ebpf

package
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 16, 2022 License: Apache-2.0 Imports: 55 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	IterateShared int = iota
	Iterate
)
View Source 
const (
	UIDFilterMap         = "uid_filter"
	PIDFilterMap         = "pid_filter"
	MntNSFilterMap       = "mnt_ns_filter"
	PidNSFilterMap       = "pid_ns_filter"
	UTSFilterMap         = "uts_ns_filter"
	CommFilterMap        = "comm_filter"
	ProcessTreeFilterMap = "process_tree_map"
	CgroupIdFilterMap    = "cgroup_id_filter"
	ContIdFilter         = "cont_id_filter"
	BinaryFilterMap      = "binary_filter"
)
View Source 
const BPFMaxErrFileLen = 72 // BPF_MAX_ERR_FILE_LEN

Variables

This section is empty.

Functions

func CreateNetEvent 

func CreateNetEvent(eventMeta bufferdecoder.NetEventMetadata, ctx procinfo.ProcessCtx, eventName string) trace.Event

CreateNetEvent creates and returns event 'eventName'

func FindingToEvent added in v0.10.0 

func FindingToEvent(f detect.Finding) (*trace.Event, error)

FindingToEvent converts a detect.Finding into a trace.Event This is used because the pipeline expects trace.Event, but the rule engine returns detect.Finding

func GetCaptureEventsList added in v0.8.0 

func GetCaptureEventsList(cfg Config) map[events.ID]eventConfig

GetCaptureEventsList sets events used to capture data

func GetEssentialEventsList added in v0.8.0 

func GetEssentialEventsList() map[events.ID]eventConfig

GetEssentialEventsList sets the default events used by tracee

func MergeErrors 

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

Types

type BPFError added in v0.10.0 

type BPFError struct {
	// contains filtered or unexported fields
}

BPFError struct contains aggregated data about a bpf error origin

func (BPFError) CPU added in v0.10.0 

func (b BPFError) CPU() uint32

func (BPFError) Count added in v0.10.0 

func (b BPFError) Count() uint32

func (*BPFError) Decode added in v0.10.0 

func (b *BPFError) Decode(rawBuffer []byte) error

func (BPFError) Error added in v0.10.0 

func (b BPFError) Error() string

func (BPFError) File added in v0.10.0 

func (b BPFError) File() []byte

func (BPFError) FileAsString added in v0.10.0 

func (b BPFError) FileAsString() string

func (BPFError) ID added in v0.10.0 

func (b BPFError) ID() uint32

func (BPFError) Line added in v0.10.0 

func (b BPFError) Line() uint32

func (BPFError) LogLevel added in v0.10.0 

func (b BPFError) LogLevel() logger.Level

func (BPFError) Return added in v0.10.0 

func (b BPFError) Return() int64

func (BPFError) Size added in v0.10.0 

func (b BPFError) Size() int

func (BPFError) Type added in v0.10.0 

func (b BPFError) Type() BPFErrorType

type BPFErrorType added in v0.10.0 

type BPFErrorType uint32
const (
	BPFErrUnspec BPFErrorType = iota // BPF_ERR_UNSPEC

	// tracee functions
	BPFErrInitContext // BPF_ERR_INIT_CONTEXT

	// bpf helpers functions
	BPFErrMapLookupElem  // BPF_ERR_MAP_LOOKUP_ELEM
	BPFErrMapUpdateElem  // BPF_ERR_MAP_UPDATE_ELEM
	BPFErrMapDeleteElem  // BPF_ERR_MAP_DELETE_ELEM
	BPFErrGetCurrentComm // BPF_ERR_GET_CURRENT_COMM
	BPFErrTailCall       // BPF_ERR_TAIL_CALL
)

func (BPFErrorType) String added in v0.10.0 

func (b BPFErrorType) String() string

type CapabilitiesConfig added in v0.9.0 

type CapabilitiesConfig struct {
	BypassCaps bool
	AddCaps    []string
	DropCaps   []string
}

type CaptureConfig 

type CaptureConfig struct {
	OutputPath      string
	FileWrite       bool
	Module          bool
	FilterFileWrite []string
	Exec            bool
	Mem             bool
	Profile         bool
	NetIfaces       *NetIfaces
	NetPerContainer bool
	NetPerProcess   bool
}

type Config 

type Config struct {
	Filter             *Filter
	Capture            *CaptureConfig
	Capabilities       *CapabilitiesConfig
	Output             *OutputConfig
	Cache              queue.CacheConfig
	PerfBufferSize     int
	BlobPerfBufferSize int
	Debug              bool

