events

package
v0.8.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 6, 2022 License: Apache-2.0 Imports: 18 Imported by: 1

Documentation

Overview

Invoked tracee-ebpf events from user mode This utility can prove itself useful to generate information needed by signatures that is not provided by normal events in the kernel. Because the events in the kernel are invoked by other programs behavior, we cannot anticipate which events will be invoked and as a result what information will be extracted. This is critical because tracee-rules is independent, and doesn't have to run on the same machine as tracee-ebpf. This means that tracee-rules might lack basic information of the operating machine needed for some signatures. By creating user mode events this information could be intentionally collected and passed to tracee-ebpf afterwards.

Index

Constants

View Source
const (
	CaptureIface int32 = 1 << iota
	TraceIface
)
View Source
const InitProcNsDir = "/proc/1/ns"
View Source
const Unique32BitSyscallsStartID = 3000

Variables

View Source
var Definitions = eventDefinitions{
	// contains filtered or unexported fields
}

Functions

func Derive

func Derive(event trace.Event, derivationTable DerivationTable) ([]trace.Event, []error)

Derive takes a trace.Event and checks if it can derive additional events from it as defined by tracee's eventDerivations map. The map is initialized in the above function

func ExistingContainersEvents

func ExistingContainersEvents(containers *containers.Containers, enrich bool) []trace.Event

ExistingContainersEvents returns a list of events for each existing container

func GetArg

func GetArg(event *trace.Event, argName string) *trace.Argument

func InitNamespacesEvent

func InitNamespacesEvent() trace.Event

InitNamespacesEvent collect the init process namespaces and create event from them.

func ParseArgs

func ParseArgs(event *trace.Event) error

func ParseArgsFDs added in v0.8.2

func ParseArgsFDs(event *trace.Event, fdArgPathMap *bpf.BPFMap) error

func RequiredCapabilities

func RequiredCapabilities(events []ID) []cap.Value

Types

type DerivationTable

type DerivationTable map[ID]map[ID]struct {
	Function DeriveFunction
	Enabled  bool //practically this field is to drop derivation of unneeded events
}

DerivationTable defines a table between events and events they can be derived into corresponding to some deriveFn

type DeriveFunction

type DeriveFunction func(trace.Event) ([]trace.Event, []error)

DeriveFunction is a function prototype for a function that receives an event as argument and may produce a new event if relevant. It returns a derived or empty event, depending on successful derivation, and an error if one occurred.

type Event

type Event struct {
	ID32Bit      ID
	Name         string
	DocPath      string // Relative to the 'doc/events' directory
	Internal     bool
	Syscall      bool
	Probes       []probeDependency
	Dependencies dependencies
	Sets         []string
	Params       []trace.ArgMeta
}

