ebpf

package

Constants

// Iteration modes. Via iota, IterateShared is 0 and Iterate is 1; what each
// mode selects is not visible on this page — TODO confirm at the call sites.
const (
	IterateShared int = iota
	Iterate
)
// Names of the filter-related maps. The values look like eBPF map names
// (e.g. "uid_filter"); presumably they are the keys used to look up maps in
// the loaded BPF object — confirm against the BPF sources, since a mismatch
// would silently leave the corresponding filter unapplied in the kernel.
const (
	UIDFilterMap         = "uid_filter"
	PIDFilterMap         = "pid_filter"
	MntNSFilterMap       = "mnt_ns_filter"
	PidNSFilterMap       = "pid_ns_filter"
	UTSFilterMap         = "uts_ns_filter"
	CommFilterMap        = "comm_filter"
	ProcessTreeFilterMap = "process_tree_map" // value does not follow the "<x>_filter" pattern of its siblings
	CgroupIdFilterMap    = "cgroup_id_filter"
	ContIdFilter         = "cont_id_filter" // NOTE: lacks the Map suffix the other map-name constants carry
	BinaryFilterMap      = "binary_filter"
	ProcInfoMap          = "proc_info_map"
)
// BPFMaxLogFileLen mirrors the C constant BPF_MAX_LOG_FILE_LEN; presumably the
// fixed byte length of the file-name field in a BPF log record (cf. BPFLog.File
// returning []byte) — confirm against the BPF sources and keep the two in sync.
const BPFMaxLogFileLen = 72 // BPF_MAX_LOG_FILE_LEN
// MaxFilterScopes bounds the number of configured filter scopes (cf.
// FilterScopesMaxExceededError). 64 equals the bit width of the uint64 scope
// bitmask returned by FilterScopes.ContainerFilterEnabled, so each scope ID
// maps to one bit; raising this constant would require widening that bitmask.
const MaxFilterScopes = 64

Variables

This section is empty.

Functions

func FilterScopeAlreadyExists added in v0.11.0

func FilterScopeAlreadyExists(scope *FilterScope, id int) error

func FilterScopeNilError added in v0.11.0

func FilterScopeNilError() error

func FilterScopeNotFoundError added in v0.11.0

func FilterScopeNotFoundError(idx int) error

func FilterScopesMaxExceededError added in v0.11.0

func FilterScopesMaxExceededError() error

func FilterScopesOutOfRangeError added in v0.11.0

func FilterScopesOutOfRangeError(idx int) error

func FindingToEvent added in v0.10.0

func FindingToEvent(f detect.Finding) (*trace.Event, error)

FindingToEvent converts a detect.Finding into a trace.Event. This is used because the pipeline expects a trace.Event, but the rule engine returns a detect.Finding.

func GetCaptureEventsList added in v0.8.0

func GetCaptureEventsList(cfg Config) map[events.ID]eventConfig

GetCaptureEventsList returns the events used to capture data.

func GetEssentialEventsList added in v0.8.0

func GetEssentialEventsList() map[events.ID]eventConfig

GetEssentialEventsList returns the default events used by tracee.

func LoadKallsymsValues added in v0.11.0

func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol

func MergeErrors

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

func SendKsymbolsToMap added in v0.11.0

func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helpers.KernelSymbol) error

func ValidateKsymbolsTable added in v0.11.0

func ValidateKsymbolsTable(ksyms helpers.KernelSymbolTable) bool

ValidateKsymbolsTable checks whether the addresses in the table are valid by checking a specific symbol's address. Addresses are invalid when the capabilities required to read the kallsyms file were not granted. The symbol checked is "security_file_open", because it is a must-have symbol for tracee to run.

Types

type BPFLog added in v0.11.0

// BPFLog is a decoded BPF-side log record. It is populated from raw bytes by
// Decode and read through its getters (ID, Type, LogLevel, Count, CPU, Line,
// File, Return, Size); its Error method makes it usable as an error value.
type BPFLog struct {
	// contains filtered or unexported fields
}

