Documentation
¶
Index ¶
- Constants
- Variables
- func CopyFileByPath(src, dst string) error
- func MergeErrors(cs ...<-chan error) <-chan error
- func Print16BytesSliceIP(in []byte) string
- func PrintAccessMode(mode uint32) string
- func PrintAlert(alert alert) string
- func PrintBPFCmd(cmd int32) string
- func PrintCapability(cap int32) string
- func PrintCloneFlags(flags uint64) string
- func PrintExecFlags(flags uint32) string
- func PrintInodeMode(mode uint32) string
- func PrintMemProt(prot uint32) string
- func PrintOpenFlags(flags uint32) string
- func PrintPrctlOption(op int32) string
- func PrintPtraceRequest(req int32) string
- func PrintSocketDomain(sd uint32) string
- func PrintSocketType(st uint32) string
- func PrintUint32IP(in uint32) string
- func UnameRelease() string
- type Argument
- type Event
- type EventConfig
- type Filter
- type RawEvent
- type Tracee
- type TraceeConfig
- type UIDFilter
Constants ¶
const ( ModeProcessAll uint32 = iota + 1 ModeProcessNew ModeProcessList ModeContainerAll ModeContainerNew ModeHostAll ModeHostNew )
const ( ReadEventID int32 = iota WriteEventID OpenEventID CloseEventID StatEventID FstatEventID LstatEventID PollEventID LseekEventID MmapEventID MprotectEventID MunmapEventID BrkEventID RtSigactionEventID RtSigprocmaskEventID RtSigreturnEventID IoctlEventID Pread64EventID Pwrite64EventID ReadvEventID WritevEventID AccessEventID PipeEventID SelectEventID SchedYieldEventID MremapEventID MsyncEventID MincoreEventID MadviseEventID ShmgetEventID ShmatEventID ShmctlEventID DupEventID Dup2EventID PauseEventID NanosleepEventID GetitimerEventID AlarmEventID SetitimerEventID GetpidEventID SendfileEventID SocketEventID ConnectEventID AcceptEventID SendtoEventID RecvfromEventID SendmsgEventID RecvmsgEventID ShutdownEventID BindEventID ListenEventID GetsocknameEventID GetpeernameEventID SocketpairEventID SetsockoptEventID GetsockoptEventID CloneEventID ForkEventID VforkEventID ExecveEventID ExitEventID Wait4EventID KillEventID UnameEventID SemgetEventID SemopEventID SemctlEventID ShmdtEventID MsggetEventID MsgsndEventID MsgrcvEventID MsgctlEventID FcntlEventID FlockEventID FsyncEventID FdatasyncEventID TruncateEventID FtruncateEventID GetdentsEventID GetcwdEventID ChdirEventID FchdirEventID RenameEventID MkdirEventID RmdirEventID CreatEventID LinkEventID UnlinkEventID SymlinkEventID ReadlinkEventID ChmodEventID FchmodEventID ChownEventID FchownEventID LchownEventID UmaskEventID GettimeofdayEventID GetrlimitEventID GetrusageEventID SysinfoEventID TimesEventID PtraceEventID GetuidEventID SyslogEventID GetgidEventID SetuidEventID SetgidEventID GeteuidEventID GetegidEventID SetpgidEventID GetppidEventID GetpgrpEventID SetsidEventID SetreuidEventID SetregidEventID GetgroupsEventID SetgroupsEventID SetresuidEventID GetresuidEventID SetresgidEventID GetresgidEventID GetpgidEventID SetfsuidEventID SetfsgidEventID GetsidEventID CapgetEventID CapsetEventID RtSigpendingEventID RtSigtimedwaitEventID RtSigqueueinfoEventID RtSigsuspendEventID SigaltstackEventID UtimeEventID MknodEventID UselibEventID PersonalityEventID UstatEventID StatfsEventID FstatfsEventID SysfsEventID GetpriorityEventID SetpriorityEventID SchedSetparamEventID SchedGetparamEventID SchedSetschedulerEventID SchedGetschedulerEventID SchedGetPriorityMaxEventID SchedGetPriorityMinEventID SchedRrGetIntervalEventID MlockEventID MunlockEventID MlockallEventID MunlockallEventID VhangupEventID ModifyLdtEventID PivotRootEventID SysctlEventID PrctlEventID ArchPrctlEventID AdjtimexEventID SetrlimitEventID ChrootEventID SyncEventID AcctEventID SettimeofdayEventID MountEventID UmountEventID SwaponEventID SwapoffEventID RebootEventID SethostnameEventID SetdomainnameEventID IoplEventID IopermEventID CreateModuleEventID InitModuleEventID DeleteModuleEventID GetKernelSymsEventID QueryModuleEventID QuotactlEventID