Event is a struct describing an event configuration

type ID

type ID int32
const (
	Read                ID = 0
	Write               ID = 1
	Open                ID = 2
	Close               ID = 3
	Stat                ID = 4
	Fstat               ID = 5
	Lstat               ID = 6
	Poll                ID = 7
	Lseek               ID = 8
	Mmap                ID = 9
	Mprotect            ID = 10
	Munmap              ID = 11
	Brk                 ID = 12
	RtSigaction         ID = 13
	RtSigprocmask       ID = 14
	RtSigreturn         ID = 15
	Ioctl               ID = 16
	Pread64             ID = 17
	Pwrite64            ID = 18
	Readv               ID = 19
	Writev              ID = 20
	Access              ID = 21
	Pipe                ID = 22
	Select              ID = 23
	SchedYield          ID = 24
	Mremap              ID = 25
	Msync               ID = 26
	Mincore             ID = 27
	Madvise             ID = 28
	Shmget              ID = 29
	Shmat               ID = 30
	Shmctl              ID = 31
	Dup                 ID = 32
	Dup2                ID = 33
	Pause               ID = 34
	Nanosleep           ID = 35
	Getitimer           ID = 36
	Alarm               ID = 37
	Setitimer           ID = 38
	Getpid              ID = 39
	Sendfile            ID = 40
	Socket              ID = 41
	Connect             ID = 42
	Accept              ID = 43
	Sendto              ID = 44
	Recvfrom            ID = 45
	Sendmsg             ID = 46
	Recvmsg             ID = 47
	Shutdown            ID = 48
	Bind                ID = 49
	Listen              ID = 50
	Getsockname         ID = 51
	Getpeername         ID = 52
	Socketpair          ID = 53
	Setsockopt          ID = 54
	Getsockopt          ID = 55
	Clone               ID = 56
	Fork                ID = 57
	Vfork               ID = 58
	Execve              ID = 59
	Exit                ID = 60
	Wait4               ID = 61
	Kill                ID = 62
	Uname               ID = 63
	Semget              ID = 64
	Semop               ID = 65
	Semctl              ID = 66
	Shmdt               ID = 67
	Msgget              ID = 68
	Msgsnd              ID = 69
	Msgrcv              ID = 70
	Msgctl              ID = 71
	Fcntl               ID = 72
	Flock               ID = 73
	Fsync               ID = 74
	Fdatasync           ID = 75
	Truncate            ID = 76
	Ftruncate           ID = 77
	Getdents            ID = 78
	Getcwd              ID = 79
	Chdir               ID = 80
	Fchdir              ID = 81
	Rename              ID = 82
	Mkdir               ID = 83
	Rmdir               ID = 84
	Creat               ID = 85
	Link                ID = 86
	Unlink              ID = 87
	Symlink             ID = 88
	Readlink            ID = 89
	Chmod               ID = 90
	Fchmod              ID = 91
	Chown               ID = 92
	Fchown              ID = 93
	Lchown              ID = 94
	Umask               ID = 95
	Gettimeofday        ID = 96
	Getrlimit           ID = 97
	Getrusage           ID = 98
	Sysinfo             ID = 99
	Times               ID = 100
	Ptrace              ID = 101
	Getuid              ID = 102
	Syslog              ID = 103
	Getgid              ID = 104
	Setuid              ID = 105
	Setgid              ID = 106
	Geteuid             ID = 107
	Getegid             ID = 108
	Setpgid             ID = 109
	Getppid             ID = 110
	Getpgrp             ID = 111
	Setsid              ID = 112
	Setreuid            ID = 113
	Setregid            ID = 114
	Getgroups           ID = 115
	Setgroups           ID = 116
	Setresuid           ID = 117
	Getresuid           ID = 118
	Setresgid           ID = 119
	Getresgid           ID = 120
	Getpgid             ID = 121
