bufferdecoder

package v0.21.0
This package is not in the latest version of its module.
Published: Jun 20, 2024 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Overview

Package bufferdecoder implements simple translation between byte sequences and user-defined structs.

The package favors efficiency over flexibility. The provided API allows fast decoding of the byte sequences sent by the Tracee eBPF program from kernel space to user space.

Package bufferdecoder also defines the structs (in effect, the protocol) used in the communication between the eBPF code running in the kernel and the Tracee-eBPF user-space application.

Index

Constants

This section is empty.

Variables

var ErrBufferTooShort = errors.New("can't read context from buffer: buffer too short")

Functions

func Print16BytesSliceIP

func Print16BytesSliceIP(in []byte) string

Print16BytesSliceIP prints the IP address encoded as a 16-byte-long slice. It would be more correct to accept a [16]byte instead of a variable-length slice, but that would cause unnecessary memory copying and type conversions.

func PrintUint32IP

func PrintUint32IP(in uint32) string

PrintUint32IP prints the IP address encoded as a uint32.

func ReadByteSliceFromBuff

func ReadByteSliceFromBuff(ebpfMsgDecoder *EbpfDecoder, len int) ([]byte, error)

Types

type ArgType

type ArgType uint8

ArgType is an enum that encodes the argument types that the BPF program may write to the shared buffer. Argument types should match the values defined in the eBPF code.

func GetParamType

func GetParamType(paramType string) ArgType

type BinType

type BinType uint8

BinType is an enum that specifies the type of binary data sent in the file perf map. Binary types should match the values defined in the eBPF code.

const (
	SendVfsWrite BinType = iota + 1
	SendMprotect
	SendKernelModule
	SendBpfObject
	SendVfsRead
)

type BpfObjectMeta added in v0.13.0

type BpfObjectMeta struct {
	Name [16]byte
	Rand uint32
	Pid  uint32
	Size uint32
}

func (BpfObjectMeta) GetSizeBytes added in v0.13.0

func (BpfObjectMeta) GetSizeBytes() uint32

type ChunkMeta

type ChunkMeta struct {
	BinType  BinType
	CgroupID uint64
	Metadata [28]byte
	Size     int32
	Off      uint64
}

func (ChunkMeta) GetSizeBytes

func (ChunkMeta) GetSizeBytes() uint32

type EbpfDecoder

type EbpfDecoder struct {
	// contains filtered or unexported fields
}

func New

func New(rawBuffer []byte) *EbpfDecoder

New creates and initializes a new EbpfDecoder using rawBuffer as its initial content. The EbpfDecoder takes ownership of rawBuffer, and the caller should not use rawBuffer after this call. New is intended to prepare a buffer so that existing data can be read from it and translated into the protocol-defined structs. The protocol is specific to the Tracee eBPF program and the Tracee-eBPF user-space application.

func (*EbpfDecoder) BuffLen

func (decoder *EbpfDecoder) BuffLen() int

BuffLen returns the total length of the buffer owned by decoder.

func (*EbpfDecoder) DecodeArguments added in v0.16.0

func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, evtDef events.Definition, eventId events.ID) error

DecodeArguments decodes the argument values from the remaining buffer, according to the given event definition. It should be called last, after the argnum has been decoded with DecodeUint8.

The args slice passed in should be initialized with length len(eventDefinition.Params).

func (*EbpfDecoder) DecodeBool

func (decoder *EbpfDecoder) DecodeBool(msg *bool) error

DecodeBool translates data from the decoder buffer, starting from the decoder cursor, to bool.

func (*EbpfDecoder) DecodeBpfObjectMeta added in v0.13.0

func (decoder *EbpfDecoder) DecodeBpfObjectMeta(bpfObjectMeta *BpfObjectMeta) error

DecodeBpfObjectMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.BpfObjectMeta struct.

func (*EbpfDecoder) DecodeBytes

func (decoder *EbpfDecoder) DecodeBytes(msg []byte, size int) error

DecodeBytes copies size bytes from the decoder buffer, starting from the decoder cursor, into msg.

func (*EbpfDecoder) DecodeChunkMeta

func (decoder *EbpfDecoder) DecodeChunkMeta(chunkMeta *ChunkMeta) error

DecodeChunkMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.ChunkMeta struct.

func (*EbpfDecoder) DecodeContext

func (decoder *EbpfDecoder) DecodeContext(eCtx *EventContext) error

DecodeContext translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.EventContext struct.

func (*EbpfDecoder) DecodeInt16

func (decoder *EbpfDecoder) DecodeInt16(msg *int16) error

DecodeInt16 translates data from the decoder buffer, starting from the decoder cursor, to int16.

func (*EbpfDecoder) DecodeInt32

func (decoder *EbpfDecoder) DecodeInt32(msg *int32) error

DecodeInt32 translates data from the decoder buffer, starting from the decoder cursor, to int32.

func (*EbpfDecoder) DecodeInt64

func (decoder *EbpfDecoder) DecodeInt64(msg *int64) error

DecodeInt64 translates data from the decoder buffer, starting from the decoder cursor, to int64.

func (*EbpfDecoder) DecodeInt8

func (decoder *EbpfDecoder) DecodeInt8(msg *int8) error

DecodeInt8 translates data from the decoder buffer, starting from the decoder cursor, to int8.

func (*EbpfDecoder) DecodeIntArray

func (decoder *EbpfDecoder) DecodeIntArray(msg []int32, size int) error

DecodeIntArray translates from the decoder buffer, starting from the decoder cursor, into msg, size * 4 bytes (4 bytes per int32 element).

func (*EbpfDecoder) DecodeKernelModuleMeta

func (decoder *EbpfDecoder) DecodeKernelModuleMeta(kernelModuleMeta *KernelModuleMeta) error

DecodeKernelModuleMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.KernelModuleMeta struct.

func (*EbpfDecoder) DecodeMprotectWriteMeta

func (decoder *EbpfDecoder) DecodeMprotectWriteMeta(mprotectWriteMeta *MprotectWriteMeta) error

DecodeMprotectWriteMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.MprotectWriteMeta struct.

func (*EbpfDecoder) DecodeSlimCred

func (decoder *EbpfDecoder) DecodeSlimCred(slimCred *SlimCred) error

DecodeSlimCred translates data from the decoder buffer, starting from the decoder cursor, to SlimCred struct.

func (*EbpfDecoder) DecodeUint16

func (decoder *EbpfDecoder) DecodeUint16(msg *uint16) error

DecodeUint16 translates data from the decoder buffer, starting from the decoder cursor, to uint16.

func (*EbpfDecoder) DecodeUint16BigEndian

func (decoder *EbpfDecoder) DecodeUint16BigEndian(msg *uint16) error

DecodeUint16BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint16, interpreting the bytes as big-endian.

func (*EbpfDecoder) DecodeUint32

func (decoder *EbpfDecoder) DecodeUint32(msg *uint32) error

DecodeUint32 translates data from the decoder buffer, starting from the decoder cursor, to uint32.

func (*EbpfDecoder) DecodeUint32BigEndian

func (decoder *EbpfDecoder) DecodeUint32BigEndian(msg *uint32) error

DecodeUint32BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint32, interpreting the bytes as big-endian.

func (*EbpfDecoder) DecodeUint64

func (decoder *EbpfDecoder) DecodeUint64(msg *uint64) error

DecodeUint64 translates data from the decoder buffer, starting from the decoder cursor, to uint64.

func (*EbpfDecoder) DecodeUint64Array added in v0.8.0

func (decoder *EbpfDecoder) DecodeUint64Array(msg *[]uint64) error

DecodeUint64Array translates from the decoder buffer, starting from the decoder cursor, into msg, size * 8 bytes (8 bytes per 64-bit element).

func (*EbpfDecoder) DecodeUint8

func (decoder *EbpfDecoder) DecodeUint8(msg *uint8) error

DecodeUint8 translates data from the decoder buffer, starting from the decoder cursor, to uint8.

func (*EbpfDecoder) DecodeVfsFileMeta added in v0.15.0

func (decoder *EbpfDecoder) DecodeVfsFileMeta(vfsFileMeta *VfsFileMeta) error

DecodeVfsFileMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.VfsFileMeta struct.

func (*EbpfDecoder) ReadAmountBytes

func (decoder *EbpfDecoder) ReadAmountBytes() int

ReadAmountBytes returns the total number of bytes that decoder has read from its buffer so far.
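The EbpfDecoder methods above all share one shape: a buffer, a forward-only cursor, and a bounds check that returns ErrBufferTooShort instead of reading past the end. The following is an added example, not code from Tracee or this package, showing that shape on a miniature decoder. The record layout (u32 pid, u8 argnum, then argnum pairs of u32 length and payload), the little-endian byte order and the names MiniDecoder, take, Record, DecodeRecord and EncodeRecord are assumptions made for the example. What it demonstrates is that every length read from the buffer, the argument count as well as each argument's size, is checked against the remaining bytes before it drives an allocation or a copy, so a truncated or malformed record fails with an error rather than a panic or an oversized make().

```go
package main

import (
	"encoding/binary"
	"errors"
)

// ErrBufferTooShort mirrors the sentinel exported by bufferdecoder.
var ErrBufferTooShort = errors.New("can't read context from buffer: buffer too short")

// MiniDecoder is a constructed stand-in for bufferdecoder.EbpfDecoder: a byte
// slice plus a cursor that only moves forward. Integers are little-endian.
type MiniDecoder struct {
	buffer []byte
	cursor int
}

// NewMini takes ownership of raw, as bufferdecoder.New does.
func NewMini(raw []byte) *MiniDecoder { return &MiniDecoder{buffer: raw} }

// take returns the next n bytes and advances the cursor. It is the single
// bounds check every Decode* method goes through; n < 0 catches int overflow.
func (d *MiniDecoder) take(n int) ([]byte, error) {
	if n < 0 || n > len(d.buffer)-d.cursor {
		return nil, ErrBufferTooShort
	}
	b := d.buffer[d.cursor : d.cursor+n]
	d.cursor += n
	return b, nil
}

func (d *MiniDecoder) DecodeUint8(msg *uint8) error {
	b, err := d.take(1)
	if err != nil {
		return err
	}
	*msg = b[0]
	return nil
}

func (d *MiniDecoder) DecodeUint32(msg *uint32) error {
	b, err := d.take(4)
	if err != nil {
		return err
	}
	*msg = binary.LittleEndian.Uint32(b)
	return nil
}

// Record is the constructed wire format of this example (not Tracee's protocol).
type Record struct {
	Pid  uint32
	Args [][]byte
}

// DecodeRecord reads the fixed header, then the argument count, then the
// variable-length tail, mirroring the DecodeContext/DecodeArguments order.
func DecodeRecord(raw []byte) (Record, error) {
	d := NewMini(raw)
	var r Record
	if err := d.DecodeUint32(&r.Pid); err != nil {
		return r, err
	}
	var argnum uint8
	if err := d.DecodeUint8(&argnum); err != nil {
		return r, err
	}
	for i := 0; i < int(argnum); i++ {
		var n uint32
		if err := d.DecodeUint32(&n); err != nil {
			return r, err
		}
		// n is kernel-supplied: take validates it against the remaining bytes
		// before any allocation, so a bogus 4 GiB length is rejected cheaply.
		b, err := d.take(int(n))
		if err != nil {
			return r, err
		}
		r.Args = append(r.Args, append([]byte(nil), b...))
	}
	return r, nil
}

// EncodeRecord builds the byte image the kernel side would write (constructed
// here so the example runs offline).
func EncodeRecord(r Record) []byte {
	var tmp [4]byte
	binary.LittleEndian.PutUint32(tmp[:], r.Pid)
	out := append([]byte(nil), tmp[:]...)
	out = append(out, uint8(len(r.Args)))
	for _, a := range r.Args {
		binary.LittleEndian.PutUint32(tmp[:], uint32(len(a)))
		out = append(out, tmp[:]...)
		out = append(out, a...)
	}
	return out
}
```

A useful property of this structure is that the check lives in one place: adding a new Decode* method cannot forget it, because every method obtains its bytes through take.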

type EventContext added in v0.20.0

type EventContext struct {
	Ts uint64

	// task_context start
	StartTime       uint64
	CgroupID        uint64
	Pid             uint32
	Tid             uint32
	Ppid            uint32
	HostPid         uint32
	HostTid         uint32
	HostPpid        uint32
	Uid             uint32
	MntID           uint32
	PidID           uint32
	Comm            [16]byte
	UtsName         [16]byte
	Flags           uint32
	LeaderStartTime uint64
	ParentStartTime uint64

	EventID         events.ID // int32
	Syscall         int32
	Retval          int64
	StackID         uint32
	ProcessorId     uint16
	PoliciesVersion uint16
	MatchedPolicies uint64
}

EventContext contains common metadata that is collected for all types of events.

NOTE: Use pahole to ensure this struct reflects the `event_context` struct in the eBPF code.

func (EventContext) GetSizeBytes added in v0.20.0

func (EventContext) GetSizeBytes() int

type KernelModuleMeta

type KernelModuleMeta struct {
	DevID uint32
	Inode uint64
	Pid   uint32
	Size  uint32
}

func (KernelModuleMeta) GetSizeBytes

func (KernelModuleMeta) GetSizeBytes() uint32

type MprotectWriteMeta

type MprotectWriteMeta struct {
	Ts  uint64
	Pid uint32
}

func (MprotectWriteMeta) GetSizeBytes

func (MprotectWriteMeta) GetSizeBytes() uint32

type SlimCred

type SlimCred struct {
	Uid            uint32 /* real UID of the task */
	Gid            uint32 /* real GID of the task */
	Suid           uint32 /* saved UID of the task */
	Sgid           uint32 /* saved GID of the task */
	Euid           uint32 /* effective UID of the task */
	Egid           uint32 /* effective GID of the task */
	Fsuid          uint32 /* UID for VFS ops */
	Fsgid          uint32 /* GID for VFS ops */
	UserNamespace  uint32 /* User Namespace of the event */
	SecureBits     uint32 /* SUID-less security management */
	CapInheritable uint64 /* caps our children can inherit */
	CapPermitted   uint64 /* caps we're permitted */
	CapEffective   uint64 /* caps we can actually use */
	CapBounding    uint64 /* capability bounding set */
	CapAmbient     uint64 /* Ambient capability set */
}

SlimCred is a slim version of the kernel's cred struct. It is used to unmarshal binary data and therefore should match (bit by bit) the `slim_cred_t` struct in the eBPF code. ANY CHANGE TO THIS STRUCT MUST ALSO BE MADE TO detect.SlimCred and bufferdecoder.SlimCred.

func (SlimCred) GetSizeBytes

func (s SlimCred) GetSizeBytes() uint32
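The pahole note on EventContext and the bit-for-bit requirement on SlimCred express the same invariant: the Go struct must consume exactly the bytes the eBPF side writes. The following is an added example, not code from Tracee, of checking that invariant from the Go side. It uses encoding/binary to compute the wire size of a mirror struct and compare it with the expected size, decodes a constructed slim_cred_t image with a length check that returns ErrBufferTooShort, and shows that a stale mirror missing one field is caught by the size comparison. WireSlimCred, StaleSlimCred, SlimCredWireSize, LayoutReport, CheckLayout, DecodeSlimCred and EncodeSlimCred are names invented here; the expected size of 80 is this mirror's packed size (10 uint32 + 5 uint64), standing in for the value pahole would report for the compiled eBPF object.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"reflect"
)

// WireSlimCred mirrors the field order of bufferdecoder.SlimCred (a constructed
// copy for this example, so the block compiles without the Tracee module).
type WireSlimCred struct {
	Uid, Gid, Suid, Sgid, Euid, Egid, Fsuid, Fsgid, UserNamespace, SecureBits uint32
	CapInheritable, CapPermitted, CapEffective, CapBounding, CapAmbient         uint64
}

// StaleSlimCred is a deliberately outdated mirror that lacks CapAmbient, the
// kind of drift the "ANY CHANGE TO THIS STRUCT" note warns about.
type StaleSlimCred struct {
	Uid, Gid, Suid, Sgid, Euid, Egid, Fsuid, Fsgid, UserNamespace, SecureBits uint32
	CapInheritable, CapPermitted, CapEffective, CapBounding                    uint64
}

// SlimCredWireSize is the byte count the eBPF side writes for slim_cred_t.
// In a real build it comes from pahole on the compiled eBPF object; here it is
// a constructed constant equal to 10*4 + 5*8.
const SlimCredWireSize = 80

var ErrBufferTooShort = errors.New("can't read context from buffer: buffer too short")

// LayoutReport compares a Go mirror struct against the expected wire size.
type LayoutReport struct {
	Packed   int  // bytes encoding/binary consumes: the wire size of the mirror
	InMemory int  // Go's padded in-memory size; may legitimately differ from Packed
	Matches  bool // Packed equals the expected wire size
}

// CheckLayout reports Packed = -1 when v contains a field without a fixed size,
// which also fails the match.
func CheckLayout(v any, expectedWireSize int) LayoutReport {
	packed := binary.Size(v)
	return LayoutReport{
		Packed:   packed,
		InMemory: int(reflect.TypeOf(v).Size()),
		Matches:  packed == expectedWireSize,
	}
}

// DecodeSlimCred decodes one little-endian slim_cred_t image, refusing short input
// before touching the bytes.
func DecodeSlimCred(raw []byte) (WireSlimCred, error) {
	var c WireSlimCred
	if len(raw) < SlimCredWireSize {
		return c, ErrBufferTooShort
	}
	err := binary.Read(bytes.NewReader(raw[:SlimCredWireSize]), binary.LittleEndian, &c)
	return c, err
}

// EncodeSlimCred produces the byte image the kernel would send (constructed input
// so the example runs offline).
func EncodeSlimCred(c WireSlimCred) []byte {
	var buf bytes.Buffer
	if err := binary.Write(&buf, binary.LittleEndian, c); err != nil {
		panic(err) // cannot happen for a fixed-size struct
	}
	return buf.Bytes()
}
```

CheckLayout is the kind of assertion worth keeping in a unit test next to the struct: it fails the build the moment someone adds or removes a field on only one side of the kernel/user-space boundary, which is exactly the drift the two notes describe.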

type VfsFileMeta added in v0.15.0

type VfsFileMeta struct {
	DevID uint32
	Inode uint64
	Mode  uint32
	Pid   uint32
}

func (VfsFileMeta) GetSizeBytes added in v0.15.0

func (VfsFileMeta) GetSizeBytes() uint32
