- Constants
- Variables
- func AllBPFProbeWriteUserSections() []string
- func AllMapSpecEditors(numCPU int) map[string]manager.MapSpecEditor
- func AllMaps() []*manager.Map
- func AllPerfMaps() []*manager.PerfMap
- func AllProbes() []*manager.Probe
- func AllTailRoutes(ERPCDentryResolutionEnabled bool) []manager.TailCallRoute
- func ExpandSyscallProbes(probe *manager.Probe, flag int, compat ...bool) []*manager.Probe
- func ExpandSyscallProbesSelector(id manager.ProbeIdentificationPair, flag int, compat ...bool) []manager.ProbesSelector
- func GetPerfBufferStatisticsMaps() map[string]string
- func ShouldUseSyscallExitTracepoints() bool
Constants ¶
// Tail call keys of the dentry resolver programs, numbered from 0 (iota).
// The eRPC keys are only routed when eRPC dentry resolution is enabled (see AllTailRoutes);
// the tracepoint-side resolver has its own key space (DentryResolverKernTracepointKey).
const (
	// DentryResolverERPCKey is the key to the eRPC dentry resolver tail call program
	DentryResolverERPCKey uint32 = iota
	// DentryResolverParentERPCKey is the key to the eRPC dentry parent resolver tail call program
	DentryResolverParentERPCKey
	// DentryResolverSegmentERPCKey is the key to the eRPC dentry segment resolver tail call program
	DentryResolverSegmentERPCKey
	// DentryResolverKernKprobeKey is the key to the kernel dentry resolver tail call program
	DentryResolverKernKprobeKey
)
// Callback keys for the kprobe dentry resolver: the program tail called once the dentry of an
// event has been resolved. Values start at 1 (iota + 1), so the zero value never selects a
// callback — presumably reserved to mean "no callback"; confirm against the eBPF side.
const (
	// DentryResolverOpenCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an open event
	DentryResolverOpenCallbackKprobeKey uint32 = iota + 1
	// DentryResolverSetAttrCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a setattr event
	DentryResolverSetAttrCallbackKprobeKey
	// DentryResolverMkdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a mkdir event
	DentryResolverMkdirCallbackKprobeKey
	// DentryResolverMountCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a mount event
	DentryResolverMountCallbackKprobeKey
	// DentryResolverSecurityInodeRmdirCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an rmdir or unlink event
	DentryResolverSecurityInodeRmdirCallbackKprobeKey
	// DentryResolverSetXAttrCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of a setxattr event
	DentryResolverSetXAttrCallbackKprobeKey
	// DentryResolverUnlinkCallbackKprobeKey is the key to the callback program to execute after resolving the dentry of an unlink event
	DentryResolverUnlinkCallbackKprobeKey
	// DentryResolverLinkSrcCallbackKprobeKey is the key to the callback program to execute after resolving the source dentry of a link event
	DentryResolverLinkSrcCallbackKprobeKey
	// DentryResolverLinkDstCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a link event
	DentryResolverLinkDstCallbackKprobeKey
	// DentryResolverRenameCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a rename event
	DentryResolverRenameCallbackKprobeKey
	// DentryResolverSELinuxCallbackKprobeKey is the key to the callback program to execute after resolving the destination dentry of a selinux event
	DentryResolverSELinuxCallbackKprobeKey
)
// Callback keys for the tracepoint dentry resolver (the counterpart of the *KprobeKey constants).
// Only a subset of the event types has a tracepoint callback. Values start at 1 (iota + 1), so the
// zero value never selects a callback — presumably reserved to mean "no callback"; confirm.
const (
	// DentryResolverOpenCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of an open event
	DentryResolverOpenCallbackTracepointKey uint32 = iota + 1
	// DentryResolverMkdirCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of a mkdir event
	DentryResolverMkdirCallbackTracepointKey
	// DentryResolverMountCallbackTracepointKey is the key to the callback program to execute after resolving the dentry of a mount event
	DentryResolverMountCallbackTracepointKey
	// DentryResolverLinkDstCallbackTracepointKey is the key to the callback program to execute after resolving the destination dentry of a link event
	DentryResolverLinkDstCallbackTracepointKey
	// DentryResolverRenameCallbackTracepointKey is the key to the callback program to execute after resolving the destination dentry of a rename event
	DentryResolverRenameCallbackTracepointKey
)
// Bit flags accepted by ExpandSyscallProbes and ExpandSyscallProbesSelector. They are OR-ed
// together (e.g. EntryAndExit|ExpandTime32); the compat variants are requested through the
// separate variadic compat argument, not through a flag.