	Setfsuid            ID = 122
	Setfsgid            ID = 123
	Getsid              ID = 124
	Capget              ID = 125
	Capset              ID = 126
	RtSigpending        ID = 127
	RtSigtimedwait      ID = 128
	RtSigqueueinfo      ID = 129
	RtSigsuspend        ID = 130
	Sigaltstack         ID = 131
	Utime               ID = 132
	Mknod               ID = 133
	Uselib              ID = 134
	Personality         ID = 135
	Ustat               ID = 136
	Statfs              ID = 137
	Fstatfs             ID = 138
	Sysfs               ID = 139
	Getpriority         ID = 140
	Setpriority         ID = 141
	SchedSetparam       ID = 142
	SchedGetparam       ID = 143
	SchedSetscheduler   ID = 144
	SchedGetscheduler   ID = 145
	SchedGetPriorityMax ID = 146
	SchedGetPriorityMin ID = 147
	SchedRrGetInterval  ID = 148
	Mlock               ID = 149
	Munlock             ID = 150
	Mlockall            ID = 151
	Munlockall          ID = 152
	Vhangup             ID = 153
	ModifyLdt           ID = 154
	PivotRoot           ID = 155
	Sysctl              ID = 156
	Prctl               ID = 157
	ArchPrctl           ID = 158
	Adjtimex            ID = 159
	Setrlimit           ID = 160
	Chroot              ID = 161
	Sync                ID = 162
	Acct                ID = 163
	Settimeofday        ID = 164
	Mount               ID = 165
	Umount2             ID = 166
	Swapon              ID = 167
	Swapoff             ID = 168
	Reboot              ID = 169
	Sethostname         ID = 170
	Setdomainname       ID = 171
	Iopl                ID = 172
	Ioperm              ID = 173
	CreateModule        ID = 174
	InitModule          ID = 175
	DeleteModule        ID = 176
	GetKernelSyms       ID = 177
	QueryModule         ID = 178
	Quotactl            ID = 179
	Nfsservctl          ID = 180
	Getpmsg             ID = 181
	Putpmsg             ID = 182
	Afs                 ID = 183
	Tuxcall             ID = 184
	Security            ID = 185
	Gettid              ID = 186
	Readahead           ID = 187
	Setxattr            ID = 188
	Lsetxattr           ID = 189
	Fsetxattr           ID = 190
	Getxattr            ID = 191
	Lgetxattr           ID = 192
	Fgetxattr           ID = 193
	Listxattr           ID = 194
	Llistxattr          ID = 195
	Flistxattr          ID = 196
	Removexattr         ID = 197
	Lremovexattr        ID = 198
	Fremovexattr        ID = 199
	Tkill               ID = 200
	Time                ID = 201
	Futex               ID = 202
	SchedSetaffinity    ID = 203
	SchedGetaffinity    ID = 204
	SetThreadArea       ID = 205
	IoSetup             ID = 206
	IoDestroy           ID = 207
	IoGetevents         ID = 208
	IoSubmit            ID = 209
	IoCancel            ID = 210
	GetThreadArea       ID = 211
	LookupDcookie       ID = 212
	EpollCreate         ID = 213
	EpollCtlOld         ID = 214
	EpollWaitOld        ID = 215
	RemapFilePages      ID = 216
	Getdents64          ID = 217
	SetTidAddress       ID = 218
	RestartSyscall      ID = 219
	Semtimedop          ID = 220
	Fadvise64           ID = 221
	TimerCreate         ID = 222
	TimerSettime        ID = 223
	TimerGettime        ID = 224
	TimerGetoverrun     ID = 225
	TimerDelete         ID = 226
	ClockSettime        ID = 227
	ClockGettime        ID = 228
	ClockGetres         ID = 229
	ClockNanosleep      ID = 230
	ExitGroup           ID = 231
	EpollWait           ID = 232
	EpollCtl            ID = 233
	Tgkill              ID = 234
	Utimes              ID = 235
	Vserver             ID = 236
	Mbind               ID = 237
	SetMempolicy        ID = 238
	GetMempolicy        ID = 239
	MqOpen              ID = 240
	MqUnlink            ID = 241
	MqTimedsend         ID = 242
	MqTimedreceive      ID = 243
