry of a new mount
	DentryResolverMountStageOneCallbackKprobeKey
	// DentryResolverMountStageTwoCallbackKprobeKey is the key to the callback program to execute after resolving the mountpoint dentry of a new mount
	DentryResolverMountStageTwoCallbackKprobeKey
	// DentryResolverSecurityInodeRmdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an rmdir or unlink event
	DentryResolverSecurityInodeRmdirCallbackKprobeKey
	// DentryResolverSetXAttrCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a setxattr event
	DentryResolverSetXAttrCallbackKprobeKey
	// DentryResolverUnlinkCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an unlink event
	DentryResolverUnlinkCallbackKprobeKey
	// DentryResolverLinkSrcCallbackKprobeKey is the key to the callback program to execute after resolving the source dentry of a link event
	DentryResolverLinkSrcCallbackKprobeKey
	// DentryResolverLinkDstCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a link event
	DentryResolverLinkDstCallbackKprobeKey
	// DentryResolverRenameCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a rename event
	DentryResolverRenameCallbackKprobeKey
	// DentryResolverSELinuxCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a selinux event
	DentryResolverSELinuxCallbackKprobeKey
	// DentryResolverChdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a chdir event
	DentryResolverChdirCallbackKprobeKey
	// DentryResolverCGroupWriteCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a newly created cgroup
	DentryResolverCGroupWriteCallbackKprobeKey
)

const (
	// DentryResolverOpenCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of an open event
	DentryResolverOpenCallbackTracepointKey uint32 = iota + 1
	// DentryResolverMkdirCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of a mkdir event
	DentryResolverMkdirCallbackTracepointKey
	// DentryResolverMountStageOneCallbackTracepointKey is the key to the callback program to execute after resolving the root dentry of a new mount
	DentryResolverMountStageOneCallbackTracepointKey
	// DentryResolverMountStageTwoCallbackTracepointKey is the key to the callback program to execute after resolving the mountpoint dentry of a new mount
	DentryResolverMountStageTwoCallbackTracepointKey
	// DentryResolverLinkDstCallbackTracepointKey is the key to the callback program to execute after resolving the destination dentry of a link event
	DentryResolverLinkDstCallbackTracepointKey
	// DentryResolverRenameCallbackTracepointKey is the key to the callback program to execute after resolving the destination dentry of a rename event
	DentryResolverRenameCallbackTracepointKey
	// DentryResolverChdirCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of a chdir event
	DentryResolverChdirCallbackTracepointKey
	// DentryResolverCGroupWriteCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of a newly created cgroup
	DentryResolverCGroupWriteCallbackTracepointKey
)

const (
	// TCDNSRequestKey is the key to the DNS request program
	TCDNSRequestKey uint32 = iota + 1
	// TCDNSRequestParserKey is the key to the DNS request parser program
	TCDNSRequestParserKey
	// TCIMDSRequestParserKey is the key to the IMDS request program
	TCIMDSRequestParserKey
)

const (
	// TCRawPacketFilterKey is the key to the raw packet filter program
	// reserve 5 tail calls for the filtering
	TCRawPacketFilterKey uint32 = iota
	// TCRawPacketParserSenderKey is the key to the raw packet sender program
	TCRawPacketParserSenderKey = TCRawPacketFilterKey + RawPacketFilterMaxTailCall // reserved key for filter tail calls
)

const (
	// ExecGetEnvsOffsetKey is the key to the program that computes the environment variables offset
	ExecGetEnvsOffsetKey uint32 = iota
	// ExecParseArgsEnvsSplitKey is the key to the program that splits the parsing of arguments and environment variables between tailcalls
	ExecParseArgsEnvsSplitKey
	// ExecParseArgsEnvsKey is the key to the program that parses arguments and then environment variables
	ExecParseArgsEnvsKey
)

const (
	// Entry indicates that the entry kprobe should be expanded
	Entry = 1 << 0
	// Exit indicates that the exit kretprobe should be expanded
	Exit = 1 << 1
	// ExpandTime32 indicates that the _time32 suffix should be added to the provided probe if needed
	ExpandTime32 = 1 << 2
	// EntryAndExit indicates that both the entry kprobe and exit kretprobe should be expanded
	EntryAndExit = Entry | Exit
)
const (
// RawPacketFilterMaxTailCall defines the maximum of tail calls
RawPacketFilterMaxTailCall = 5
)
const (
// SecurityAgentUID is the UID used for all the runtime security module probes
SecurityAgentUID = "security"
)
Variables

var (
	// EventsPerfRingBufferSize is the buffer size of the perf buffers used for events.
	// PLEASE NOTE: for the perf ring buffer usage metrics to be accurate, the provided value must have the
	// following form: (1 + 2^n) * pages. Checkout https://github.com/DataDog/ebpf for more.
	EventsPerfRingBufferSize = 256 * os.Getpagesize()
)

var RawPacketTCProgram = []string{
	"classifier_raw_packet_egress",
	"classifier_raw_packet_ingress",
}

RawPacketTCProgram is the list of raw packet TC classifier sections

var RuntimeArch string

RuntimeArch holds the CPU architecture of the running machine

var SyscallMonitorSelectors = []manager.ProbesSelector{
	&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFFuncName: "sys_enter"}},
}

SyscallMonitorSelectors is the list of probes that should be activated for the syscall monitor feature
Functions
func AllBPFProbeWriteUserProgramFunctions
func AllBPFProbeWriteUserProgramFunctions() []string
AllBPFProbeWriteUserProgramFunctions returns the list of program functions that use the bpf_probe_write_user helper
func AllMapSpecEditors
func AllMapSpecEditors(numCPU int, opts MapSpecEditorOpts) map[string]manager.MapSpecEditor
AllMapSpecEditors returns the list of map editors
func AllPerfMaps
func AllPerfMaps() []*manager.PerfMap
AllPerfMaps returns the list of perf maps of the runtime security module
func AllRingBuffers
func AllRingBuffers() []*manager.RingBuffer
AllRingBuffers returns the list of ring buffers of the runtime security module
func AllTailRoutes
func AllTailRoutes(eRPCDentryResolutionEnabled, networkEnabled, rawPacketEnabled, supportMmapableMaps bool) []manager.TailCallRoute
AllTailRoutes returns the list of all the tail call routes
func ExpandSyscallProbes
func ExpandSyscallProbes(probe *manager.Probe, fentry bool, flag int, compat ...bool) []*manager.Probe
ExpandSyscallProbes returns the list of available hook probes for the syscall function name of the provided probe
func ExpandSyscallProbesSelector
func ExpandSyscallProbesSelector(UID string, section string, fentry bool, flag int, compat ...bool) []manager.ProbesSelector
ExpandSyscallProbesSelector returns the list of ProbesSelectors required to query all the probes available for a syscall
func GetAllTCProgramFunctions
func GetAllTCProgramFunctions() []string
GetAllTCProgramFunctions returns the list of TC classifier sections
func GetOnDemandProbes
func GetOnDemandProbes() []*manager.Probe
GetOnDemandProbes returns all the on-demand probes
func GetOnDemandRegularProbe
func GetOnDemandRegularProbe() *manager.Probe
GetOnDemandRegularProbe returns the on-demand probe used for regular (non-syscall) function hooking
func GetOnDemandSyscallProbe
func GetOnDemandSyscallProbe() *manager.Probe
GetOnDemandSyscallProbe returns the on-demand probe used for syscall function hooking
func GetPerfBufferStatisticsMaps
func GetPerfBufferStatisticsMaps() map[string]string
GetPerfBufferStatisticsMaps returns the list of maps used to monitor the performance of each perf buffer
func GetRawPacketTCProgramFunctions
func GetRawPacketTCProgramFunctions() []string
GetRawPacketTCProgramFunctions returns the raw packet functions
func GetRingBufferStatisticsMaps
func GetRingBufferStatisticsMaps() map[string]string
GetRingBufferStatisticsMaps returns the list of maps used to monitor the performance of each ring buffer
func GetSelectorsPerEventType
func GetSelectorsPerEventType(fentry bool) map[eval.EventType][]manager.ProbesSelector
GetSelectorsPerEventType returns the list of probes that should be activated for each event type
func GetSyscallFnName
func GetSyscallFnName(name string) string
GetSyscallFnName returns the hook point for the provided syscall name
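The ExpandSyscallProbes flags (Entry, Exit, ExpandTime32, EntryAndExit) and GetSyscallFnName together decide which kernel symbols a syscall hook ends up attached to, and a syscall whose entry probe lands but whose exit probe does not yields events with no return value, so a denied call looks identical to a successful one. The following is an added example, not code from the datadog-agent probes package: it models that expansion with a constructed Hook type, a hypothetical prefix rule (arch-wrapped `__x64_sys_`/`__arm64_sys_` symbols versus plain `sys_` ones, which the real package detects from the running kernel) and a constructed allow-list standing in for the package's "if needed" _time32 check, then reports entry hooks that lack an exit counterpart.

```go
package main

import (
	"fmt"
	"sort"
)

// Expansion flags, mirroring the constants documented for ExpandSyscallProbes.
const (
	Entry        = 1 << 0 // expand the entry hook
	Exit         = 1 << 1 // expand the exit (return) hook
	ExpandTime32 = 1 << 2 // also emit the _time32 variant when one exists
	EntryAndExit = Entry | Exit
)

// Hook is a constructed description of one program to attach: its section
// type and the kernel symbol it targets. It stands in for manager.Probe here.
type Hook struct {
	Section string // "kprobe", "kretprobe", "fentry" or "fexit"
	Symbol  string
}

// syscallPrefix is an ASSUMPTION for this example: kernels that wrap syscalls
// in arch stubs expose __x64_sys_<name> / __arm64_sys_<name>, older kernels
// expose sys_<name>. The real package derives the hook point at runtime.
func syscallPrefix(arch string, archWrappers bool) string {
	if !archWrappers {
		return "sys_"
	}
	switch arch {
	case "x86_64":
		return "__x64_sys_"
	case "arm64":
		return "__arm64_sys_"
	default:
		return "sys_"
	}
}

// time32Variants is a constructed allow-list: only these names get a
// _time32 twin in this example when ExpandTime32 is set.
var time32Variants = map[string]bool{"utimes": true, "futimesat": true}

// ExpandSyscall returns the hooks to attach for one syscall under the given
// flags. With fentry=true it emits fentry/fexit programs instead of
// kprobe/kretprobe ones.
func ExpandSyscall(name, arch string, archWrappers, fentry bool, flag int) []Hook {
	names := []string{name}
	if flag&ExpandTime32 != 0 && time32Variants[name] {
		names = append(names, name+"_time32")
	}
	entrySection, exitSection := "kprobe", "kretprobe"
	if fentry {
		entrySection, exitSection = "fentry", "fexit"
	}
	var hooks []Hook
	for _, n := range names {
		sym := syscallPrefix(arch, archWrappers) + n
		if flag&Entry != 0 {
			hooks = append(hooks, Hook{Section: entrySection, Symbol: sym})
		}
		if flag&Exit != 0 {
			hooks = append(hooks, Hook{Section: exitSection, Symbol: sym})
		}
	}
	return hooks
}

// MissingExit lists symbols that got an entry hook but no exit hook: events
// from them carry no return value, so failed calls cannot be told apart from
// successful ones. The result is sorted for stable output.
func MissingExit(hooks []Hook) []string {
	entries := map[string]bool{}
	exits := map[string]bool{}
	for _, h := range hooks {
		switch h.Section {
		case "kprobe", "fentry":
			entries[h.Symbol] = true
		case "kretprobe", "fexit":
			exits[h.Symbol] = true
		}
	}
	var missing []string
	for sym := range entries {
		if !exits[sym] {
			missing = append(missing, sym)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	for _, h := range ExpandSyscall("open", "x86_64", true, false, EntryAndExit) {
		fmt.Printf("%-9s %s\n", h.Section, h.Symbol)
	}
	old := ExpandSyscall("utimes", "x86_64", false, false, Entry|ExpandTime32)
	fmt.Println("entry-only hooks without an exit counterpart:", MissingExit(old))
}
```

Running it prints the kprobe/kretprobe pair for `__x64_sys_open` and then flags both `sys_utimes` and `sys_utimes_time32` as entry-only, which is the coverage gap a practitioner would check for after choosing expansion flags.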
func GetTCProbes
func GetTCProbes(withNetworkIngress bool, withRawPacket bool) []*manager.Probe
GetTCProbes returns the list of TC probes
func NetworkNFNatSelectors
func NetworkNFNatSelectors() []manager.ProbesSelector
NetworkNFNatSelectors is the list of probes that should be activated if the `nf_nat` module is loaded
func NetworkSelectors
func NetworkSelectors() []manager.ProbesSelector
NetworkSelectors is the list of probes that should be activated when the network is enabled
func NetworkVethSelectors
func NetworkVethSelectors() []manager.ProbesSelector
NetworkVethSelectors is the list of probes that should be activated if the `veth` module is loaded
func ShouldUseModuleLoadTracepoint
func ShouldUseModuleLoadTracepoint() bool
ShouldUseModuleLoadTracepoint returns true if we should use the module load tracepoint
func ShouldUseSyscallExitTracepoints
func ShouldUseSyscallExitTracepoints() bool
ShouldUseSyscallExitTracepoints returns true if the kernel version is old and we need to use tracepoints to handle syscall exits instead of kretprobes
func SnapshotSelectors
func SnapshotSelectors() []manager.ProbesSelector
SnapshotSelectors returns the selectors required during the snapshot
Types
Source Files
- accept.go
- all.go
- attr.go
- bind.go
- bpf.go
- builder.go
- chdir.go
- connect.go
- const.go
- dentry.go
- event_types.go
- exec.go
- flow.go
- ioctl.go
- iouring.go
- link.go
- mkdir.go
- mmap.go
- module.go
- mount.go
- mprotect.go
- net_device.go
- ondemand.go
- open.go
- ptrace.go
- raw_packet.go
- raw_sys_exit.go
- rename.go
- rmdir.go
- selinux.go
- shared.go
- signal.go
- splice.go
- syscall_helpers.go
- syscall_monitor.go
- tc.go
- unlink.go
- xattr.go