const (
	// Entry indicates that the entry kprobe should be expanded
	Entry = 1 << 0
	// Exit indicates that the exit kretprobe should be expanded
	Exit = 1 << 1
	// ExpandTime32 indicates that the _time32 suffix should be added to the provided probe if needed
	ExpandTime32 = 1 << 2
	// EntryAndExit indicates that both the entry kprobe and exit kretprobe should be expanded
	EntryAndExit = Entry | Exit
)
// Tail call key of the tracepoint dentry resolver. It starts at 0 like DentryResolverERPCKey
// but lives in a separate const block, i.e. presumably a separate tail call map — confirm.
const (
	// DentryResolverKernTracepointKey is the key to the kernel dentry resolver tail call program
	DentryResolverKernTracepointKey uint32 = iota
)
const (
	// SecurityAgentUID is the UID used for all the runtime security module probes.
	// It is the manager.ProbeIdentificationPair.UID string that tags every probe declared
	// in this package (see SelectorsPerEventType) — a probe identifier, not a Unix user ID.
	SecurityAgentUID = "security"
)
Variables ¶
// SelectorsPerEventType maps each event type to the probe selectors that must be attached to
// handle it. The "*" entry presumably holds the probes required whatever event types are enabled.
//
// NOTE(review): selectors are grouped as manager.AllOf, manager.OneOf or manager.BestEffort.
// The credential-change syscalls (setuid/setgid families, capset) and execveat are BestEffort,
// so a kernel on which those probes fail to attach presumably still passes selection — check
// which probes actually attached at runtime before relying on them for detection.
var SelectorsPerEventType = map[eval.EventType][]manager.ProbesSelector{
	"*": {
		// Process lifecycle, exec and credential hooks.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "tracepoint/raw_syscalls/sys_exit", EBPFFuncName: "sys_exit"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "tracepoint/sched/sched_process_fork", EBPFFuncName: "sched_process_fork"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/do_exit", EBPFFuncName: "kprobe_do_exit"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_bprm_committed_creds", EBPFFuncName: "kprobe_security_bprm_committed_creds"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/exit_itimers", EBPFFuncName: "kprobe_exit_itimers"}},
			// Exec-path hooks whose names vary across kernel versions; none of them is mandatory.
			&manager.BestEffort{Selectors: []manager.ProbesSelector{
				&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/prepare_binprm", EBPFFuncName: "kprobe_prepare_binprm"}},
				&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/bprm_execve", EBPFFuncName: "kprobe_bprm_execve"}},
				&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_bprm_check", EBPFFuncName: "kprobe_security_bprm_check"}},
			}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_open", EBPFFuncName: "kprobe_vfs_open"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/do_dentry_open", EBPFFuncName: "kprobe_do_dentry_open"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/commit_creds", EBPFFuncName: "kprobe_commit_creds"}},
		}},
		// cgroup v2 / v1 membership writes: one of the two symbols exists on a given kernel.
		&manager.OneOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/cgroup_procs_write", EBPFFuncName: "kprobe_cgroup_procs_write"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/cgroup1_procs_write", EBPFFuncName: "kprobe_cgroup1_procs_write"}},
		}},
		// The fork entry point was renamed across kernel versions (_do_fork -> do_fork -> kernel_clone).
		&manager.OneOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/_do_fork", EBPFFuncName: "kprobe__do_fork"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/do_fork", EBPFFuncName: "kprobe_do_fork"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/kernel_clone", EBPFFuncName: "kprobe_kernel_clone"}},
		}},
		&manager.OneOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/cgroup_tasks_write", EBPFFuncName: "kprobe_cgroup_tasks_write"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/cgroup1_tasks_write", EBPFFuncName: "kprobe_cgroup1_tasks_write"}},
		}},
		// execve is required; execveat is best effort.
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "execve"},
			Entry),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "execveat"},
			Entry),
		},
		// Credential-change syscalls (including the legacy 16-bit uid/gid variants) and capset.
		// All are BestEffort: none of them is required for the event type to be selected.
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setuid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setuid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setgid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setgid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "seteuid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "seteuid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setegid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setegid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setfsuid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setfsuid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setfsgid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setfsgid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setreuid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setreuid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setregid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setregid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setresuid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setresuid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setresgid"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setresgid16"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "capset"},
			EntryAndExit),
		},
		// open / truncate family. The trailing `true` requests the compat syscall variants too.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_truncate", EBPFFuncName: "kprobe_vfs_truncate"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "open"},
			EntryAndExit, true),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "creat"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "truncate"},
			EntryAndExit, true),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "openat"},
			EntryAndExit, true),
		},
		// openat2, open_by_handle_at and the io_uring open path do not exist on every kernel.