BPFLog struct contains aggregated data about a bpf log origin

func (BPFLog) CPU added in v0.11.0

func (b BPFLog) CPU() uint32

func (BPFLog) Count added in v0.11.0

func (b BPFLog) Count() uint32

func (*BPFLog) Decode added in v0.11.0

func (b *BPFLog) Decode(rawBuffer []byte) error

func (BPFLog) Error added in v0.11.0

func (b BPFLog) Error() string

func (BPFLog) File added in v0.11.0

func (b BPFLog) File() []byte

func (BPFLog) FileAsString added in v0.11.0

func (b BPFLog) FileAsString() string

func (BPFLog) ID added in v0.11.0

func (b BPFLog) ID() uint32

func (BPFLog) Line added in v0.11.0

func (b BPFLog) Line() uint32

func (BPFLog) LogLevel added in v0.11.0

func (b BPFLog) LogLevel() logger.Level

func (BPFLog) Return added in v0.11.0

func (b BPFLog) Return() int64

func (BPFLog) Size added in v0.11.0

func (b BPFLog) Size() int

func (BPFLog) Type added in v0.11.0

func (b BPFLog) Type() BPFLogType

type BPFLogType added in v0.11.0

// BPFLogType identifies the origin of a BPF-side log record (see BPFLog.Type).
// Each value's trailing comment names the BPF_LOG_ID_* constant it corresponds
// to on the C side; the values are assigned by iota in declaration order, so
// reordering them here would desynchronize this enum from the C one.
type BPFLogType uint32
// BPFLogIDUnspec is the zero value and therefore what an unset field decodes to.
const (
	BPFLogIDUnspec BPFLogType = iota // BPF_LOG_ID_UNSPEC

	// tracee functions
	BPFLogIDInitContext // BPF_LOG_ID_INIT_CONTEXT

	// bpf helpers functions
	BPFLogIDMapLookupElem  // BPF_LOG_ID_MAP_LOOKUP_ELEM
	BPFLogIDMapUpdateElem  // BPF_LOG_ID_MAP_UPDATE_ELEM
	BPFLogIDMapDeleteElem  // BPF_LOG_ID_MAP_DELETE_ELEM
	BPFLogIDGetCurrentComm // BPF_LOG_ID_GET_CURRENT_COMM
	BPFLogIDTailCall       // BPF_LOG_ID_TAIL_CALL
	BPFLogIDMemRead        // BPF_LOG_ID_MEM_READ
)

func (BPFLogType) String added in v0.11.0

func (b BPFLogType) String() string

type CapabilitiesConfig added in v0.9.0

// CapabilitiesConfig controls how tracee handles (presumably Linux)
// capabilities.
//
// NOTE(review): the field names suggest BypassCaps disables capability
// management altogether while AddCaps/DropCaps adjust the retained set by
// name. The semantics are not visible here — confirm at the call sites, since
// widening the retained capability set widens what a compromise of the
// process could do.
type CapabilitiesConfig struct {
	BypassCaps bool     // presumably skip capability handling entirely — TODO confirm
	AddCaps    []string // presumably capability names to keep/add — TODO confirm
	DropCaps   []string // presumably capability names to drop — TODO confirm
}

type CaptureConfig

// CaptureConfig selects which artifacts tracee captures and where they go
// (consumed by GetCaptureEventsList). The bool fields look like per-artifact
// toggles and FilterFileWrite like a path filter for FileWrite — semantics are
// not visible on this page, confirm at the call sites.
//
// NOTE(review): captured artifacts (written files, executables, memory, pcaps)
// can contain sensitive data; whoever configures OutputPath should restrict
// the directory's permissions accordingly.
type CaptureConfig struct {
	OutputPath      string // presumably the destination directory for captured artifacts
	FileWrite       bool
	Module          bool
	FilterFileWrite []string
	Exec            bool
	Mem             bool
	Net             pcaps.Config // network capture settings, defined by the pcaps package
}

type Config

// Config is a struct containing user defined configuration of tracee. Validate
// performs static validation of it and New consumes it. The pointer sub-configs
// (FilterScopes, Capture, Capabilities, Output) are nil in the zero value, so
// consumers must guard against that — TODO confirm whether Validate does.
//
// NOTE(review): BPFObjPath/BPFObjBytes presumably carry the eBPF object that
// gets loaded into the kernel; treat their source as trusted input and keep
// the file's permissions tight.
type Config struct {
	FilterScopes       *FilterScopes // per-scope event selection and filters; see FilterScopes
	Capture            *CaptureConfig
	Capabilities       *CapabilitiesConfig
	Output             *OutputConfig
	Cache              queue.CacheConfig
	PerfBufferSize     int // perf buffer sizes; units are not visible here — TODO confirm
	BlobPerfBufferSize int