	BTFObjPath       string
	BPFObjPath       string
	BPFObjBytes      []byte
	KernelConfig     *helpers.KernelConfig
	ChanEvents       chan trace.Event
	ProcessInfo      bool
	OSInfo           *helpers.OSInfo
	Sockets          runtime.Sockets
	ContainersEnrich bool
	EngineConfig     engine.Config
	// contains filtered or unexported fields
}

Config is a struct containing user defined configuration of tracee

func (Config) Validate 

func (tc Config) Validate() error

Validate does static validation of the configuration

type Filter 

type Filter struct {
	EventsToTrace     []events.ID
	UIDFilter         *filters.BPFUIntFilter[uint32]
	PIDFilter         *filters.BPFUIntFilter[uint32]
	NewPidFilter      *filters.BoolFilter
	MntNSFilter       *filters.BPFUIntFilter[uint64]
	PidNSFilter       *filters.BPFUIntFilter[uint64]
	UTSFilter         *filters.BPFStringFilter
	CommFilter        *filters.BPFStringFilter
	ContFilter        *filters.BoolFilter
	NewContFilter     *filters.BoolFilter
	ContIDFilter      *filters.ContainerFilter
	RetFilter         *filters.RetFilter
	ArgFilter         *filters.ArgFilter
	ContextFilter     *filters.ContextFilter
	ProcessTreeFilter *filters.ProcessTreeFilter
	BinaryFilter      *filters.BPFStringFilter
	Follow            bool
	NetFilter         *NetIfaces
}

type InitValues added in v0.8.1 

type InitValues struct {
	// contains filtered or unexported fields
}

InitValues determines if to initialize values that might be needed by eBPF programs

type NetIfaces added in v0.8.1 

type NetIfaces struct {
	Ifaces []string
}

func (*NetIfaces) Find added in v0.8.1 

func (ifaces *NetIfaces) Find(iface string) (int, bool)

func (*NetIfaces) Interfaces added in v0.8.1 

func (ifaces *NetIfaces) Interfaces() []string

func (*NetIfaces) Parse added in v0.8.1 

func (filter *NetIfaces) Parse(operatorAndValues string) error

type OutputConfig 

type OutputConfig struct {
	StackAddresses    bool
	DetectSyscall     bool
	ExecEnv           bool
	RelativeTime      bool
	ExecHash          bool
	ParseArguments    bool
	ParseArgumentsFDs bool
	EventsSorting     bool
}

type Tracee 

type Tracee struct {
	StackAddressesMap *bpf.BPFMap
	FDArgPathMap      *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New 

func New(cfg Config) (*Tracee, error)

New creates a new Tracee instance based on a given valid Config It is expected that New will not cause external system side effects (reads, writes, etc.)

func (*Tracee) Close 

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) GetTailCalls added in v0.8.3 

func (t *Tracee) GetTailCalls() ([]events.TailCall, error)

func (*Tracee) Init added in v0.8.1 

func (t *Tracee) Init() error

Init initialize tracee instance and it's various subsystems, potentially performing external system operations to initialize them. NOTE: any initialization logic, especially one that causes side effects, should go here and not New().

func (*Tracee) Run 

func (t *Tracee) Run(ctx gocontext.Context) error

Run starts the trace. it will run until ctx is cancelled

func (*Tracee) Running added in v0.8.1 

func (t *Tracee) Running() bool

func (*Tracee) Stats 

func (t *Tracee) Stats() *metrics.Stats

func (*Tracee) WaitForPipeline 

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.