Index ¶
- Constants
- Variables
- func NewPolicies() *policies
- func PoliciesMaxExceededError() error
- func PoliciesOutOfRangeError(idx int) error
- func PolicyAlreadyExistsError(name string, idx int) error
- func PolicyNilError() error
- func PolicyNotFoundByIDError(idx int) error
- func PolicyNotFoundByNameError(name string) error
- func Snapshots() *snapshots
- type KernelDataFields
- type Manager
- func (m *Manager) CreateAllIterator() utils.Iterator[*Policy]
- func (m *Manager) CreateUserlandIterator() utils.Iterator[*Policy]
- func (m *Manager) DisableEvent(id events.ID)
- func (m *Manager) DisableRule(policyId int, id events.ID) error
- func (m *Manager) EnableEvent(id events.ID)
- func (m *Manager) EnableRule(policyId int, id events.ID) error
- func (m *Manager) EventsSelected() []events.ID
- func (m *Manager) EventsToSubmit() []events.ID
- func (m *Manager) FilterableInUserland() bool
- func (m *Manager) IsEnabled(matchedPolicies uint64, id events.ID) bool
- func (m *Manager) IsEventEnabled(id events.ID) bool
- func (m *Manager) IsEventSelected(id events.ID) bool
- func (m *Manager) IsEventToEmit(id events.ID) bool
- func (m *Manager) IsEventToSubmit(id events.ID) bool
- func (m *Manager) IsRequiredBySignature(id events.ID) bool
- func (m *Manager) IsRuleEnabled(matchedPolicies uint64, id events.ID) bool
- func (m *Manager) LookupByName(name string) (*Policy, error)
- func (m *Manager) MatchEvent(id events.ID, matched uint64) uint64
- func (m *Manager) MatchEventInAnyPolicy(id events.ID) uint64
- func (m *Manager) MatchedNames(matched uint64) []string
- func (m *Manager) UpdateBPF(bpfModule *bpf.Module, cts *containers.Containers, ...) (*PoliciesConfig, error)
- func (m *Manager) WithContainerFilterEnabled() uint64
- type ManagerConfig
- type PoliciesConfig
- type Policy
- type RuleData
Constants ¶
// Names of the BPF maps the policy manager reads and updates. The names are
// what the loader resolves against the BPF object, so each string must match
// the map name on the eBPF side exactly (NOTE(review): cannot be verified
// from this listing). The "outer"/"inner" split is stated by the original
// comments; the exact map-in-map layout is not visible here.
const (
	// outer maps
	UIDFilterMapVersion         = "uid_filter_version"
	PIDFilterMapVersion         = "pid_filter_version"
	MntNSFilterMapVersion       = "mnt_ns_filter_version"
	PidNSFilterMapVersion       = "pid_ns_filter_version"
	UTSFilterMapVersion         = "uts_ns_filter_version"
	CommFilterMapVersion        = "comm_filter_version"
	DataFilterPrefixMapVersion  = "data_filter_prefix_version"
	DataFilterSuffixMapVersion  = "data_filter_suffix_version"
	DataFilterExactMapVersion   = "data_filter_exact_version"
	CgroupIdFilterVersion       = "cgroup_id_filter_version"
	ProcessTreeFilterMapVersion = "process_tree_map_version"
	BinaryFilterMapVersion      = "binary_filter_version"
	PoliciesConfigVersion       = "policies_config_version"