	BTFObjPath       string
	BPFObjPath       string
	BPFObjBytes      []byte // in-memory alternative to BPFObjPath, presumably — TODO confirm precedence
	KernelConfig     *helpers.KernelConfig
	ChanEvents       chan trace.Event // presumably where produced events are delivered (trace.Event is the pipeline's event type)
	OSInfo           *helpers.OSInfo
	Sockets          runtime.Sockets
	ContainersEnrich bool
	EngineConfig     engine.Config // rule-engine configuration (cf. FindingToEvent, which bridges detect.Finding into the pipeline)
	// contains filtered or unexported fields
}

Config is a struct containing user defined configuration of tracee

func (Config) Validate

func (tc Config) Validate() error

Validate does static validation of the configuration

type FilterScope added in v0.11.0

// FilterScope is one independently configured set of event selections and
// filters. Scopes live in FilterScopes (at most MaxFilterScopes of them);
// FilterScopes.Add assigns ID to the first free slot, so callers should not
// assume a hand-picked ID survives insertion.
//
// Per FilterScopes.UserSpaceMap, ArgFilter, RetFilter, ContextFilter,
// UIDFilter and PIDFilter are (at least partly) applied in user space; the
// remaining BPF*Filter types presumably map onto the *FilterMap BPF maps
// declared in this package — confirm. ContainerFilterEnabled reports whether
// any container-related filter (presumably ContFilter, NewContFilter,
// ContIDFilter) is enabled.
type FilterScope struct {
	ID                int // slot index inside FilterScopes; assigned by Add
	EventsToTrace     map[events.ID]string
	UIDFilter         *filters.BPFUIntFilter[uint32]
	PIDFilter         *filters.BPFUIntFilter[uint32]
	NewPidFilter      *filters.BoolFilter
	MntNSFilter       *filters.BPFUIntFilter[uint64]
	PidNSFilter       *filters.BPFUIntFilter[uint64]
	UTSFilter         *filters.BPFStringFilter
	CommFilter        *filters.BPFStringFilter
	ContFilter        *filters.BoolFilter
	NewContFilter     *filters.BoolFilter
	ContIDFilter      *filters.ContainerFilter
	RetFilter         *filters.RetFilter
	ArgFilter         *filters.ArgFilter
	ContextFilter     *filters.ContextFilter
	ProcessTreeFilter *filters.ProcessTreeFilter
	BinaryFilter      *filters.BPFBinaryFilter
	Follow            bool // semantics not visible here — TODO confirm
}

func NewFilterScope added in v0.11.0

func NewFilterScope() *FilterScope

func (FilterScope) ContainerFilterEnabled added in v0.11.0

func (fs FilterScope) ContainerFilterEnabled() bool

ContainerFilterEnabled returns true when the scope has at least one container filter type enabled

type FilterScopes added in v0.11.0

// FilterScopes is the collection of configured FilterScope values, addressed
// by scope ID (Add, Set, Lookup, Delete) and bounded by MaxFilterScopes.
//
// TODO: add locking mechanism as scopes will change at runtime.
// NOTE(review): until that lands, the mutating methods (Add, Set, Delete) must
// be serialized by the caller with respect to the readers (Lookup, Map,
// UserSpaceMap, ContainerFilterEnabled, ...), otherwise runtime scope changes
// are a data race.
type FilterScopes struct {
	// contains filtered or unexported fields
}

TODO: add a locking mechanism, as scopes will change at runtime.

func NewFilterScopes added in v0.11.0

func NewFilterScopes() *FilterScopes

func (*FilterScopes) Add added in v0.11.0

func (fs *FilterScopes) Add(scope *FilterScope) error

Add adds a scope to FilterScopes. Its ID (index) is set to the first free slot found. Returns nil if the scope is already inserted.

func (FilterScopes) ContainerFilterEnabled added in v0.11.0

func (fs FilterScopes) ContainerFilterEnabled() uint64

ContainerFilterEnabled returns a bitmask of scopes that have at least one container filter type enabled

func (FilterScopes) Count added in v0.11.0

func (fs FilterScopes) Count() int

func (*FilterScopes) Delete added in v0.11.0

func (fs *FilterScopes) Delete(id int) error

Delete deletes a scope from FilterScopes.

