Documentation ¶
Index ¶
- Constants
- Variables
- func Parse16BytesSliceIP(in []byte) string
- func ParseAccessMode(mode uint32) string
- func ParseBPFCmd(cmd int32) string
- func ParseCapability(cap int32) string
- func ParseCloneFlags(flags uint64) string
- func ParseExecFlags(flags uint32) string
- func ParseInodeMode(mode uint32) string
- func ParseMemProt(prot uint32) string
- func ParseOpenFlags(flags uint32) string
- func ParsePrctlOption(op int32) string
- func ParsePtraceRequest(req int64) string
- func ParseSocketDomain(sd uint32) string
- func ParseSocketType(st uint32) string
- func ParseUint32IP(in uint32) string
- func TracePipeListen() error
- type KernelConfig
- type RWArray
Examples ¶
Constants ¶
// Identifiers for the kernel config options this package knows about.
//
// Values are assigned with iota starting at 1, so the position of a name in
// this list fixes its numeric value and the zero value of uint32 is not used
// by any identifier. Inserting or reordering entries changes the values of
// everything after them; append new entries at the end.
const (
	CONFIG_BPF uint32 = iota + 1
	CONFIG_BPF_SYSCALL // bpf(2) syscall support
	CONFIG_HAVE_EBPF_JIT
	CONFIG_BPF_JIT
	CONFIG_BPF_JIT_ALWAYS_ON // JIT always enabled; kernel built without the BPF interpreter
	CONFIG_CGROUPS
	CONFIG_CGROUP_BPF
	CONFIG_CGROUP_NET_CLASSID
	CONFIG_SOCK_CGROUP_DATA
	CONFIG_BPF_EVENTS
	CONFIG_KPROBE_EVENTS
	CONFIG_UPROBE_EVENTS
	CONFIG_TRACING
	CONFIG_FTRACE_SYSCALLS
	CONFIG_FUNCTION_ERROR_INJECTION
	CONFIG_BPF_KPROBE_OVERRIDE // gates bpf_override_return() on kprobes
	CONFIG_NET
	CONFIG_XDP_SOCKETS
	CONFIG_LWTUNNEL_BPF
	CONFIG_NET_ACT_BPF
	CONFIG_NET_CLS_BPF
	CONFIG_NET_CLS_ACT
	CONFIG_NET_SCH_INGRESS
	CONFIG_XFRM
	CONFIG_IP_ROUTE_CLASSID
	CONFIG_IPV6_SEG6_BPF
	CONFIG_BPF_LIRC_MODE2
	CONFIG_BPF_STREAM_PARSER
	CONFIG_NETFILTER_XT_MATCH_BPF
	CONFIG_BPFILTER
	CONFIG_BPFILTER_UMH
	CONFIG_TEST_BPF
	CONFIG_HZ // numeric option (timer frequency) rather than y/m/n
	CONFIG_DEBUG_INFO_BTF // kernel built with BTF type information
	CONFIG_DEBUG_INFO_BTF_MODULES
	CONFIG_BPF_LSM // BPF programs attached to LSM hooks
	CONFIG_BPF_PRELOAD
	CONFIG_BPF_PRELOAD_UMD
)
These constants cover only a small subset of all kernel config options; they are provided because they are the most relevant for BPF development.
Variables ¶
// KernelConfigKeyIDToString maps each CONFIG_* identifier to its option name
// as a string. It is the inverse of KernelConfigKeyStringToID, and the two
// tables must be kept in sync when an option is added.
//
// Indexing with an identifier that is not listed yields the empty string;
// use the two-value form (name, ok := m[id]) to detect an unknown key.
var KernelConfigKeyIDToString map[uint32]string = map[uint32]string{
	CONFIG_BPF: "CONFIG_BPF",
	CONFIG_BPF_SYSCALL: "CONFIG_BPF_SYSCALL",
	CONFIG_HAVE_EBPF_JIT: "CONFIG_HAVE_EBPF_JIT",
	CONFIG_BPF_JIT: "CONFIG_BPF_JIT",
	CONFIG_BPF_JIT_ALWAYS_ON: "CONFIG_BPF_JIT_ALWAYS_ON",
	CONFIG_CGROUPS: "CONFIG_CGROUPS",
	CONFIG_CGROUP_BPF: "CONFIG_CGROUP_BPF",
	CONFIG_CGROUP_NET_CLASSID: "CONFIG_CGROUP_NET_CLASSID",
	CONFIG_SOCK_CGROUP_DATA: "CONFIG_SOCK_CGROUP_DATA",
	CONFIG_BPF_EVENTS: "CONFIG_BPF_EVENTS",
	CONFIG_KPROBE_EVENTS: "CONFIG_KPROBE_EVENTS",
	CONFIG_UPROBE_EVENTS: "CONFIG_UPROBE_EVENTS",
	CONFIG_TRACING: "CONFIG_TRACING",
	CONFIG_FTRACE_SYSCALLS: "CONFIG_FTRACE_SYSCALLS",
	CONFIG_FUNCTION_ERROR_INJECTION: "CONFIG_FUNCTION_ERROR_INJECTION",
	CONFIG_BPF_KPROBE_OVERRIDE: "CONFIG_BPF_KPROBE_OVERRIDE",
	CONFIG_NET: "CONFIG_NET",
	CONFIG_XDP_SOCKETS: "CONFIG_XDP_SOCKETS",
	CONFIG_LWTUNNEL_BPF: "CONFIG_LWTUNNEL_BPF",
	CONFIG_NET_ACT_BPF: "CONFIG_NET_ACT_BPF",
	CONFIG_NET_CLS_BPF: "CONFIG_NET_CLS_BPF",
	CONFIG_NET_CLS_ACT: "CONFIG_NET_CLS_ACT",
	CONFIG_NET_SCH_INGRESS: "CONFIG_NET_SCH_INGRESS",
	CONFIG_XFRM: "CONFIG_XFRM",
	CONFIG_IP_ROUTE_CLASSID: "CONFIG_IP_ROUTE_CLASSID",
	CONFIG_IPV6_SEG6_BPF: "CONFIG_IPV6_SEG6_BPF",
	CONFIG_BPF_LIRC_MODE2: "CONFIG_BPF_LIRC_MODE2",
	CONFIG_BPF_STREAM_PARSER: "CONFIG_BPF_STREAM_PARSER",
	CONFIG_NETFILTER_XT_MATCH_BPF: "CONFIG_NETFILTER_XT_MATCH_BPF",
	CONFIG_BPFILTER: "CONFIG_BPFILTER",
	CONFIG_BPFILTER_UMH: "CONFIG_BPFILTER_UMH",
	CONFIG_TEST_BPF: "CONFIG_TEST_BPF",
	CONFIG_HZ: "CONFIG_HZ",
	CONFIG_DEBUG_INFO_BTF: "CONFIG_DEBUG_INFO_BTF",
	CONFIG_DEBUG_INFO_BTF_MODULES: "CONFIG_DEBUG_INFO_BTF_MODULES",
	CONFIG_BPF_LSM: "CONFIG_BPF_LSM",
	CONFIG_BPF_PRELOAD: "CONFIG_BPF_PRELOAD",
	CONFIG_BPF_PRELOAD_UMD: "CONFIG_BPF_PRELOAD_UMD",
}
// KernelConfigKeyStringToID maps a kernel config option name to its CONFIG_*
// identifier. It is the inverse of KernelConfigKeyIDToString, and the two
// tables must be kept in sync when an option is added.
//
// Indexing with a name that is not listed yields 0, which is not one of the
// CONFIG_* identifiers (they start at 1); use the two-value form
// (id, ok := m[name]) when the name comes from outside the program.
var KernelConfigKeyStringToID map[string]uint32 = map[string]uint32{
	"CONFIG_BPF": CONFIG_BPF,
	"CONFIG_BPF_SYSCALL": CONFIG_BPF_SYSCALL,
	"CONFIG_HAVE_EBPF_JIT": CONFIG_HAVE_EBPF_JIT,
	"CONFIG_BPF_JIT": CONFIG_BPF_JIT,
	"CONFIG_BPF_JIT_ALWAYS_ON": CONFIG_BPF_JIT_ALWAYS_ON,
	"CONFIG_CGROUPS": CONFIG_CGROUPS,
	"CONFIG_CGROUP_BPF": CONFIG_CGROUP_BPF,
	"CONFIG_CGROUP_NET_CLASSID": CONFIG_CGROUP_NET_CLASSID,
	"CONFIG_SOCK_CGROUP_DATA": CONFIG_SOCK_CGROUP_DATA,
	"CONFIG_BPF_EVENTS": CONFIG_BPF_EVENTS,
	"CONFIG_KPROBE_EVENTS": CONFIG_KPROBE_EVENTS,
	"CONFIG_UPROBE_EVENTS": CONFIG_UPROBE_EVENTS,
	"CONFIG_TRACING": CONFIG_TRACING,
	"CONFIG_FTRACE_SYSCALLS": CONFIG_FTRACE_SYSCALLS,
	"CONFIG_FUNCTION_ERROR_INJECTION": CONFIG_FUNCTION_ERROR_INJECTION,
	"CONFIG_BPF_KPROBE_OVERRIDE": CONFIG_BPF_KPROBE_OVERRIDE,
	"CONFIG_NET": CONFIG_NET,
	"CONFIG_XDP_SOCKETS": CONFIG_XDP_SOCKETS,
	"CONFIG_LWTUNNEL_BPF": CONFIG_LWTUNNEL_BPF,
	"CONFIG_NET_ACT_BPF": CONFIG_NET_ACT_BPF,
	"CONFIG_NET_CLS_BPF": CONFIG_NET_CLS_BPF,
	"CONFIG_NET_CLS_ACT": CONFIG_NET_CLS_ACT,
	"CONFIG_NET_SCH_INGRESS": CONFIG_NET_SCH_INGRESS,
	"CONFIG_XFRM": CONFIG_XFRM,
	"CONFIG_IP_ROUTE_CLASSID": CONFIG_IP_ROUTE_CLASSID,
	"CONFIG_IPV6_SEG6_BPF": CONFIG_IPV6_SEG6_BPF,
	"CONFIG_BPF_LIRC_MODE2": CONFIG_BPF_LIRC_MODE2,
	"CONFIG_BPF_STREAM_PARSER": CONFIG_BPF_STREAM_PARSER,
	"CONFIG_NETFILTER_XT_MATCH_BPF": CONFIG_NETFILTER_XT_MATCH_BPF,
	"CONFIG_BPFILTER": CONFIG_BPFILTER,
	"CONFIG_BPFILTER_UMH": CONFIG_BPFILTER_UMH,
	"CONFIG_TEST_BPF": CONFIG_TEST_BPF,
	"CONFIG_HZ": CONFIG_HZ,
	"CONFIG_DEBUG_INFO_BTF": CONFIG_DEBUG_INFO_BTF,
	"CONFIG_DEBUG_INFO_BTF_MODULES": CONFIG_DEBUG_INFO_BTF_MODULES,
	"CONFIG_BPF_LSM": CONFIG_BPF_LSM,
	"CONFIG_BPF_PRELOAD": CONFIG_BPF_PRELOAD,
	"CONFIG_BPF_PRELOAD_UMD": CONFIG_BPF_PRELOAD_UMD,
}
Functions ¶
func Parse16BytesSliceIP ¶
Parse16BytesSliceIP parses an IP address encoded as a 16-byte slice. It would be more correct to accept a [16]byte instead of a variable-length slice, but that would cause unnecessary memory copying and type conversions; callers should therefore make sure the slice they pass is exactly 16 bytes long.
func ParseAccessMode ¶
ParseAccessMode parses the mode from the `access` system call http://man7.org/linux/man-pages/man2/access.2.html
func ParseBPFCmd ¶
ParseBPFCmd parses the `cmd` argument of the `bpf` syscall https://man7.org/linux/man-pages/man2/bpf.2.html
func ParseCapability ¶
ParseCapability parses the `capability` bitmask argument of the `cap_capable` function (see include/uapi/linux/capability.h)
func ParseCloneFlags ¶
ParseCloneFlags parses the `flags` bitmask argument of the `clone` syscall https://man7.org/linux/man-pages/man2/clone.2.html
func ParseExecFlags ¶
ParseExecFlags parses the `flags` bitmask argument of the `execve` syscall http://man7.org/linux/man-pages/man2/execveat.2.html
func ParseInodeMode ¶
ParseInodeMode parses the `mode` bitmask argument of the `mknod` syscall http://man7.org/linux/man-pages/man7/inode.7.html
func ParseMemProt ¶
ParseMemProt parses the `prot` bitmask argument of the `mmap` syscall http://man7.org/linux/man-pages/man2/mmap.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/mman-common.h#L10
func ParseOpenFlags ¶
ParseOpenFlags parses the `flags` bitmask argument of the `open` syscall http://man7.org/linux/man-pages/man2/open.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/fcntl.h
func ParsePrctlOption ¶
ParsePrctlOption parses the `option` argument of the `prctl` syscall http://man7.org/linux/man-pages/man2/prctl.2.html
func ParsePtraceRequest ¶
ParsePtraceRequest parses the `request` argument of the `ptrace` syscall http://man7.org/linux/man-pages/man2/ptrace.2.html
func ParseSocketDomain ¶
ParseSocketDomain parses the `domain` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html
func ParseSocketType ¶
ParseSocketType parses the `type` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html
func ParseUint32IP ¶
ParseUint32IP parses the IP address encoded as a uint32
func TracePipeListen ¶
func TracePipeListen() error
TracePipeListen reads data from the trace pipe that bpf_trace_printk() writes to (/sys/kernel/debug/tracing/trace_pipe) and writes it to stdout. The pipe is global, so this function is not associated with any particular BPF program: it prints whatever any program on the host emits through bpf_trace_printk(). It is recommended to use bpf_trace_printk() and this function for debug purposes only. This is a blocking function intended to be called from a goroutine.
Example (Usage) ¶
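package main

import (
	"fmt"
	"os"
	"os/signal"

	"github.com/aquasecurity/tracee/libbpfgo/helpers"
)

// main shows how to run helpers.TracePipeListen in the background.
//
// TracePipeListen blocks, so it runs in its own goroutine. main then has to
// stay alive: if it returned right after starting the goroutine, the process
// would exit before any trace output was copied to stdout. Here main waits
// until either the listener returns or the process receives an interrupt.
func main() {
	// Buffered so the goroutine can deliver its result and exit even if main
	// has already left the select below.
	errCh := make(chan error, 1)
	go func() {
		errCh <- helpers.TracePipeListen()
	}()

	sig := make(chan os.Signal, 1)
	signal.Notify(sig, os.Interrupt)

	select {
	case err := <-errCh:
		// The listener returned on its own; report why if it failed
		// (for example, the trace pipe could not be opened).
		if err != nil {
			fmt.Fprintf(os.Stderr, "%s\n", err.Error())
		}
	case <-sig:
		// Interrupted by the user: fall through and let the process exit.
	}
}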
Output:
Types ¶
type KernelConfig ¶
func (KernelConfig) GetKernelConfigValue ¶
func (k KernelConfig) GetKernelConfigValue(key uint32) (string, error)
GetKernelConfigValue retrieves a value from the kernel config. If the config value does not exist, an error is returned.
func (KernelConfig) InitKernelConfig ¶
func (k KernelConfig) InitKernelConfig() error
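InitKernelConfig populates the passed KernelConfig by attempting to read the kernel config into it from /proc/config-$(uname -r) or /boot/config.gz. Note: the locations conventionally used on Linux are /boot/config-$(uname -r) and /proc/config.gz, so the two paths above look transposed; confirm against the implementation before relying on them.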
type RWArray ¶
// RWArray is a slot array that allows multiple concurrent readers but only a
// single writer at a time. Its fields are unexported.
type RWArray struct {
	// contains filtered or unexported fields
}
RWArray allows for multiple concurrent readers but only a single writer. The writers lock a mutex while the readers are lock free. It is implemented as an array of slots where each slot holds a value (of type interface{}) and a boolean marker to indicate if it's in use or not. The insertion (Put) performs a linear probe looking for an available slot as indicated by the in-use marker. While probing, it is not touching the value itself, as it's being read without a lock by the readers.