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "openat2"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "open_by_handle_at"},
			EntryAndExit, true),
		},
		&manager.BestEffort{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/io_openat2", EBPFFuncName: "kprobe_io_openat2"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kretprobe/io_openat2", EBPFFuncName: "kretprobe_io_openat2"}},
		}},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/filp_close", EBPFFuncName: "kprobe_filp_close"}},
		}},
		// mount / umount.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/attach_recursive_mnt", EBPFFuncName: "kprobe_attach_recursive_mnt"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/propagate_mnt", EBPFFuncName: "kprobe_propagate_mnt"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_sb_umount", EBPFFuncName: "kprobe_security_sb_umount"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "mount"},
			EntryAndExit, true),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "umount"},
			EntryAndExit),
		},
		// rename family.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_rename", EBPFFuncName: "kprobe_vfs_rename"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "rename"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "renameat"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "renameat2"},
			EntryAndExit),
		},
		// unlink / rmdir family.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "unlinkat"},
			EntryAndExit),
		},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_inode_rmdir", EBPFFuncName: "kprobe_security_inode_rmdir"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "rmdir"},
			EntryAndExit),
		},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_unlink", EBPFFuncName: "kprobe_vfs_unlink"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "unlink"},
			EntryAndExit),
		},
		// ioctl and getattr hooks.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/do_vfs_ioctl", EBPFFuncName: "kprobe_do_vfs_ioctl"}},
		}},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_inode_getattr", EBPFFuncName: "kprobe_security_inode_getattr"}},
		}},
		// link family.
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_link", EBPFFuncName: "kprobe_vfs_link"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/filename_create", EBPFFuncName: "kprobe_filename_create"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "link"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "linkat"},
			EntryAndExit),
		},
		// SELinux state changes via selinuxfs. sel_write_disable is best effort
		// (presumably absent on kernels without runtime disable support — confirm).
		&manager.BestEffort{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/sel_write_disable", EBPFFuncName: "kprobe_sel_write_disable"}},
		}},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/sel_write_enforce", EBPFFuncName: "kprobe_sel_write_enforce"}},
		}},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/sel_write_bool", EBPFFuncName: "kprobe_sel_write_bool"}},
		}},
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/sel_commit_bools_write", EBPFFuncName: "kprobe_sel_commit_bools_write"}},
		}},
	},
	"chmod": {
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_inode_setattr", EBPFFuncName: "kprobe_security_inode_setattr"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "chmod"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fchmod"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fchmodat"},
			EntryAndExit),
		},
	},
	"chown": {
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_inode_setattr", EBPFFuncName: "kprobe_security_inode_setattr"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		// mnt_want_write_file vs mnt_want_write_file_path: one of the two exists on a given kernel.
		&manager.OneOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write_file", EBPFFuncName: "kprobe_mnt_want_write_file"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write_file_path", EBPFFuncName: "kprobe_mnt_want_write_file_path"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "chown"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "chown16"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fchown"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fchown16"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fchownat"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "lchown"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "lchown16"},
			EntryAndExit),
		},
	},
	"mkdir": {
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_mkdir", EBPFFuncName: "kprobe_vfs_mkdir"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/filename_create", EBPFFuncName: "kprobe_filename_create"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "mkdir"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "mkdirat"},
			EntryAndExit),
		},
	},
	"removexattr": {
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_removexattr", EBPFFuncName: "kprobe_vfs_removexattr"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		&manager.OneOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write_file", EBPFFuncName: "kprobe_mnt_want_write_file"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write_file_path", EBPFFuncName: "kprobe_mnt_want_write_file_path"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "removexattr"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fremovexattr"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "lremovexattr"},
			EntryAndExit),
		},
	},
	"setxattr": {
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/vfs_setxattr", EBPFFuncName: "kprobe_vfs_setxattr"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		&manager.OneOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write_file", EBPFFuncName: "kprobe_mnt_want_write_file"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write_file_path", EBPFFuncName: "kprobe_mnt_want_write_file_path"}},
		}},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "setxattr"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "fsetxattr"},
			EntryAndExit),
		},
		&manager.OneOf{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "lsetxattr"},
			EntryAndExit),
		},
	},
	"utimes": {
		&manager.AllOf{Selectors: []manager.ProbesSelector{
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/security_inode_setattr", EBPFFuncName: "kprobe_security_inode_setattr"}},
			&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "kprobe/mnt_want_write", EBPFFuncName: "kprobe_mnt_want_write"}},
		}},
		// Each time syscall is listed twice: once with its compat variant (trailing `true`) and
		// once with ExpandTime32 for the _time32 entry points. All are best effort, since the set
		// of time syscalls differs between kernel versions and architectures.