func (FilterScopes) Lookup added in v0.11.0

func (fs FilterScopes) Lookup(id int) (*FilterScope, error)

func (FilterScopes) Map added in v0.11.0

func (fs FilterScopes) Map() map[*FilterScope]int

func (FilterScopes) PIDFilterMax added in v0.11.0

func (fs FilterScopes) PIDFilterMax() uint64

func (FilterScopes) PIDFilterMin added in v0.11.0

func (fs FilterScopes) PIDFilterMin() uint64

func (FilterScopes) PIDFilterableInUserSpace added in v0.11.0

func (fs FilterScopes) PIDFilterableInUserSpace() bool

func (*FilterScopes) Set added in v0.11.0

func (fs *FilterScopes) Set(id int, scope *FilterScope) error

func (FilterScopes) UIDFilterMax added in v0.11.0

func (fs FilterScopes) UIDFilterMax() uint64

func (FilterScopes) UIDFilterMin added in v0.11.0

func (fs FilterScopes) UIDFilterMin() uint64

func (FilterScopes) UIDFilterableInUserSpace added in v0.11.0

func (fs FilterScopes) UIDFilterableInUserSpace() bool

func (FilterScopes) UserSpaceMap added in v0.11.0

func (fs FilterScopes) UserSpaceMap() map[*FilterScope]int

UserSpaceMap returns a reduced scopes map which must be filtered in user space (ArgFilter, RetFilter, ContextFilter, UIDFilter and PIDFilter).

type InitValues added in v0.8.1

// InitValues determines whether to initialize values that might be needed by
// eBPF programs. It has no exported fields and no methods listed, so it is
// presumably populated and consumed inside the package.
type InitValues struct {
	// contains filtered or unexported fields
}

InitValues determines whether to initialize values that might be needed by eBPF programs.

type OutputConfig

// OutputConfig holds the user-facing output options; every field is a toggle.
// What each toggle enables is only suggested by its name — confirm at the
// call sites.
//
// NOTE(review): if ExecEnv includes the process environment in emitted
// events, the event stream can carry secrets passed via environment
// variables; handle its output accordingly when it is on.
type OutputConfig struct {
	StackAddresses    bool
	ExecEnv           bool
	RelativeTime      bool
	ExecHash          bool
	ParseArguments    bool
	ParseArgumentsFDs bool
	EventsSorting     bool
}

type Tracee

// Tracee traces system calls and system events using eBPF. Construct it with
// New (documented as having no external side effects), initialize it with
// Init (which may perform external system operations), drive it with Run
// until ctx is cancelled, and release resources with Close.
//
// The two exported fields are handles to BPF maps (the same library appears
// as libbpfgo elsewhere on this page, e.g. SendKsymbolsToMap — likely an
// import alias). They are presumably exported for other packages to read;
// TODO confirm who writes to them.
type Tracee struct {
	StackAddressesMap *bpf.BPFMap
	FDArgPathMap      *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New

func New(cfg Config) (*Tracee, error)

New creates a new Tracee instance based on a given valid Config. It is expected that New will not cause external system side effects (reads, writes, etc.).

func (*Tracee) Close

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) GetTailCalls added in v0.8.3

func (t *Tracee) GetTailCalls() ([]events.TailCall, error)

func (*Tracee) Init added in v0.8.1

func (t *Tracee) Init() error

Init initializes the tracee instance and its various subsystems, potentially performing external system operations to initialize them. NOTE: any initialization logic, especially logic that causes side effects, should go here and not in New().

func (*Tracee) NewKernelSymbols added in v0.11.0

func (t *Tracee) NewKernelSymbols() error

func (*Tracee) RegisterEventDerivation added in v0.11.0

func (t *Tracee) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, deriveLogic derive.DeriveFunction) error

RegisterEventDerivation registers an event derivation handler for tracee to use in the event pipeline

func (*Tracee) RegisterEventProcessor added in v0.11.0

func (t *Tracee) RegisterEventProcessor(id events.ID, proc func(evt *trace.Event) error) error

RegisterEventProcessor registers a pipeline processing handler for an event

func (*Tracee) Run

func (t *Tracee) Run(ctx gocontext.Context) error

Run starts the trace. It will run until ctx is cancelled.

func (*Tracee) Running added in v0.8.1

func (t *Tracee) Running() bool

func (*Tracee) Stats

func (t *Tracee) Stats() *metrics.Stats

func (*Tracee) UpdateBPFKsymbolsMap added in v0.11.0

func (t *Tracee) UpdateBPFKsymbolsMap() error

func (*Tracee) UpdateKallsyms added in v0.11.0

func (t *Tracee) UpdateKallsyms() error

func (*Tracee) UpdateKernelSymbols added in v0.11.0

func (t *Tracee) UpdateKernelSymbols() error

func (*Tracee) WaitForPipeline

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.
