Documentation ¶
Overview ¶
Invoked tracee-ebpf events from user mode

This utility can prove useful for generating information needed by signatures that normal kernel events do not provide. Because kernel events are invoked by the behavior of other programs, we cannot anticipate which events will be invoked and, as a result, what information will be extracted. This is critical because tracee-rules is independent and does not have to run on the same machine as tracee-ebpf, so tracee-rules might lack basic information about the monitored machine that some signatures need. By creating user-mode events, this information can be intentionally collected and passed to tracee-ebpf afterwards.
Index ¶
- Constants
- Variables
- func Derive(event trace.Event, derivationTable DerivationTable) ([]trace.Event, []error)
- func ExistingContainersEvents(containers *containers.Containers, enrich bool) []trace.Event
- func GetArg(event *trace.Event, argName string) *trace.Argument
- func InitNamespacesEvent() trace.Event
- func ParseArgs(event *trace.Event) error
- func ParseArgsFDs(event *trace.Event, fdArgPathMap *bpf.BPFMap) error
- func RequiredCapabilities(events []ID) []cap.Value
- type DerivationTable
- type DeriveFunction
- type Event
- type ID
- type TailCall
Constants ¶
```go
const (
	CaptureIface int32 = 1 << iota
	TraceIface
)
```

```go
const InitProcNsDir = "/proc/1/ns"
```

```go
const Unique32BitSyscallsStartID = 3000
```
Variables ¶
```go
var Definitions = eventDefinitions{
	// contains filtered or unexported fields
}
```
Functions ¶
func Derive ¶
Derive takes a trace.Event and checks whether additional events can be derived from it, as defined by tracee's eventDerivations map. The map is initialized in the function above.
func ExistingContainersEvents ¶
```go
func ExistingContainersEvents(containers *containers.Containers, enrich bool) []trace.Event
```
ExistingContainersEvents returns a list of events for each existing container
func InitNamespacesEvent ¶
InitNamespacesEvent collects the init process namespaces and creates an event from them.
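As an added example (not tracee's own implementation), the following self-contained Go program shows what a user-mode event such as InitNamespacesEvent has to do: read each link under InitProcNsDir (the constant documented on this page), parse the `name:[inode]` link target, and emit an event whose arguments are the init process's namespace inodes. The Argument and Event types, the event name "init_namespaces", the helper names and the sample link targets are assumptions constructed for this example. The defender's use is the one the overview describes: a signature running in tracee-rules on another machine cannot read /proc/1/ns itself, but with this event it can compare a process's namespace inodes against the init namespaces and notice when a supposedly contained process shares the host's mount, PID or network namespace.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strconv"
	"strings"
)

// InitProcNsDir is the constant documented on this page.
const InitProcNsDir = "/proc/1/ns"

// Argument and Event are minimal stand-ins (assumption) for trace.Argument / trace.Event.
type Argument struct {
	Name  string
	Value interface{}
}

type Event struct {
	EventName string
	Args      []Argument
}

// parseNsLink parses a namespace symlink target such as "mnt:[4026531840]"
// into the namespace name and its inode number, rejecting malformed targets.
func parseNsLink(target string) (string, uint64, error) {
	i := strings.Index(target, ":[")
	if i <= 0 || !strings.HasSuffix(target, "]") {
		return "", 0, fmt.Errorf("malformed namespace link %q", target)
	}
	inode, err := strconv.ParseUint(target[i+2:len(target)-1], 10, 64)
	if err != nil {
		return "", 0, fmt.Errorf("malformed namespace inode in %q: %w", target, err)
	}
	return target[:i], inode, nil
}

// initNamespacesEvent builds the user-mode event from link targets read under a
// /proc/<pid>/ns directory, keyed by entry name ("mnt", "pid", ...). Arguments
// are emitted in sorted order so the event is deterministic.
func initNamespacesEvent(links map[string]string) (Event, error) {
	names := make([]string, 0, len(links))
	for n := range links {
		names = append(names, n)
	}
	sort.Strings(names)
	ev := Event{EventName: "init_namespaces"} // event name is an assumption
	for _, n := range names {
		_, inode, err := parseNsLink(links[n])
		if err != nil {
			return Event{}, fmt.Errorf("%s: %w", n, err)
		}
		ev.Args = append(ev.Args, Argument{Name: n, Value: inode})
	}
	return ev, nil
}

// nsInode looks up one namespace inode in the event, the way a signature would.
func nsInode(ev Event, name string) (uint64, bool) {
	for _, a := range ev.Args {
		if a.Name == name {
			ino, ok := a.Value.(uint64)
			return ino, ok
		}
	}
	return 0, false
}

// readNsLinks reads the symlink targets of a real /proc/<pid>/ns directory.
func readNsLinks(dir string) (map[string]string, error) {
	entries, err := os.ReadDir(dir)
	if err != nil {
		return nil, err
	}
	links := make(map[string]string, len(entries))
	for _, e := range entries {
		target, err := os.Readlink(filepath.Join(dir, e.Name()))
		if err != nil {
			return nil, err
		}
		links[e.Name()] = target
	}
	return links, nil
}

// sampleLinks is a constructed snapshot of what readNsLinks returns for PID 1.
var sampleLinks = map[string]string{
	"cgroup": "cgroup:[4026531835]",
	"ipc":    "ipc:[4026531839]",
	"mnt":    "mnt:[4026531840]",
	"net":    "net:[4026531992]",
	"pid":    "pid:[4026531836]",
	"user":   "user:[4026531837]",
	"uts":    "uts:[4026531838]",
}

func main() {
	links, err := readNsLinks(InitProcNsDir)
	if err != nil {
		fmt.Println("cannot read", InitProcNsDir, "-", err, "- using constructed sample")
		links = sampleLinks
	}
	ev, err := initNamespacesEvent(links)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range ev.Args {
		fmt.Printf("%s=%d\n", a.Name, a.Value)
	}
}
```

Reading /proc/1/ns requires permission to inspect PID 1, which is why the program falls back to the constructed sample when the directory is not readable; the parsing and event construction are the part a signature depends on and are exercised either way.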
func ParseArgsFDs ¶ added in v0.8.2
func RequiredCapabilities ¶
Types ¶
type DerivationTable ¶
```go
type DerivationTable map[ID]map[ID]struct {
	Function DeriveFunction
	Enabled  bool // practically, this field exists to drop derivation of unneeded events
}
```

DerivationTable defines a table mapping events to the events they can be derived into, each with its corresponding DeriveFunction.
type DeriveFunction ¶
DeriveFunction is a function prototype for a function that receives an event as argument and may produce a new event if relevant. It returns a derived or empty event, depending on successful derivation, and an error if one occurred.
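To show how the Derive, DerivationTable, DeriveFunction and GetArg pieces described here fit together, this is an added, self-contained Go model of the pattern; it is not tracee's code. The ID, Argument and Event types, the constant values, the `(Event, bool, error)` derivation signature, the "cgroup_path" argument name and the container-cgroup heuristic (a `docker-<id>.scope` cgroup under the systemd cgroup driver) are all assumptions made for this example, and the sample events are constructed. The derivation it registers, container_create from cgroup_mkdir, is the kind of step that gives a rules engine container context without a kernel event for it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ID is an event identifier; these values are illustrative, not tracee's.
type ID int32

const (
	CgroupMkdir      ID = 1
	ContainerCreate  ID = 2
	SchedProcessExec ID = 3
)

// Argument and Event are minimal stand-ins (assumption) for trace.Argument / trace.Event.
type Argument struct {
	Name  string
	Value interface{}
}

type Event struct {
	EventID   ID
	EventName string
	Args      []Argument
}

// DeriveFunction models the documented prototype: the bool reports whether an
// event was derived, and the error reports a failure during derivation.
type DeriveFunction func(Event) (Event, bool, error)

// DerivationTable maps a source event ID to the events it may be derived into.
type DerivationTable map[ID]map[ID]struct {
	Function DeriveFunction
	Enabled  bool // disabled entries are skipped, dropping unneeded derivations
}

// GetArg returns the argument named argName, or nil if the event lacks it.
func GetArg(event *Event, argName string) *Argument {
	for i := range event.Args {
		if event.Args[i].Name == argName {
			return &event.Args[i]
		}
	}
	return nil
}

// Derive runs every enabled derivation registered for event's ID and collects
// the derived events and any per-derivation errors separately.
func Derive(event Event, table DerivationTable) ([]Event, []error) {
	var derived []Event
	var errs []error
	for _, d := range table[event.EventID] {
		if !d.Enabled {
			continue
		}
		out, ok, err := d.Function(event)
		if err != nil {
			errs = append(errs, err)
			continue
		}
		if ok {
			derived = append(derived, out)
		}
	}
	return derived, errs
}

// deriveContainerCreate derives container_create from cgroup_mkdir when the
// new cgroup's name matches the docker-<id>.scope layout (heuristic chosen here).
func deriveContainerCreate(event Event) (Event, bool, error) {
	pathArg := GetArg(&event, "cgroup_path")
	if pathArg == nil {
		return Event{}, false, errors.New("cgroup_mkdir: missing cgroup_path argument")
	}
	path, ok := pathArg.Value.(string)
	if !ok {
		return Event{}, false, fmt.Errorf("cgroup_mkdir: cgroup_path has type %T, want string", pathArg.Value)
	}
	base := path[strings.LastIndex(path, "/")+1:]
	if !strings.HasPrefix(base, "docker-") || !strings.HasSuffix(base, ".scope") {
		return Event{}, false, nil // not a container cgroup: nothing to derive
	}
	containerID := strings.TrimSuffix(strings.TrimPrefix(base, "docker-"), ".scope")
	return Event{
		EventID:   ContainerCreate,
		EventName: "container_create",
		Args:      []Argument{{Name: "container_id", Value: containerID}},
	}, true, nil
}

// newTable builds the one-entry table used by this example.
func newTable(enabled bool) DerivationTable {
	return DerivationTable{
		CgroupMkdir: {
			ContainerCreate: {Function: deriveContainerCreate, Enabled: enabled},
		},
	}
}

// Constructed sample events: a container cgroup, a non-container cgroup, and a
// malformed event whose cgroup_path is not a string.
var (
	containerMkdir = Event{EventID: CgroupMkdir, EventName: "cgroup_mkdir",
		Args: []Argument{{Name: "cgroup_path", Value: "/system.slice/docker-0123abcd.scope"}}}
	plainMkdir = Event{EventID: CgroupMkdir, EventName: "cgroup_mkdir",
		Args: []Argument{{Name: "cgroup_path", Value: "/user.slice/user-1000.slice"}}}
	brokenMkdir = Event{EventID: CgroupMkdir, EventName: "cgroup_mkdir",
		Args: []Argument{{Name: "cgroup_path", Value: 42}}}
)

func main() {
	table := newTable(true)
	for _, ev := range []Event{containerMkdir, plainMkdir, brokenMkdir} {
		derived, errs := Derive(ev, table)
		fmt.Printf("%s %v -> derived=%d errors=%v\n", ev.EventName, ev.Args[0].Value, len(derived), errs)
	}
}
```

Derive returns errors as a slice rather than stopping at the first one because one source event can feed several derivations, and a failure in one should not suppress the others; with more than one target per source, map iteration order makes the order of the returned events unspecified.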
type Event ¶
```go
type Event struct {
	ID32Bit      ID
	Name         string
	DocPath      string // Relative to the 'doc/events' directory
	Internal     bool
	Syscall      bool
	Probes       []probeDependency
	Dependencies dependencies
	Sets         []string
	Params       []trace.ArgMeta
}
```
Event is a struct describing an event configuration
type ID ¶
```go
type ID int32
```

```go
const (
	Read                  ID = 0
	Write                 ID = 1
	Open                  ID = 2
	Close                 ID = 3
	Stat                  ID = 4
	Fstat                 ID = 5
	Lstat                 ID = 6
	Poll                  ID = 7
	Lseek                 ID = 8
	Mmap                  ID = 9
	Mprotect              ID = 10
	Munmap                ID = 11
	Brk                   ID = 12
	RtSigaction           ID = 13
	RtSigprocmask         ID = 14
	RtSigreturn           ID = 15
	Ioctl                 ID = 16
	Pread64               ID = 17
	Pwrite64              ID = 18
	Readv                 ID = 19
	Writev                ID = 20
	Access                ID = 21
	Pipe                  ID = 22
	Select                ID = 23
	SchedYield            ID = 24
	Mremap                ID = 25
	Msync                 ID = 26
	Mincore               ID = 27
	Madvise               ID = 28
	Shmget                ID = 29
	Shmat                 ID = 30
	Shmctl                ID = 31
	Dup                   ID = 32
	Dup2                  ID = 33
	Pause                 ID = 34
	Nanosleep             ID = 35
	Getitimer             ID = 36
	Alarm                 ID = 37
	Setitimer             ID = 38
	Getpid                ID = 39
	Sendfile              ID = 40
	Socket                ID = 41
	Connect               ID = 42
	Accept                ID = 43
	Sendto                ID = 44
	Recvfrom              ID = 45
	Sendmsg               ID = 46
	Recvmsg               ID = 47
	Shutdown              ID = 48
	Bind                  ID = 49
	Listen                ID = 50
	Getsockname           ID = 51
	Getpeername           ID = 52
	Socketpair            ID = 53
	Setsockopt            ID = 54
	Getsockopt            ID = 55
	Clone                 ID = 56
	Fork                  ID = 57
	Vfork                 ID = 58
	Execve                ID = 59
	Exit                  ID = 60
	Wait4                 ID = 61
	Kill                  ID = 62
	Uname                 ID = 63
	Semget                ID = 64
	Semop                 ID = 65
	Semctl                ID = 66
	Shmdt                 ID = 67
	Msgget                ID = 68
	Msgsnd                ID = 69
	Msgrcv                ID = 70
	Msgctl                ID = 71
	Fcntl                 ID = 72
	Flock                 ID = 73
	Fsync                 ID = 74
	Fdatasync             ID = 75
	Truncate              ID = 76
	Ftruncate             ID = 77
	Getdents              ID = 78
	Getcwd                ID = 79
	Chdir                 ID = 80
	Fchdir                ID = 81
	Rename                ID = 82
	Mkdir                 ID = 83
	Rmdir                 ID = 84
	Creat                 ID = 85
	Link                  ID = 86
	Unlink                ID = 87
	Symlink               ID = 88
	Readlink              ID = 89
	Chmod                 ID = 90
	Fchmod                ID = 91
	Chown                 ID = 92
	Fchown                ID = 93
	Lchown                ID = 94
	Umask                 ID = 95
	Gettimeofday          ID = 96
	Getrlimit             ID = 97
	Getrusage             ID = 98
	Sysinfo               ID = 99
	Times                 ID = 100
	Ptrace                ID = 101
	Getuid                ID = 102
	Syslog                ID = 103
	Getgid                ID = 104
	Setuid                ID = 105
	Setgid                ID = 106
	Geteuid               ID = 107
	Getegid               ID = 108
	Setpgid               ID = 109
	Getppid               ID = 110
	Getpgrp               ID = 111
	Setsid                ID = 112
	Setreuid              ID = 113
	Setregid              ID = 114
	Getgroups             ID = 115
	Setgroups             ID = 116
	Setresuid             ID = 117
	Getresuid             ID = 118
	Setresgid             ID = 119
	Getresgid             ID = 120
	Getpgid               ID = 121
	Setfsuid              ID = 122
	Setfsgid              ID = 123
	Getsid                ID = 124
	Capget                ID = 125
	Capset                ID = 126
	RtSigpending          ID = 127
	RtSigtimedwait        ID = 128
	RtSigqueueinfo        ID = 129
	RtSigsuspend          ID = 130
	Sigaltstack           ID = 131
	Utime                 ID = 132
	Mknod                 ID = 133
	Uselib                ID = 134
	Personality           ID = 135
	Ustat                 ID = 136
	Statfs                ID = 137
	Fstatfs               ID = 138
	Sysfs                 ID = 139
	Getpriority           ID = 140
	Setpriority           ID = 141
	SchedSetparam         ID = 142
	SchedGetparam         ID = 143
	SchedSetscheduler     ID = 144
	SchedGetscheduler     ID = 145
	SchedGetPriorityMax   ID = 146
	SchedGetPriorityMin   ID = 147
	SchedRrGetInterval    ID = 148
	Mlock                 ID = 149
	Munlock               ID = 150
	Mlockall              ID = 151
	Munlockall            ID = 152
	Vhangup               ID = 153
	ModifyLdt             ID = 154
	PivotRoot             ID = 155
	Sysctl                ID = 156
	Prctl                 ID = 157
	ArchPrctl             ID = 158
	Adjtimex              ID = 159
	Setrlimit             ID = 160
	Chroot                ID = 161
	Sync                  ID = 162
	Acct                  ID = 163
	Settimeofday          ID = 164
	Mount                 ID = 165
	Umount2               ID = 166
	Swapon                ID = 167
	Swapoff               ID = 168
	Reboot                ID = 169
	Sethostname           ID = 170
	Setdomainname         ID = 171
	Iopl                  ID = 172
	Ioperm                ID = 173
	CreateModule          ID = 174
	InitModule            ID = 175
	DeleteModule          ID = 176
	GetKernelSyms         ID = 177
	QueryModule           ID = 178
	Quotactl              ID = 179
	Nfsservctl            ID = 180
	Getpmsg               ID = 181
	Putpmsg               ID = 182
	Afs                   ID = 183
	Tuxcall               ID = 184
	Security              ID = 185
	Gettid                ID = 186
	Readahead             ID = 187
	Setxattr              ID = 188
	Lsetxattr             ID = 189
	Fsetxattr             ID = 190
	Getxattr              ID = 191
	Lgetxattr             ID = 192
	Fgetxattr             ID = 193
	Listxattr             ID = 194
	Llistxattr            ID = 195
	Flistxattr            ID = 196
	Removexattr           ID = 197
	Lremovexattr          ID = 198
	Fremovexattr          ID = 199
	Tkill                 ID = 200
	Time                  ID = 201
	Futex                 ID = 202
	SchedSetaffinity      ID = 203
	SchedGetaffinity      ID = 204
	SetThreadArea         ID = 205
	IoSetup               ID = 206
	IoDestroy             ID = 207
	IoGetevents           ID = 208
	IoSubmit              ID = 209
	IoCancel              ID = 210
	GetThreadArea         ID = 211
	EpollCreate           ID = 213
	EpollCtlOld           ID = 214
	EpollWaitOld          ID = 215
	RemapFilePages        ID = 216
	Getdents64            ID = 217
	SetTidAddress         ID = 218
	RestartSyscall        ID = 219
	Semtimedop            ID = 220
	Fadvise64             ID = 221
	TimerCreate           ID = 222
	TimerSettime          ID = 223
	TimerGettime          ID = 224
	TimerGetoverrun       ID = 225
	TimerDelete           ID = 226
	ClockSettime          ID = 227
	ClockGettime          ID = 228
	ClockGetres           ID = 229
	ClockNanosleep        ID = 230
	ExitGroup             ID = 231
	EpollWait             ID = 232
	EpollCtl              ID = 233
	Tgkill                ID = 234
	Utimes                ID = 235
	Vserver               ID = 236
	Mbind                 ID = 237
	SetMempolicy          ID = 238
	GetMempolicy          ID = 239
	MqOpen                ID = 240
	MqUnlink              ID = 241
	MqTimedsend           ID = 242
	MqTimedreceive        ID = 243
	MqNotify              ID = 244
	MqGetsetattr          ID = 245
	KexecLoad             ID = 246
	Waitid                ID = 247
	AddKey                ID = 248
	RequestKey            ID = 249
	Keyctl                ID = 250
	IoprioSet             ID = 251
	IoprioGet             ID = 252
	InotifyInit           ID = 253
	InotifyAddWatch       ID = 254
	InotifyRmWatch        ID = 255
	MigratePages          ID = 256
	Openat                ID = 257
	Mkdirat               ID = 258
	Mknodat               ID = 259
	Fchownat              ID = 260
	Futimesat             ID = 261
	Newfstatat            ID = 262
	Unlinkat              ID = 263
	Renameat              ID = 264
	Linkat                ID = 265
	Symlinkat             ID = 266
	Readlinkat            ID = 267
	Fchmodat              ID = 268
	Faccessat             ID = 269
	Pselect6              ID = 270
	Ppoll                 ID = 271
	SetRobustList         ID = 273
	GetRobustList         ID = 274
	Splice                ID = 275
	Tee                   ID = 276
	SyncFileRange         ID = 277
	Vmsplice              ID = 278
	MovePages             ID = 279
	Utimensat             ID = 280
	EpollPwait            ID = 281
	Signalfd              ID = 282
	TimerfdCreate         ID = 283
	Eventfd               ID = 284
	Fallocate             ID = 285
	TimerfdSettime        ID = 286
	TimerfdGettime        ID = 287
	Accept4               ID = 288
	Signalfd4             ID = 289
	Eventfd2              ID = 290
	EpollCreate1          ID = 291
	Dup3                  ID = 292
	Pipe2                 ID = 293
	InotifyInit1          ID = 294
	Preadv                ID = 295
	Pwritev               ID = 296
	RtTgsigqueueinfo      ID = 297
	PerfEventOpen         ID = 298
	Recvmmsg              ID = 299
	FanotifyInit          ID = 300
	FanotifyMark          ID = 301
	Prlimit64             ID = 302
	NameToHandleAt        ID = 303
	OpenByHandleAt        ID = 304
	ClockAdjtime          ID = 305
	Syncfs                ID = 306
	Sendmmsg              ID = 307
	Setns                 ID = 308
	Getcpu                ID = 309
	ProcessVmReadv        ID = 310
	ProcessVmWritev       ID = 311
	Kcmp                  ID = 312
	FinitModule           ID = 313
	SchedSetattr          ID = 314
	SchedGetattr          ID = 315
	Renameat2             ID = 316
	Seccomp               ID = 317
	Getrandom             ID = 318
	MemfdCreate           ID = 319
	KexecFileLoad         ID = 320
	Bpf                   ID = 321
	Execveat              ID = 322
	Userfaultfd           ID = 323
	Membarrier            ID = 324
	Mlock2                ID = 325
	CopyFileRange         ID = 326
	Preadv2               ID = 327
	Pwritev2              ID = 328
	PkeyMprotect          ID = 329
	PkeyAlloc             ID = 330
	PkeyFree              ID = 331
	Statx                 ID = 332
	IoPgetevents          ID = 333
	Rseq                  ID = 334
	// 335 through 423 are unassigned to sync up with generic numbers
	PidfdSendSignal       ID = 424
	IoUringSetup          ID = 425
	IoUringEnter          ID = 426
	IoUringRegister       ID = 427
	OpenTree              ID = 428
	MoveMount             ID = 429
	Fsopen                ID = 430
	Fsconfig              ID = 431
	Fsmount               ID = 432
	Fspick                ID = 433
	PidfdOpen             ID = 434
	Clone3                ID = 435
	CloseRange            ID = 436
	Openat2               ID = 437
	PidfdGetfd            ID = 438
	Faccessat2            ID = 439
	ProcessMadvise        ID = 440
	EpollPwait2           ID = 441
	MountSetatt           ID = 442
	QuotactlFd            ID = 443
	LandlockCreateRuleset ID = 444
	LandlockAddRule       ID = 445
	LandloclRestrictSet   ID = 446
	MemfdSecret           ID = 447
	ProcessMrelease       ID = 448
	MaxSyscallID          ID = 449
)
```

x86 64-bit syscall numbers, also used as event IDs. See https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
```go
const (
	Waitpid ID = iota + Unique32BitSyscallsStartID
	Oldfstat
	Break
	Oldstat
	Umount
	Stime
	Stty
	Gtty
	Nice
	Ftime
	Prof
	Signal
	Lock
	Mpx
	Ulimit
	Oldolduname
	Sigaction
	Sgetmask
	Ssetmask
	Sigsuspend
	Sigpending
	Oldlstat
	Readdir
	Profil
	Socketcall
	Olduname
	Idle
	Vm86old
	Ipc
	Sigreturn
	Sigprocmask
	Bdflush
	Afs_syscall
	Llseek
	OldSelect
	Vm86
	OldGetrlimit
	Mmap2
	Truncate64
	Ftruncate64
	Stat64
	Lstat64
	Fstat64
	Lchown16
	Getuid16
	Getgid16
	Geteuid16
	Getegid16
	Setreuid16
	Setregid16
	Getgroups16
	Setgroups16
	Fchown16
	Setresuid16
	Getresuid16
	Setresgid16
	Getresgid16
	Chown16
	Setuid16
	Setgid16
	Setfsuid16
	Setfsgid16
	Fcntl64
	Sendfile32
	Statfs64
	Fstatfs64
	Fadvise64_64
	ClockGettime32
	ClockSettime32
	ClockAdjtime64
	ClockGetresTime32
	ClockNanosleepTime32
	TimerGettime32
	TimerSettime32
	TimerfdGettime32
	TimerfdSettime32
	UtimensatTime32
	Pselect6Time32
	PpollTime32
	IoPgeteventsTime32
	RecvmmsgTime32
	MqTimedsendTime32
	MqTimedreceiveTime32
	RtSigtimedwaitTime32
	FutexTime32
	SchedRrGetInterval32
	Unique32BitSyscallsEndID
)
```

Set of event IDs for 32-bit syscalls which have no parallel 64-bit syscall.
```go
const (
	NetPacket ID = iota + 700
	DnsRequest
	DnsResponse
	MaxNetID
	SysEnter
	SysExit
	SchedProcessFork
	SchedProcessExec
	SchedProcessExit
	SchedSwitch
	DoExit
	CapCapable
	VfsWrite
	VfsWritev
	MemProtAlert
	CommitCreds
	SwitchTaskNS
	MagicWrite
	CgroupAttachTask
	CgroupMkdir
	CgroupRmdir
	SecurityBprmCheck
	SecurityFileOpen
	SecurityInodeUnlink
	SecuritySocketCreate
	SecuritySocketListen
	SecuritySocketConnect
	SecuritySocketAccept
	SecuritySocketBind
	SecuritySocketSetsockopt
	SecuritySbMount
	SecurityBPF
	SecurityBPFMap
	SecurityKernelReadFile
	SecurityInodeMknod
	SecurityPostReadFile
	SecurityInodeSymlinkEventId
	SecurityMmapFile
	SecurityFileMprotect
	SocketDup
	HiddenInodes
	KernelWrite
	ProcCreate
	KprobeAttach
	CallUsermodeHelper
	DirtyPipeSplice
	DebugfsCreateFile
	PrintSyscallTable
	DebugfsCreateDir
	DeviceAdd
	RegisterChrdev
	DoInitModule
	SocketAccept
	LoadElfPhdrs
	HookedProcFops
	PrintNetSeqOps
	TaskRename
	SymbolsLoaded
	SecurityInodeRename
	MaxCommonID
	DebugNetSecurityBind
	DebugNetUdpSendmsg
	DebugNetUdpDisconnect
	DebugNetUdpDestroySock
	DebugNetUdpV6DestroySock
	DebugNetInetSockSetState
	DebugNetTcpConnect
	MaxDebugID
)
```

Common events (used by all architectures). Event IDs should match the values defined in the eBPF code.
```go
const (
	InitNamespaces ID = iota + 2000
	ContainerCreate
	ContainerRemove
	ExistingContainer
	HookedSyscalls
	HookedSeqOps
	MaxUserSpace
)
```

Events originating from user space.
```go
const (
	CaptureFileWrite ID = iota + 4000
	CaptureExec
	CaptureModule
	CaptureMem
	CaptureProfile
	CapturePcap
)
```

Capture meta-events.
func SyscallsToCheck ¶
```go
func SyscallsToCheck() []ID
```
Source Files ¶
Directories ¶
Path | Synopsis
---|---
queue | Package queue defines the interface and implementation of a queue for events storage.
sorting | Package sorting is responsible for sorting incoming events from the BPF programs chronologically.