bufferdecoder

package v0.12.0

This package is not in the latest version of its module.
Published: Mar 3, 2023 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Overview

Package bufferdecoder implements simple translation between byte sequences and the user-defined structs.

The package favors efficiency over flexibility. The provided API allows fast decoding of the byte sequences sent by the Tracee eBPF program from kernel space to user space.

Package bufferdecoder implements the structs (in effect, the protocol) used in the communication between the eBPF code running in the kernel and the Tracee-eBPF user-space application.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func Print16BytesSliceIP

func Print16BytesSliceIP(in []byte) string

Print16BytesSliceIP prints the IP address encoded as a 16-byte-long slice. It would be more correct to accept a [16]byte instead of a variable-length slice, but that would cause unnecessary memory copying and type conversions.

func PrintUint32IP

func PrintUint32IP(in uint32) string

PrintUint32IP prints the IP address encoded as a uint32.

func ReadArgFromBuff

func ReadArgFromBuff(id events.ID, ebpfMsgDecoder *EbpfDecoder, params []trace.ArgMeta) (uint, trace.Argument, error)

ReadArgFromBuff reads the next argument from the buffer. It returns the index of the argument and the parsed argument.

func ReadByteSliceFromBuff

func ReadByteSliceFromBuff(ebpfMsgDecoder *EbpfDecoder, len int) ([]byte, error)

Types

type ArgType

type ArgType uint8

ArgType is an enum that encodes the argument types that the BPF program may write to the shared buffer. Argument types should match the values defined in the eBPF code.

func GetParamType

func GetParamType(paramType string) ArgType

type BinType

type BinType uint8

BinType is an enum that specifies the type of binary data sent in the file perf map. Binary types should match the values defined in the eBPF code.

const (
	SendVfsWrite BinType = iota + 1
	SendMprotect
	SendKernelModule
)

type ChunkMeta

type ChunkMeta struct {
	BinType  BinType
	CgroupID uint64
	Metadata [24]byte
	Size     int32
	Off      uint64
}

func (ChunkMeta) GetSizeBytes

func (ChunkMeta) GetSizeBytes() uint32

type Context

type Context struct {
	Ts            uint64
	StartTime     uint64
	CgroupID      uint64
	Pid           uint32
	Tid           uint32
	Ppid          uint32
	HostPid       uint32
	HostTid       uint32
	HostPpid      uint32
	Uid           uint32
	MntID         uint32
	PidID         uint32
	Comm          [16]byte
	UtsName       [16]byte
	Flags         uint32
	EventID       events.ID //int32
	Syscall       int32
	MatchedScopes uint64
	Retval        int64
	StackID       uint32
	ProcessorId   uint16
	Argnum        uint8
	// contains filtered or unexported fields
}

Context contains the common metadata that is collected for all event types. It is used to unmarshal binary data and therefore must match (bit by bit) the `context_t` struct in the eBPF code. NOTE: integers want to be aligned in memory, so when changing the format of this struct, keep the 1-byte Argnum as the final field before the padding (if padding is needed).

func (Context) GetSizeBytes

func (Context) GetSizeBytes() uint32

type EbpfDecoder

type EbpfDecoder struct {
	// contains filtered or unexported fields
}

func New

func New(rawBuffer []byte) *EbpfDecoder

New creates and initializes a new EbpfDecoder using rawBuffer as its initial content. The EbpfDecoder takes ownership of rawBuffer, and the caller should not use rawBuffer after this call. New is intended to prepare a buffer so that existing data can be read from it and translated into the protocol-defined structs. The protocol is specific to the Tracee eBPF program and the Tracee-eBPF user-space application.

func (*EbpfDecoder) BuffLen

func (decoder *EbpfDecoder) BuffLen() int

BuffLen returns the total length of the buffer owned by decoder.

func (*EbpfDecoder) DecodeBool

func (decoder *EbpfDecoder) DecodeBool(msg *bool) error

DecodeBool translates data from the decoder buffer, starting from the decoder cursor, to bool.

func (*EbpfDecoder) DecodeBytes

func (decoder *EbpfDecoder) DecodeBytes(msg []byte, size uint32) error

DecodeBytes copies size bytes from the decoder buffer, starting from the decoder cursor, into msg.

func (*EbpfDecoder) DecodeChunkMeta

func (decoder *EbpfDecoder) DecodeChunkMeta(chunkMeta *ChunkMeta) error

DecodeChunkMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.ChunkMeta struct.

func (*EbpfDecoder) DecodeContext

func (decoder *EbpfDecoder) DecodeContext(ctx *Context) error

DecodeContext translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.Context struct.

func (*EbpfDecoder) DecodeInt16

func (decoder *EbpfDecoder) DecodeInt16(msg *int16) error

DecodeInt16 translates data from the decoder buffer, starting from the decoder cursor, to int16.

func (*EbpfDecoder) DecodeInt32

func (decoder *EbpfDecoder) DecodeInt32(msg *int32) error

DecodeInt32 translates data from the decoder buffer, starting from the decoder cursor, to int32.

func (*EbpfDecoder) DecodeInt64

func (decoder *EbpfDecoder) DecodeInt64(msg *int64) error

DecodeInt64 translates data from the decoder buffer, starting from the decoder cursor, to int64.