	// inner maps
	UIDFilterMap         = "uid_filter"
	PIDFilterMap         = "pid_filter"
	MntNSFilterMap       = "mnt_ns_filter"
	PidNSFilterMap       = "pid_ns_filter"
	UTSFilterMap         = "uts_ns_filter"
	CommFilterMap        = "comm_filter"
	DataFilterPrefixMap  = "data_filter_prefix"
	DataFilterSuffixMap  = "data_filter_suffix"
	DataFilterExactMap   = "data_filter_exact"
	CgroupIdFilterMap    = "cgroup_id_filter"
	ProcessTreeFilterMap = "process_tree_map"
	BinaryFilterMap      = "binary_filter"
	PoliciesConfigMap    = "policies_config_map"
	ProcInfoMap          = "proc_info_map"
)
// Policy mask limits. Policies are tracked as bits of a uint64 (the Manager
// methods take a matchedPolicies/matched uint64), which is why the number of
// policies is capped at 64.
const (
	PolicyMax  = int(64)    // maximum number of policies: one bit per policy in a uint64 mask
	PolicyAll  = ^uint64(0) // mask with every policy bit set
	PolicyNone = uint64(0)  // mask with no policy bit set
)
Variables ¶
// AlwaysSubmit is an EventState whose Submit mask has every policy bit set
// (PolicyAll) — presumably meaning the event is submitted whichever policies
// matched; confirm against the consumer of EventState.Submit.
var AlwaysSubmit = events.EventState{
	Submit: PolicyAll,
}
Functions ¶
func NewPolicies ¶
func NewPolicies() *policies
func PoliciesMaxExceededError ¶
func PoliciesMaxExceededError() error
func PoliciesOutOfRangeError ¶
func PolicyAlreadyExistsError ¶ added in v0.21.0
func PolicyNilError ¶
func PolicyNilError() error
func PolicyNotFoundByIDError ¶ added in v0.18.0
func PolicyNotFoundByNameError ¶ added in v0.18.0
Types ¶
type KernelDataFields ¶
type Manager ¶
// Manager manages the enabled policies for each rule. It is documented as
// thread-safe; its synchronisation and state fields are unexported and not
// shown in this listing.
type Manager struct {
	// contains filtered or unexported fields
}
Manager is a thread-safe struct that manages the enabled policies for each rule.
func NewManager ¶
func NewManager( cfg ManagerConfig, depsManager *dependencies.Manager, initialPolicies ...*Policy, ) (*Manager, error)
func (*Manager) CreateUserlandIterator ¶
func (*Manager) DisableEvent ¶
DisableEvent disables a given event
func (*Manager) DisableRule ¶
DisableRule disables a rule for a given event policy
func (*Manager) EnableEvent ¶
EnableEvent enables a given event
func (*Manager) EnableRule ¶
EnableRule enables a rule for a given event policy
func (*Manager) EventsSelected ¶
func (*Manager) EventsToSubmit ¶
func (*Manager) FilterableInUserland ¶
func (*Manager) IsEnabled ¶
IsEnabled tests whether an event, or a policy for that event, is enabled (in the future it will also check whether a policy is enabled). TODO: add metrics about an event being enabled/disabled, or a policy being enabled/disabled?
func (*Manager) IsEventEnabled ¶
IsEventEnabled returns true if a given event policy is enabled for a given rule
func (*Manager) IsRuleEnabled ¶
IsRuleEnabled returns true if a given event policy is enabled for a given rule
func (*Manager) MatchEventInAnyPolicy ¶
func (*Manager) MatchedNames ¶
func (*Manager) UpdateBPF ¶
func (m *Manager) UpdateBPF( bpfModule *bpf.Module, cts *containers.Containers, eventsFields map[events.ID][]bufferdecoder.ArgType, createNewMaps bool, updateProcTree bool, ) (*PoliciesConfig, error)
func (*Manager) WithContainerFilterEnabled ¶
type ManagerConfig ¶
// ManagerConfig is the configuration passed to NewManager as its cfg argument.
type ManagerConfig struct {
	DNSCacheConfig dnscache.Config         // DNS cache configuration
	ProcTreeConfig proctree.ProcTreeConfig // process tree configuration
	CaptureConfig  config.CaptureConfig    // capture configuration
}
type PoliciesConfig ¶ added in v0.20.0
// PoliciesConfig mirrors the C struct policies_config (policies_config_t) and
// is written as the value of the PoliciesConfigMap BPF map. Field order and
// widths are part of the wire layout: do not reorder, insert or resize fields
// here without changing the C struct in lockstep, or the kernel side will read
// misaligned (and therefore wrong) filter settings without any error.
//
// The *Enabled and *MatchIfKeyMissing fields are uint64 and are presumably
// per-policy bitmasks (one bit per policy, cf. PolicyMax = 64) — confirm
// against policies_config_t.
type PoliciesConfig struct {
	UIDFilterEnabled      uint64
	PIDFilterEnabled      uint64
	MntNsFilterEnabled    uint64
	PidNsFilterEnabled    uint64
	UtsNsFilterEnabled    uint64
	CommFilterEnabled     uint64
	CgroupIdFilterEnabled uint64
	ContFilterEnabled     uint64
	NewContFilterEnabled  uint64
	NewPidFilterEnabled   uint64
	ProcTreeFilterEnabled uint64
	BinPathFilterEnabled  uint64
	FollowFilterEnabled   uint64

	UIDFilterMatchIfKeyMissing      uint64
	PIDFilterMatchIfKeyMissing      uint64
	MntNsFilterMatchIfKeyMissing    uint64
	PidNsFilterMatchIfKeyMissing    uint64
	UtsNsFilterMatchIfKeyMissing    uint64
	CommFilterMatchIfKeyMissing     uint64
	CgroupIdFilterMatchIfKeyMissing uint64
	ContFilterMatchIfKeyMissing     uint64
	NewContFilterMatchIfKeyMissing  uint64
	NewPidFilterMatchIfKeyMissing   uint64
	ProcTreeFilterMatchIfKeyMissing uint64
	BinPathFilterMatchIfKeyMissing  uint64

	EnabledPolicies uint64 // mask of policies currently enabled

	// UID/PID range bounds; semantics (inclusive/exclusive) are not shown here.
	UidMax uint64
	UidMin uint64
	PidMax uint64
	PidMin uint64
}
PoliciesConfig mirrors the C struct policies_config (policies_config_t). The field order is significant, because the struct is used as-is as the value of the PoliciesConfigMap BPF map.
type Policy ¶
// Policy is one policy managed by Manager: an ID and Name, the set of scope
// filters that decide which processes/containers it applies to, and the
// per-event rules it enables. ID is the value used by the *ByID lookups and
// error helpers on this page; given PolicyMax = 64 it presumably also selects
// the policy's bit in the uint64 policy masks — confirm in the manager code.
type Policy struct {
	ID   int
	Name string

	// Scope filters. A nil filter is presumably "not configured" — confirm
	// against the filters package before relying on it.
	UIDFilter         *filters.UIntFilter[uint32]
	PIDFilter         *filters.UIntFilter[uint32]
	NewPidFilter      *filters.BoolFilter
	MntNSFilter       *filters.UIntFilter[uint64]
	PidNSFilter       *filters.UIntFilter[uint64]
	UTSFilter         *filters.StringFilter
	CommFilter        *filters.StringFilter
	ContFilter        *filters.BoolFilter
	NewContFilter     *filters.BoolFilter
	ContIDFilter      *filters.StringFilter
	ProcessTreeFilter *filters.ProcessTreeFilter
	BinaryFilter      *filters.BinaryFilter

	// Follow's semantics are not shown here; PoliciesConfig carries a
	// corresponding FollowFilterEnabled mask.
	Follow bool

	// Rules maps an event ID to that event's rule data (RuleData is declared
	// on this page but its fields are not shown).
	Rules map[events.ID]RuleData
}
func (*Policy) ContainerFilterEnabled ¶
ContainerFilterEnabled returns true if the policy has at least one container filter type enabled.