	MqNotify            ID = 244
	MqGetsetattr        ID = 245
	KexecLoad           ID = 246
	Waitid              ID = 247
	AddKey              ID = 248
	RequestKey          ID = 249
	Keyctl              ID = 250
	IoprioSet           ID = 251
	IoprioGet           ID = 252
	InotifyInit         ID = 253
	InotifyAddWatch     ID = 254
	InotifyRmWatch      ID = 255
	MigratePages        ID = 256
	Openat              ID = 257
	Mkdirat             ID = 258
	Mknodat             ID = 259
	Fchownat            ID = 260
	Futimesat           ID = 261
	Newfstatat          ID = 262
	Unlinkat            ID = 263
	Renameat            ID = 264
	Linkat              ID = 265
	Symlinkat           ID = 266
	Readlinkat          ID = 267
	Fchmodat            ID = 268
	Faccessat           ID = 269
	Pselect6            ID = 270
	Ppoll               ID = 271
	Unshare             ID = 272
	SetRobustList       ID = 273
	GetRobustList       ID = 274
	Splice              ID = 275
	Tee                 ID = 276
	SyncFileRange       ID = 277
	Vmsplice            ID = 278
	MovePages           ID = 279
	Utimensat           ID = 280
	EpollPwait          ID = 281
	Signalfd            ID = 282
	TimerfdCreate       ID = 283
	Eventfd             ID = 284
	Fallocate           ID = 285
	TimerfdSettime      ID = 286
	TimerfdGettime      ID = 287
	Accept4             ID = 288
	Signalfd4           ID = 289
	Eventfd2            ID = 290
	EpollCreate1        ID = 291
	Dup3                ID = 292
	Pipe2               ID = 293
	InotifyInit1        ID = 294
	Preadv              ID = 295
	Pwritev             ID = 296
	RtTgsigqueueinfo    ID = 297
	PerfEventOpen       ID = 298
	Recvmmsg            ID = 299
	FanotifyInit        ID = 300
	FanotifyMark        ID = 301
	Prlimit64           ID = 302
	NameToHandleAt      ID = 303
	OpenByHandleAt      ID = 304
	ClockAdjtime        ID = 305
	Syncfs              ID = 306
	Sendmmsg            ID = 307
	Setns               ID = 308
	Getcpu              ID = 309
	ProcessVmReadv      ID = 310
	ProcessVmWritev     ID = 311
	Kcmp                ID = 312
	FinitModule         ID = 313
	SchedSetattr        ID = 314
	SchedGetattr        ID = 315
	Renameat2           ID = 316
	Seccomp             ID = 317
	Getrandom           ID = 318
	MemfdCreate         ID = 319
	KexecFileLoad       ID = 320
	Bpf                 ID = 321
	Execveat            ID = 322
	Userfaultfd         ID = 323
	Membarrier          ID = 324
	Mlock2              ID = 325
	CopyFileRange       ID = 326
	Preadv2             ID = 327
	Pwritev2            ID = 328
	PkeyMprotect        ID = 329
	PkeyAlloc           ID = 330
	PkeyFree            ID = 331
	Statx               ID = 332
	IoPgetevents        ID = 333
	Rseq                ID = 334
	// 335 through 423 are unassigned to sync up with generic numbers
	PidfdSendSignal       ID = 424
	IoUringSetup          ID = 425
	IoUringEnter          ID = 426
	IoUringRegister       ID = 427
	OpenTree              ID = 428
	MoveMount             ID = 429
	Fsopen                ID = 430
	Fsconfig              ID = 431
	Fsmount               ID = 432
	Fspick                ID = 433
	PidfdOpen             ID = 434
	Clone3                ID = 435
	CloseRange            ID = 436
	Openat2               ID = 437
	PidfdGetfd            ID = 438
	Faccessat2            ID = 439
	ProcessMadvise        ID = 440
	EpollPwait2           ID = 441
	MountSetatt           ID = 442
	QuotactlFd            ID = 443
	LandlockCreateRuleset ID = 444
	LandlockAddRule       ID = 445
	LandloclRestrictSet   ID = 446
	MemfdSecret           ID = 447
	ProcessMrelease       ID = 448
	MaxSyscallID          ID = 449
)