func (*EbpfDecoder) DecodeInt8

func (decoder *EbpfDecoder) DecodeInt8(msg *int8) error

DecodeInt8 translates data from the decoder buffer, starting from the decoder cursor, to int8.

func (*EbpfDecoder) DecodeIntArray

func (decoder *EbpfDecoder) DecodeIntArray(msg []int32, size uint32) error

DecodeIntArray translates size * 4 bytes from the decoder buffer, starting from the decoder cursor, into msg (4 bytes per int32).

func (*EbpfDecoder) DecodeKernelModuleMeta

func (decoder *EbpfDecoder) DecodeKernelModuleMeta(kernelModuleMeta *KernelModuleMeta) error

DecodeKernelModuleMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.KernelModuleMeta struct.

func (*EbpfDecoder) DecodeMprotectWriteMeta

func (decoder *EbpfDecoder) DecodeMprotectWriteMeta(mprotectWriteMeta *MprotectWriteMeta) error

DecodeMprotectWriteMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.MprotectWriteMeta struct.

func (*EbpfDecoder) DecodeSlimCred

func (decoder *EbpfDecoder) DecodeSlimCred(slimCred *SlimCred) error

DecodeSlimCred translates data from the decoder buffer, starting from the decoder cursor, to SlimCred struct.

func (*EbpfDecoder) DecodeUint16

func (decoder *EbpfDecoder) DecodeUint16(msg *uint16) error

DecodeUint16 translates data from the decoder buffer, starting from the decoder cursor, to uint16.

func (*EbpfDecoder) DecodeUint16BigEndian

func (decoder *EbpfDecoder) DecodeUint16BigEndian(msg *uint16) error

DecodeUint16BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint16, interpreting the bytes in big-endian order.

func (*EbpfDecoder) DecodeUint32

func (decoder *EbpfDecoder) DecodeUint32(msg *uint32) error

DecodeUint32 translates data from the decoder buffer, starting from the decoder cursor, to uint32.

func (*EbpfDecoder) DecodeUint32BigEndian

func (decoder *EbpfDecoder) DecodeUint32BigEndian(msg *uint32) error

DecodeUint32BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint32, interpreting the bytes in big-endian order.

func (*EbpfDecoder) DecodeUint64

func (decoder *EbpfDecoder) DecodeUint64(msg *uint64) error

DecodeUint64 translates data from the decoder buffer, starting from the decoder cursor, to uint64.

func (*EbpfDecoder) DecodeUint64Array added in v0.8.0

func (decoder *EbpfDecoder) DecodeUint64Array(msg *[]uint64) error

DecodeUint64Array translates size * 8 bytes from the decoder buffer, starting from the decoder cursor, into *msg, where size is the number of elements in *msg (8 bytes per uint64).

func (*EbpfDecoder) DecodeUint8

func (decoder *EbpfDecoder) DecodeUint8(msg *uint8) error

DecodeUint8 translates data from the decoder buffer, starting from the decoder cursor, to uint8.

func (*EbpfDecoder) DecodeVfsWriteMeta

func (decoder *EbpfDecoder) DecodeVfsWriteMeta(vfsWriteMeta *VfsWriteMeta) error

DecodeVfsWriteMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.VfsWriteMeta struct.

func (*EbpfDecoder) ReadAmountBytes

func (decoder *EbpfDecoder) ReadAmountBytes() int

ReadAmountBytes returns the total number of bytes that decoder has read from its buffer so far.

type KernelModuleMeta

type KernelModuleMeta struct {
	DevID uint32
	Inode uint64
	Pid   uint32
	Size  uint64
}

func (KernelModuleMeta) GetSizeBytes

func (KernelModuleMeta) GetSizeBytes() uint32

type MprotectWriteMeta

type MprotectWriteMeta struct {
	Ts uint64
}

func (MprotectWriteMeta) GetSizeBytes

func (MprotectWriteMeta) GetSizeBytes() uint32

type SlimCred

type SlimCred struct {
	Uid            uint32 /* real UID of the task */
	Gid            uint32 /* real GID of the task */
	Suid           uint32 /* saved UID of the task */
	Sgid           uint32 /* saved GID of the task */
	Euid           uint32 /* effective UID of the task */
	Egid           uint32 /* effective GID of the task */
	Fsuid          uint32 /* UID for VFS ops */
	Fsgid          uint32 /* GID for VFS ops */
	UserNamespace  uint32 /* User Namespace of the event */
	SecureBits     uint32 /* SUID-less security management */
	CapInheritable uint64 /* caps our children can inherit */
	CapPermitted   uint64 /* caps we're permitted */
	CapEffective   uint64 /* caps we can actually use */
	CapBounding    uint64 /* capability bounding set */
	CapAmbient     uint64 /* Ambient capability set */
}

SlimCred is a slim version of the kernel's cred struct. It is used to unmarshal binary data and therefore must match (bit by bit) the `slim_cred_t` struct in the eBPF code. ANY CHANGE TO THIS STRUCT MUST ALSO BE MADE TO detect.SlimCred and bufferdecoder.SlimCred.

func (SlimCred) GetSizeBytes

func (s SlimCred) GetSizeBytes() uint32

type VfsWriteMeta

type VfsWriteMeta struct {
	DevID uint32
	Inode uint64
	Mode  uint32
	Pid   uint32
}

func (VfsWriteMeta) GetSizeBytes

func (VfsWriteMeta) GetSizeBytes() uint32