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "utime"},
			EntryAndExit, true),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "utime32"},
			EntryAndExit),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "utimes"},
			EntryAndExit, true),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "utimes"},
			EntryAndExit|ExpandTime32),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "utimensat"},
			EntryAndExit, true),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "utimensat"},
			EntryAndExit|ExpandTime32),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "futimesat"},
			EntryAndExit, true),
		},
		&manager.BestEffort{Selectors: ExpandSyscallProbesSelector(
			manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "futimesat"},
			EntryAndExit|ExpandTime32),
		},
	},
}
SelectorsPerEventType maps each event type to the probe selectors that must be attached to handle it. The "*" entry holds the probes required regardless of the event type. Selectors grouped under manager.BestEffort — notably the credential-change syscalls (the setuid/setgid families and capset) and execveat — are presumably optional, so a kernel on which they fail to attach still passes selection; check which probes actually attached at runtime before relying on those events for detection.
// SyscallMonitorSelectors is the list of probes that should be activated for the syscall monitor
// feature: the raw_syscalls/sys_enter tracepoint and the sched/sched_process_exec tracepoint.
var SyscallMonitorSelectors = []manager.ProbesSelector{
	&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "tracepoint/raw_syscalls/sys_enter", EBPFFuncName: "sys_enter"}},
	&manager.ProbeSelector{ProbeIdentificationPair: manager.ProbeIdentificationPair{UID: SecurityAgentUID, EBPFSection: "tracepoint/sched/sched_process_exec", EBPFFuncName: "sched_process_exec"}},
}
SyscallMonitorSelectors is the list of probes attached when the syscall monitor feature is enabled: the raw_syscalls/sys_enter and sched/sched_process_exec tracepoints. These are in addition to SelectorsPerEventType, not a replacement for it.
Functions ¶
func AllBPFProbeWriteUserSections ¶
func AllBPFProbeWriteUserSections() []string
AllBPFProbeWriteUserSections returns the list of program sections that use the bpf_probe_write_user helper, i.e. the programs that write into the user-space memory of the traced task. That helper is security-sensitive and not available on every kernel, so this list is presumably what a caller uses to decide which programs to exclude when the helper cannot be used (confirm against the caller).
func AllMapSpecEditors ¶
func AllMapSpecEditors(numCPU int) map[string]manager.MapSpecEditor
AllMapSpecEditors returns the MapSpecEditor to apply to each map, keyed by map name. numCPU is presumably used to size the maps whose capacity scales with the number of CPUs — confirm against the implementation.
func AllPerfMaps() []*manager.PerfMap
AllPerfMaps returns the list of perf maps of the runtime security module
func AllTailRoutes ¶
func AllTailRoutes(ERPCDentryResolutionEnabled bool) []manager.TailCallRoute
AllTailRoutes returns the list of all the tail call routes. ERPCDentryResolutionEnabled presumably controls whether the eRPC dentry resolver routes (DentryResolverERPCKey and the other *ERPCKey programs) are included — confirm against the implementation.
func ExpandSyscallProbes(probe *manager.Probe, flag int, compat ...bool) []*manager.Probe
ExpandSyscallProbes returns the hook probes available for the syscall function named by the provided probe. flag is a bitwise combination of Entry, Exit (or EntryAndExit) and ExpandTime32; the optional compat argument additionally requests the compat syscall variants (presumably the 32-bit entry points on 64-bit kernels).
func ExpandSyscallProbesSelector ¶
func ExpandSyscallProbesSelector(id manager.ProbeIdentificationPair, flag int, compat ...bool) []manager.ProbesSelector
ExpandSyscallProbesSelector returns the list of ProbesSelector required to query all the probes available for a syscall. It takes the same flag and compat arguments as ExpandSyscallProbes.
func GetPerfBufferStatisticsMaps() map[string]string
GetPerfBufferStatisticsMaps returns the maps used to monitor the performance of each perf buffer, presumably keyed by perf map name with the name of its statistics map as value — confirm against the implementation.
func ShouldUseSyscallExitTracepoints ¶
func ShouldUseSyscallExitTracepoints() bool
ShouldUseSyscallExitTracepoints returns true when the running kernel is too old to handle syscall exits with kretprobes, in which case tracepoints are used instead.