Documentation ¶
Overview ¶
Package bufferdecoder implements simple translation between byte sequences and the user-defined structs.
The package favors efficiency over flexibility. The provided API allows fast decoding of byte sequences sent by the Tracee eBPF program from kernel-space to user-space.
Package bufferdecoder implements the structs (in effect, the protocol) used in communication between the eBPF code running in the kernel and the Tracee-eBPF user-space application.
Index ¶
- Variables
- func Print16BytesSliceIP(in []byte) string
- func PrintUint32IP(in uint32) string
- func ReadByteSliceFromBuff(ebpfMsgDecoder *EbpfDecoder, len int) ([]byte, error)
- type ArgType
- type BinType
- type BpfObjectMeta
- type ChunkMeta
- type EbpfDecoder
- func (decoder *EbpfDecoder) BuffLen() int
- func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, evtParams []trace.ArgMeta, evtName string, ...) error
- func (decoder *EbpfDecoder) DecodeBool(msg *bool) error
- func (decoder *EbpfDecoder) DecodeBpfObjectMeta(bpfObjectMeta *BpfObjectMeta) error
- func (decoder *EbpfDecoder) DecodeBytes(msg []byte, size int) error
- func (decoder *EbpfDecoder) DecodeChunkMeta(chunkMeta *ChunkMeta) error
- func (decoder *EbpfDecoder) DecodeContext(eCtx *EventContext) error
- func (decoder *EbpfDecoder) DecodeInt16(msg *int16) error
- func (decoder *EbpfDecoder) DecodeInt32(msg *int32) error
- func (decoder *EbpfDecoder) DecodeInt64(msg *int64) error
- func (decoder *EbpfDecoder) DecodeInt8(msg *int8) error
- func (decoder *EbpfDecoder) DecodeIntArray(msg []int32, size int) error
- func (decoder *EbpfDecoder) DecodeKernelModuleMeta(kernelModuleMeta *KernelModuleMeta) error
- func (decoder *EbpfDecoder) DecodeMprotectWriteMeta(mprotectWriteMeta *MprotectWriteMeta) error
- func (decoder *EbpfDecoder) DecodeSlimCred(slimCred *SlimCred) error
- func (decoder *EbpfDecoder) DecodeUint16(msg *uint16) error
- func (decoder *EbpfDecoder) DecodeUint16BigEndian(msg *uint16) error
- func (decoder *EbpfDecoder) DecodeUint32(msg *uint32) error
- func (decoder *EbpfDecoder) DecodeUint32BigEndian(msg *uint32) error
- func (decoder *EbpfDecoder) DecodeUint64(msg *uint64) error
- func (decoder *EbpfDecoder) DecodeUint64Array(msg *[]uint64) error
- func (decoder *EbpfDecoder) DecodeUint8(msg *uint8) error
- func (decoder *EbpfDecoder) DecodeVfsFileMeta(vfsFileMeta *VfsFileMeta) error
- func (decoder *EbpfDecoder) ReadAmountBytes() int
- type EventContext
- type KernelModuleMeta
- type MprotectWriteMeta
- type SlimCred
- type VfsFileMeta
Variables ¶
var ErrBufferTooShort = errors.New("can't read context from buffer: buffer too short")
Functions ¶
func Print16BytesSliceIP ¶
Print16BytesSliceIP prints the IP address encoded as a 16-byte slice. It would be more correct to accept a [16]byte instead of a variable-length slice, but that would cause unnecessary memory copying and type conversions.
func PrintUint32IP ¶
PrintUint32IP prints the IP address encoded as a uint32
func ReadByteSliceFromBuff ¶
func ReadByteSliceFromBuff(ebpfMsgDecoder *EbpfDecoder, len int) ([]byte, error)
Types ¶
type ArgType ¶
type ArgType uint8
ArgType is an enum that encodes the argument types that the BPF program may write to the shared buffer. Argument types should match the values defined in the eBPF code.
func GetParamType ¶
type BinType ¶
type BinType uint8
BinType is an enum that specifies the type of binary data sent in the file perf map. Binary types should match the values defined in the eBPF code.
type BpfObjectMeta ¶ added in v0.13.0
func (BpfObjectMeta) GetSizeBytes ¶ added in v0.13.0
func (BpfObjectMeta) GetSizeBytes() uint32
type ChunkMeta ¶
func (ChunkMeta) GetSizeBytes ¶
type EbpfDecoder ¶
type EbpfDecoder struct {
// contains filtered or unexported fields
}
func New ¶
func New(rawBuffer []byte) *EbpfDecoder
New creates and initializes a new EbpfDecoder using rawBuffer as its initial content. The EbpfDecoder takes ownership of rawBuffer, and the caller should not use rawBuffer after this call. New is intended to prepare a buffer for reading existing data from it, translating that data into protocol-defined structs. The protocol is specific to the Tracee eBPF program and the Tracee-eBPF user-space application.
func (*EbpfDecoder) BuffLen ¶
func (decoder *EbpfDecoder) BuffLen() int
BuffLen returns the total length of the buffer owned by decoder.
func (*EbpfDecoder) DecodeArguments ¶ added in v0.16.0
func (decoder *EbpfDecoder) DecodeArguments(args []trace.Argument, argnum int, evtParams []trace.ArgMeta, evtName string, eventId events.ID) error
DecodeArguments decodes the remaining buffer's argument values, according to the given event definition. It should be called last, and after decoding the argnum with DecodeUint8.
The argument array passed in should be initialized with a size of len(evtParams).
func (*EbpfDecoder) DecodeBool ¶
func (decoder *EbpfDecoder) DecodeBool(msg *bool) error
DecodeBool translates data from the decoder buffer, starting from the decoder cursor, to bool.
func (*EbpfDecoder) DecodeBpfObjectMeta ¶ added in v0.13.0
func (decoder *EbpfDecoder) DecodeBpfObjectMeta(bpfObjectMeta *BpfObjectMeta) error
DecodeBpfObjectMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.BpfObjectMeta struct.
func (*EbpfDecoder) DecodeBytes ¶
func (decoder *EbpfDecoder) DecodeBytes(msg []byte, size int) error
DecodeBytes copies from the decoder buffer, starting from the decoder cursor, to msg, size bytes.
func (*EbpfDecoder) DecodeChunkMeta ¶
func (decoder *EbpfDecoder) DecodeChunkMeta(chunkMeta *ChunkMeta) error
DecodeChunkMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.ChunkMeta struct.
func (*EbpfDecoder) DecodeContext ¶
func (decoder *EbpfDecoder) DecodeContext(eCtx *EventContext) error
DecodeContext translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.EventContext struct.
func (*EbpfDecoder) DecodeInt16 ¶
func (decoder *EbpfDecoder) DecodeInt16(msg *int16) error
DecodeInt16 translates data from the decoder buffer, starting from the decoder cursor, to int16.
func (*EbpfDecoder) DecodeInt32 ¶
func (decoder *EbpfDecoder) DecodeInt32(msg *int32) error
DecodeInt32 translates data from the decoder buffer, starting from the decoder cursor, to int32.
func (*EbpfDecoder) DecodeInt64 ¶
func (decoder *EbpfDecoder) DecodeInt64(msg *int64) error
DecodeInt64 translates data from the decoder buffer, starting from the decoder cursor, to int64.
func (*EbpfDecoder) DecodeInt8 ¶
func (decoder *EbpfDecoder) DecodeInt8(msg *int8) error
DecodeInt8 translates data from the decoder buffer, starting from the decoder cursor, to int8.
func (*EbpfDecoder) DecodeIntArray ¶
func (decoder *EbpfDecoder) DecodeIntArray(msg []int32, size int) error
DecodeIntArray translates data from the decoder buffer, starting from the decoder cursor, to msg, reading size * 4 bytes (each element is an int32).
func (*EbpfDecoder) DecodeKernelModuleMeta ¶
func (decoder *EbpfDecoder) DecodeKernelModuleMeta(kernelModuleMeta *KernelModuleMeta) error
DecodeKernelModuleMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.KernelModuleMeta struct.
func (*EbpfDecoder) DecodeMprotectWriteMeta ¶
func (decoder *EbpfDecoder) DecodeMprotectWriteMeta(mprotectWriteMeta *MprotectWriteMeta) error
DecodeMprotectWriteMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.MprotectWriteMeta struct.
func (*EbpfDecoder) DecodeSlimCred ¶
func (decoder *EbpfDecoder) DecodeSlimCred(slimCred *SlimCred) error
DecodeSlimCred translates data from the decoder buffer, starting from the decoder cursor, to SlimCred struct.
func (*EbpfDecoder) DecodeUint16 ¶
func (decoder *EbpfDecoder) DecodeUint16(msg *uint16) error
DecodeUint16 translates data from the decoder buffer, starting from the decoder cursor, to uint16.
func (*EbpfDecoder) DecodeUint16BigEndian ¶
func (decoder *EbpfDecoder) DecodeUint16BigEndian(msg *uint16) error
DecodeUint16BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint16, reading the bytes in big-endian order.
func (*EbpfDecoder) DecodeUint32 ¶
func (decoder *EbpfDecoder) DecodeUint32(msg *uint32) error
DecodeUint32 translates data from the decoder buffer, starting from the decoder cursor, to uint32.
func (*EbpfDecoder) DecodeUint32BigEndian ¶
func (decoder *EbpfDecoder) DecodeUint32BigEndian(msg *uint32) error
DecodeUint32BigEndian translates data from the decoder buffer, starting from the decoder cursor, to uint32, reading the bytes in big-endian order.
func (*EbpfDecoder) DecodeUint64 ¶
func (decoder *EbpfDecoder) DecodeUint64(msg *uint64) error
DecodeUint64 translates data from the decoder buffer, starting from the decoder cursor, to uint64.
func (*EbpfDecoder) DecodeUint64Array ¶ added in v0.8.0
func (decoder *EbpfDecoder) DecodeUint64Array(msg *[]uint64) error
DecodeUint64Array translates data from the decoder buffer, starting from the decoder cursor, to msg, reading size * 8 bytes (each element is a uint64).
func (*EbpfDecoder) DecodeUint8 ¶
func (decoder *EbpfDecoder) DecodeUint8(msg *uint8) error
DecodeUint8 translates data from the decoder buffer, starting from the decoder cursor, to uint8.
func (*EbpfDecoder) DecodeVfsFileMeta ¶ added in v0.15.0
func (decoder *EbpfDecoder) DecodeVfsFileMeta(vfsFileMeta *VfsFileMeta) error
DecodeVfsFileMeta translates data from the decoder buffer, starting from the decoder cursor, to bufferdecoder.VfsFileMeta struct.
func (*EbpfDecoder) ReadAmountBytes ¶
func (decoder *EbpfDecoder) ReadAmountBytes() int
ReadAmountBytes returns the total amount of bytes that decoder has read from its buffer up until now.
type EventContext ¶ added in v0.20.0
type EventContext struct {
    Ts uint64

    // task_context start
    StartTime       uint64
    CgroupID        uint64
    Pid             uint32
    Tid             uint32
    Ppid            uint32
    HostPid         uint32
    HostTid         uint32
    HostPpid        uint32
    Uid             uint32
    MntID           uint32
    PidID           uint32
    Comm            [16]byte
    UtsName         [16]byte
    Flags           uint32
    LeaderStartTime uint64
    ParentStartTime uint64

    EventID         events.ID // int32
    Syscall         int32
    Retval          int64
    StackID         uint32
    ProcessorId     uint16
    PoliciesVersion uint16
    MatchedPolicies uint64
}
EventContext contains common metadata that is collected for all types of events.
NOTE: Use pahole to ensure this struct reflects the `event_context` struct in the eBPF code.
func (EventContext) GetSizeBytes ¶ added in v0.20.0
func (EventContext) GetSizeBytes() int
type KernelModuleMeta ¶
func (KernelModuleMeta) GetSizeBytes ¶
func (KernelModuleMeta) GetSizeBytes() uint32
type MprotectWriteMeta ¶
func (MprotectWriteMeta) GetSizeBytes ¶
func (MprotectWriteMeta) GetSizeBytes() uint32
type SlimCred ¶
type SlimCred struct {
    Uid            uint32 /* real UID of the task */
    Gid            uint32 /* real GID of the task */
    Suid           uint32 /* saved UID of the task */
    Sgid           uint32 /* saved GID of the task */
    Euid           uint32 /* effective UID of the task */
    Egid           uint32 /* effective GID of the task */
    Fsuid          uint32 /* UID for VFS ops */
    Fsgid          uint32 /* GID for VFS ops */
    UserNamespace  uint32 /* User Namespace of the event */
    SecureBits     uint32 /* SUID-less security management */
    CapInheritable uint64 /* caps our children can inherit */
    CapPermitted   uint64 /* caps we're permitted */
    CapEffective   uint64 /* caps we can actually use */
    CapBounding    uint64 /* capability bounding set */
    CapAmbient     uint64 /* Ambient capability set */
}
SlimCred struct is a slim version of the kernel's cred struct. It is used to unmarshal binary data and therefore should match (bit by bit) the `slim_cred_t` struct in the eBPF code. ANY CHANGE TO THIS STRUCT MUST ALSO BE MADE TO detect.SlimCred and bufferdecoder.SlimCred.
func (SlimCred) GetSizeBytes ¶
type VfsFileMeta ¶ added in v0.15.0
func (VfsFileMeta) GetSizeBytes ¶ added in v0.15.0
func (VfsFileMeta) GetSizeBytes() uint32
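The cursor-and-length behaviour described for the decoder, applied to the SlimCred layout above, as an added example that is not Tracee's code. The names slimCred, cursorDecoder, errShort and sampleRecord are hypothetical stand-ins, little-endian byte order is an assumption, and encoding/binary's reflection-based Read is used here in place of the package's own decoding.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
)

var errShort = errors.New("buffer too short") // stand-in for ErrBufferTooShort

// slimCred repeats the SlimCred field order listed on this page.
type slimCred struct {
	Uid, Gid, Suid, Sgid, Euid, Egid, Fsuid, Fsgid, UserNamespace, SecureBits uint32
	CapInheritable, CapPermitted, CapEffective, CapBounding, CapAmbient       uint64
}

// cursorDecoder is a hypothetical stand-in for EbpfDecoder: a buffer and a read cursor.
type cursorDecoder struct {
	buf    []byte
	cursor int
}

// decodeSlimCred checks the remaining length before reading and leaves the
// cursor untouched on failure, so a truncated record is rejected whole.
func (d *cursorDecoder) decodeSlimCred(c *slimCred) error {
	size := binary.Size(c) // 10*4 + 5*8 = 80 bytes, no padding between fields
	if len(d.buf)-d.cursor < size {
		return errShort
	}
	r := bytes.NewReader(d.buf[d.cursor : d.cursor+size])
	if err := binary.Read(r, binary.LittleEndian, c); err != nil { // assumed little-endian
		return err
	}
	d.cursor += size
	return nil
}

// sampleRecord builds a constructed record: uid 1000, euid 0, CAP_SYS_ADMIN (bit 21) effective.
func sampleRecord() []byte {
	b := make([]byte, 80)
	binary.LittleEndian.PutUint32(b[0:], 1000)   // Uid at offset 0
	binary.LittleEndian.PutUint64(b[56:], 1<<21) // CapEffective at offset 56
	return b
}

func main() {
	d, c := &cursorDecoder{buf: sampleRecord()[:79]}, slimCred{} // one byte short
	fmt.Println(d.decodeSlimCred(&c), d.cursor)
}
```

Comparing binary.Size of the Go struct with the size pahole reports for the eBPF-side struct is a quick way to notice layout drift before it shows up as misread credentials.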