x86 64bit syscall numbers Also used as event IDs https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl

const (
	Waitpid ID = iota + Unique32BitSyscallsStartID
	Oldfstat
	Break
	Oldstat
	Umount
	Stime
	Stty
	Gtty
	Nice
	Ftime
	Prof
	Signal
	Lock
	Mpx
	Ulimit
	Oldolduname
	Sigaction
	Sgetmask
	Ssetmask
	Sigsuspend
	Sigpending
	Oldlstat
	Readdir
	Profil
	Socketcall
	Olduname
	Idle
	Vm86old
	Ipc
	Sigreturn
	Sigprocmask
	Bdflush
	Afs_syscall
	Llseek
	OldSelect
	Vm86
	OldGetrlimit
	Mmap2
	Truncate64
	Ftruncate64
	Stat64
	Lstat64
	Fstat64
	Lchown16
	Getuid16
	Getgid16
	Geteuid16
	Getegid16
	Setreuid16
	Setregid16
	Getgroups16
	Setgroups16
	Fchown16
	Setresuid16
	Getresuid16
	Setresgid16
	Getresgid16
	Chown16
	Setuid16
	Setgid16
	Setfsuid16
	Setfsgid16
	Fcntl64
	Sendfile32
	Statfs64
	Fstatfs64
	Fadvise64_64
	ClockGettime32
	ClockSettime32
	ClockAdjtime64
	ClockGetresTime32
	ClockNanosleepTime32
	TimerGettime32
	TimerSettime32
	TimerfdGettime32
	TimerfdSettime32
	UtimensatTime32
	Pselect6Time32
	PpollTime32
	IoPgeteventsTime32
	RecvmmsgTime32
	MqTimedsendTime32
	MqTimedreceiveTime32
	RtSigtimedwaitTime32
	FutexTime32
	SchedRrGetInterval32
	Unique32BitSyscallsEndID
)

Set of events IDs for 32bit syscalls which have no parallel 64bit syscall

const (
	NetPacket ID = iota + 700
	DnsRequest
	DnsResponse
	MaxNetID
	SysEnter
	SysExit
	SchedProcessFork
	SchedProcessExec
	SchedProcessExit
	SchedSwitch
	DoExit
	CapCapable
	VfsWrite
	VfsWritev
	MemProtAlert
	CommitCreds
	SwitchTaskNS
	MagicWrite
	CgroupAttachTask
	CgroupMkdir
	CgroupRmdir
	SecurityBprmCheck
	SecurityFileOpen
	SecurityInodeUnlink
	SecuritySocketCreate
	SecuritySocketListen
	SecuritySocketConnect
	SecuritySocketAccept
	SecuritySocketBind
	SecuritySocketSetsockopt
	SecuritySbMount
	SecurityBPF
	SecurityBPFMap
	SecurityKernelReadFile
	SecurityInodeMknod
	SecurityPostReadFile
	SecurityInodeSymlinkEventId
	SecurityMmapFile
	SecurityFileMprotect
	SocketDup
	HiddenInodes
	KernelWrite
	ProcCreate
	KprobeAttach
	CallUsermodeHelper
	DirtyPipeSplice
	DebugfsCreateFile
	PrintSyscallTable
	DebugfsCreateDir
	DeviceAdd
	RegisterChrdev
	SharedObjectLoaded
	DoInitModule
	SocketAccept
	LoadElfPhdrs
	HookedProcFops
	PrintNetSeqOps
	TaskRename
	SymbolsLoaded
	SecurityInodeRename
	MaxCommonID
	DebugNetSecurityBind
	DebugNetUdpSendmsg
	DebugNetUdpDisconnect
	DebugNetUdpDestroySock
	DebugNetUdpV6DestroySock
	DebugNetInetSockSetState
	DebugNetTcpConnect
	MaxDebugID
)

Common events (used by all architectures) events should match defined values in ebpf code

const (
	InitNamespaces ID = iota + 2000
	ContainerCreate
	ContainerRemove
	ExistingContainer
	HookedSyscalls
	HookedSeqOps
	MaxUserSpace
)

Events originated from user-space

const (
	CaptureFileWrite ID = iota + 4000
	CaptureExec
	CaptureModule
	CaptureMem
	CaptureProfile
	CapturePcap
)

Capture meta-events

func SyscallsToCheck

func SyscallsToCheck() []ID

type TailCall

type TailCall struct {
	MapName  string
	MapIdx   uint32
	ProgName string
}

Directories

Path Synopsis
package queue defines the interface and and implementation of a queue for events storage.
package queue defines the interface and and implementation of a queue for events storage.
Package sorting is responsible for sorting incoming events from the BPF programs chronologically.
Package sorting is responsible for sorting incoming events from the BPF programs chronologically.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL