bufferdecoder

package
v0.10.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 16, 2022 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package bufferdecoder implements simple translation between byte sequences and the user-defined structs.

The package favors efficiency over flexibility. The provided API allows fast decoding of byte sequence sent by the Tracee eBPF program from kernel-space to user-space.

Package bufferdecoder implements the structs (protocol indeed) used in the communication between code eBPF running in the Kernel and the Tracee-eBPF user-space application.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Print16BytesSliceIP 

func Print16BytesSliceIP(in []byte) string

Print16BytesSliceIP prints the IP address encoded as 16 bytes long PrintBytesSliceIP It would be more correct to accept a [16]byte instead of variable lenth slice, but that would cause unnecessary memory copying and type conversions

func PrintUint32IP 

func PrintUint32IP(in uint32) string

PrintUint32IP prints the IP address encoded as a uint32

func ReadArgFromBuff 

func ReadArgFromBuff(ebpfMsgDecoder *EbpfDecoder, params []trace.ArgMeta) (trace.ArgMeta, interface{}, error)

func ReadByteSliceFromBuff 

func ReadByteSliceFromBuff(ebpfMsgDecoder *EbpfDecoder, len int) ([]byte, error)

Types

type ArgType 

type ArgType uint8

argType is an enum that encodes the argument types that the BPF program may write to the shared buffer argument types should match defined values in ebpf code

func GetParamType 

func GetParamType(paramType string) ArgType

type BinType 

type BinType uint8

BinType is an enum that specifies the type of binary data sent in the file perf map binary types should match defined values in ebpf code 

const (
	SendVfsWrite BinType = iota + 1
	SendMprotect
	SendKernelModule
)

type ChunkMeta 

type ChunkMeta struct {
	BinType  BinType
	CgroupID uint64
	Metadata [24]byte
	Size     int32
	Off      uint64
}

func (ChunkMeta) GetSizeBytes 

func (ChunkMeta) GetSizeBytes() uint32

type Context 

type Context struct {
	Ts          uint64
	StartTime   uint64
	CgroupID    uint64
	Pid         uint32
	Tid         uint32
	Ppid        uint32
	HostPid     uint32
	HostTid     uint32
	HostPpid    uint32
	Uid         uint32
	MntID       uint32
	PidID       uint32
	Comm        [16]byte
	UtsName     [16]byte
	Flags       uint32
	EventID     events.ID //int32
	Pad2        [4]byte
	Retval      int64
	StackID     uint32
	ProcessorId uint16
	Argnum      uint8
	// contains filtered or unexported fields
}

Context struct contains common metadata that is collected for all types of events it is used to unmarshal binary data and therefore should match (bit by bit) to the `context_t` struct in the ebpf code. NOTE: Integers want to be aligned in memory, so if changing the format of this struct keep the 1-byte 'Argnum' as the final parameter before the padding (if padding is needed).

func (Context) GetSizeBytes 

func (Context) GetSizeBytes() uint32

type DnsAnswer added in v0.8.0 

type DnsAnswer struct {
	Type   string `json:"answerType"`
	Ttl    uint32 `json:"ttl"`
	Answer string `json:"answer"`
}

type DnsQueryData added in v0.8.0 

type DnsQueryData struct {
	Query      string `json:"query"`
	QueryType  string `json:"queryType"`
	QueryClass string `json:"queryClass"`
}

type DnsResponseData added in v0.8.0 

type DnsResponseData struct {
	QueryData DnsQueryData `json:"queryData"`
	DnsAnswer []DnsAnswer  `json:"dnsAnswer"`
}

type EbpfDecoder 

type EbpfDecoder struct {
	// contains filtered or unexported fields
}

func New 

func New(rawBuffer []byte) *EbpfDecoder

New creates and initializes a new EbpfDecoder using rawBuffer as its initial content. The EbpfDecoder takes ownership of rawBuffer, and the caller should not use rawBuffer after this call. New is intended to prepare a buffer to read existing data from it, translating it to protocol defined structs. The protocol is specific between the Trace eBPF program and the Tracee-eBPF user space application.

func (*EbpfDecoder) BuffLen 

func (decoder *EbpfDecoder) BuffLen() int

BuffLen returns the total length of the buffer owned by decoder.

func (*EbpfDecoder) DecodeBool 

func (decoder *EbpfDecoder) DecodeBool(msg *bool) error

DecodeBool translates data from the decoder buffer, starting from the decoder cursor, to bool.

func (*EbpfDecoder) DecodeBytes 

func (decoder *EbpfDecoder) DecodeBytes(msg []byte, size uint32) error

DecodeBytes copies from the decoder buffer, starting from the decoder cursor, to msg, size bytes.

func (*EbpfDecoder) DecodeChunkMeta 

func (decoder *EbpfDecoder) DecodeChunkMeta(chunkMeta *ChunkMeta) error

DecodeChunkMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.ChunkMeta struct.

func (*EbpfDecoder) DecodeContext 

func (decoder *EbpfDecoder) DecodeContext(ctx *Context) error

DecodeContext translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.Context struct.

func (*EbpfDecoder) DecodeDnsQueryArray added in v0.8.0 

func (decoder *EbpfDecoder) DecodeDnsQueryArray(questions *[]DnsQueryData) error

DecodeDnsQueryArray gets DNS layer from packet and parses DNS questions from it

func (*EbpfDecoder) DecodeDnsRepliesData added in v0.8.0 

func (decoder *EbpfDecoder) DecodeDnsRepliesData(responses *[]DnsResponseData) error

DecodeDnsRepliesData gets DNS layer from packet and parses DNS replies from it

func (*EbpfDecoder) DecodeInt16 

func (decoder *EbpfDecoder) DecodeInt16(msg *int16) error

DecodeInt16 translates data from the decoder buffer, starting from the decoder cursor, to int16.

func (*EbpfDecoder) DecodeInt32 

func (decoder *EbpfDecoder) DecodeInt32(msg *int32) error

DecodeInt32 translates data from the decoder buffer, starting from the decoder cursor, to int32.

func (*EbpfDecoder) DecodeInt64 

func (decoder *EbpfDecoder) DecodeInt64(msg *int64) error

DecodeInt64 translates data from the decoder buffer, starting from the decoder cursor, to int64.

func (*EbpfDecoder) DecodeInt8 

func (decoder *EbpfDecoder) DecodeInt8(msg *int8) error

DecodeInt8 translates data from the decoder buffer, starting from the decoder cursor, to int8.

func (*EbpfDecoder) DecodeIntArray 

func (decoder *EbpfDecoder) DecodeIntArray(msg []int32, size uint32) error

DecodeIntArray translate from the decoder buffer, starting from the decoder cursor, to msg, size * 4 bytes (in order to get int32).

func (*EbpfDecoder) DecodeKernelModuleMeta 

func (decoder *EbpfDecoder) DecodeKernelModuleMeta(kernelModuleMeta *KernelModuleMeta) error

DecodeKernelModuleMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.KernelModuleMeta struct.

func (*EbpfDecoder) DecodeMprotectWriteMeta 

func (decoder *EbpfDecoder) DecodeMprotectWriteMeta(mprotectWriteMeta *MprotectWriteMeta) error

DecodeMprotectWriteMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.MprotectWriteMeta struct.

func (*EbpfDecoder) DecodeNetCaptureData 

func (decoder *EbpfDecoder) DecodeNetCaptureData(netCaptureData *NetCaptureData) error

DecodeNetCaptureData parsing the NetCaptureData struct from byte array

func (*EbpfDecoder) DecodeNetEventMetadata 

func (decoder *EbpfDecoder) DecodeNetEventMetadata(eventMetaData *NetEventMetadata) error

DecodeNetEventMetadata parsing the NetEventMetadata struct from byte array

func (*EbpfDecoder) DecodeNetPacketEvent 

func (decoder *EbpfDecoder) DecodeNetPacketEvent(netPacketEvent *NetPacketEvent) error

DecodeNetPacketEvent parsing the NetPacketEvent struct from byte array

func (*EbpfDecoder) DecodeSlimCred 

func (decoder *EbpfDecoder) DecodeSlimCred(slimCred *SlimCred) error

DecodeSlimCred translates data from the decoder buffer, starting from the decoder cursor, to SlimCred struct.

func (*EbpfDecoder) DecodeUint16 

func (decoder *EbpfDecoder) DecodeUint16(msg *uint16) error

DecodeUint16 translates data from the decoder buffer, starting from the decoder cursor, to uint16.

func (*EbpfDecoder) DecodeUint16BigEndian 

func (decoder *EbpfDecoder) DecodeUint16BigEndian(msg *uint16) error

DecodeUint16BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint16.

func (*EbpfDecoder) DecodeUint32 

func (decoder *EbpfDecoder) DecodeUint32(msg *uint32) error

DecodeUint32 translates data from the decoder buffer, starting from the decoder cursor, to uint32.

func (*EbpfDecoder) DecodeUint32BigEndian 

func (decoder *EbpfDecoder) DecodeUint32BigEndian(msg *uint32) error

DecodeUint32BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint32.

func (*EbpfDecoder) DecodeUint64 

func (decoder *EbpfDecoder) DecodeUint64(msg *uint64) error

DecodeUint64 translates data from the decoder buffer, starting from the decoder cursor, to uint64.

func (*EbpfDecoder) DecodeUint64Array added in v0.8.0 

func (decoder *EbpfDecoder) DecodeUint64Array(msg *[]uint64) error

DecodeUint64Array translate from the decoder buffer, starting from the decoder cursor, to msg, size * 8 bytes (in order to get int64).

func (*EbpfDecoder) DecodeUint8 

func (decoder *EbpfDecoder) DecodeUint8(msg *uint8) error

DecodeUint8 translates data from the decoder buffer, starting from the decoder cursor, to uint8.

func (*EbpfDecoder) DecodeVfsWriteMeta 

func (decoder *EbpfDecoder) DecodeVfsWriteMeta(vfsWriteMeta *VfsWriteMeta) error

DecodeVfsWriteMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.VfsWriteMeta struct.

func (*EbpfDecoder) ReadAmountBytes 

func (decoder *EbpfDecoder) ReadAmountBytes() int

ReadAmountBytes returns the total amount of bytes that decoder has read from its buffer up until now.

type KernelModuleMeta 

type KernelModuleMeta struct {
	DevID uint32
	Inode uint64
	Pid   uint32
	Size  uint64
}

func (KernelModuleMeta) GetSizeBytes 

func (KernelModuleMeta) GetSizeBytes() uint32

type MprotectWriteMeta 

type MprotectWriteMeta struct {
	Ts uint64
}

func (MprotectWriteMeta) GetSizeBytes 

func (MprotectWriteMeta) GetSizeBytes() uint32

type NetCaptureData 

type NetCaptureData struct {
	PacketLength     uint32 `json:"pktLen"`
	ConfigIfaceIndex uint32 `json:"ifIndex"`
}

func (NetCaptureData) GetSizeBytes 

func (NetCaptureData) GetSizeBytes() uint32

type NetEventMetadata 

type NetEventMetadata struct {
	TimeStamp   uint64    `json:"timeStamp"`
	NetEventId  events.ID `json:"netEventId"` //int32
	HostTid     uint32    `json:"hostTid"`
	ProcessName [16]byte  `json:"processName"`
}

func (NetEventMetadata) GetSizeBytes 

func (NetEventMetadata) GetSizeBytes() uint32

type NetPacketEvent 

type NetPacketEvent struct {
	SrcIP    [16]byte
	DstIP    [16]byte
	SrcPort  uint16
	DstPort  uint16
	Protocol uint8
	// contains filtered or unexported fields
}

func (NetPacketEvent) GetSizeBytes 

func (NetPacketEvent) GetSizeBytes() uint32

type SlimCred 

type SlimCred struct {
	Uid            uint32 /* real UID of the task */
	Gid            uint32 /* real GID of the task */
	Suid           uint32 /* saved UID of the task */
	Sgid           uint32 /* saved GID of the task */
	Euid           uint32 /* effective UID of the task */
	Egid           uint32 /* effective GID of the task */
	Fsuid          uint32 /* UID for VFS ops */
	Fsgid          uint32 /* GID for VFS ops */
	UserNamespace  uint32 /* User Namespace of the of the event */
	SecureBits     uint32 /* SUID-less security management */
	CapInheritable uint64 /* caps our children can inherit */
	CapPermitted   uint64 /* caps we're permitted */
	CapEffective   uint64 /* caps we can actually use */
	CapBounding    uint64 /* capability bounding set */
	CapAmbient     uint64 /* Ambient capability set */
}

SlimCred struct is a slim version of the kernel's cred struct it is used to unmarshal binary data and therefore should match (bit by bit) to the `slim_cred_t` struct in the ebpf code. ANY CHANGE TO THIS STRUCT WILL BE REQUIRED ALSO TO detect.SlimCred and bufferdecoder.SlimCred

func (SlimCred) GetSizeBytes 

func (s SlimCred) GetSizeBytes() uint32

type VfsWriteMeta 

type VfsWriteMeta struct {
	DevID uint32
	Inode uint64
	Mode  uint32
	Pid   uint32
}

func (VfsWriteMeta) GetSizeBytes 

func (VfsWriteMeta) GetSizeBytes() uint32

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.