NfsservctlEventID GetpmsgEventID PutpmsgEventID AfsEventID TuxcallEventID SecurityEventID GettidEventID ReadaheadEventID SetxattrEventID LsetxattrEventID FsetxattrEventID GetxattrEventID LgetxattrEventID FgetxattrEventID ListxattrEventID LlistxattrEventID FlistxattrEventID RemovexattrEventID LremovexattrEventID FremovexattrEventID TkillEventID TimeEventID FutexEventID SchedSetaffinityEventID SchedGetaffinityEventID SetThreadAreaEventID IoSetupEventID IoDestroyEventID IoGeteventsEventID IoSubmitEventID IoCancelEventID GetThreadAreaEventID EpollCreateEventID EpollCtlOldEventID EpollWaitOldEventID RemapFilePagesEventID Getdents64EventID SetTidAddressEventID RestartSyscallEventID SemtimedopEventID Fadvise64EventID TimerCreateEventID TimerSettimeEventID TimerGettimeEventID TimerGetoverrunEventID TimerDeleteEventID ClockSettimeEventID ClockGettimeEventID ClockGetresEventID ClockNanosleepEventID ExitGroupEventID EpollWaitEventID EpollCtlEventID TgkillEventID UtimesEventID VserverEventID MbindEventID SetMempolicyEventID GetMempolicyEventID MqOpenEventID MqUnlinkEventID MqTimedsendEventID MqTimedreceiveEventID MqNotifyEventID MqGetsetattrEventID KexecLoadEventID WaitidEventID AddKeyEventID RequestKeyEventID KeyctlEventID IoprioSetEventID IoprioGetEventID InotifyInitEventID InotifyAddWatchEventID InotifyRmWatchEventID MigratePagesEventID OpenatEventID MkdiratEventID MknodatEventID FchownatEventID FutimesatEventID NewfstatatEventID UnlinkatEventID RenameatEventID LinkatEventID SymlinkatEventID ReadlinkatEventID FchmodatEventID FaccessatEventID Pselect6EventID PpollEventID SetRobustListEventID GetRobustListEventID SpliceEventID TeeEventID SyncFileRangeEventID VmspliceEventID MovePagesEventID UtimensatEventID EpollPwaitEventID SignalfdEventID TimerfdCreateEventID EventfdEventID FallocateEventID TimerfdSettimeEventID TimerfdGettimeEventID Accept4EventID Signalfd4EventID Eventfd2EventID EpollCreate1EventID Dup3EventID Pipe2EventID InotifyInit1EventID PreadvEventID PwritevEventID RtTgsigqueueinfoEventID PerfEventOpenEventID RecvmmsgEventID FanotifyInitEventID FanotifyMarkEventID Prlimit64EventID NameToHandleAtEventID OpenByHandleAtEventID ClockAdjtimeEventID SyncfsEventID SendmmsgEventID SetnsEventID GetcpuEventID ProcessVmReadvEventID ProcessVmWritevEventID KcmpEventID FinitModuleEventID SchedSetattrEventID SchedGetattrEventID Renameat2EventID SeccompEventID GetrandomEventID MemfdCreateEventID KexecFileLoadEventID BpfEventID ExecveatEventID UserfaultfdEventID MembarrierEventID Mlock2EventID CopyFileRangeEventID Preadv2EventID Pwritev2EventID PkeyMprotectEventID PkeyAllocEventID PkeyFreeEventID StatxEventID IoPgeteventsEventID RseqEventID SysEnterEventID SysExitEventID DoExitEventID CapCapableEventID SecurityBprmCheckEventID SecurityFileOpenEventID SecurityInodeUnlinkEventID VfsWriteEventID VfsWritevEventID MemProtAlertEventID SchedProcessExitEventID )
events should match defined values in ebpf code
Variables ¶
var EventsIDToEvent = map[int32]EventConfig{}/* 346 elements not displayed */
EventsIDToEvent is list of supported events, indexed by their ID
var EventsIDToParams = map[int32][]param{}/* 334 elements not displayed */
EventsIDToParams is list of the parameters (name and type) used by the events
Functions ¶
func CopyFileByPath ¶ added in v0.3.0
CopyFileByPath copies a file from src to dst
func MergeErrors ¶ added in v0.0.3
MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.
func Print16BytesSliceIP ¶
Print16BytesSliceIP prints the IP address encoded as 16 bytes long PrintBytesSliceIP It would be more correct to accept a [16]byte instead of variable lenth slice, but that would case unnecessary memory copying and type conversions
func PrintAccessMode ¶
http://man7.org/linux/man-pages/man2/access.2.html https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/unistd.h.html#tag_13_77_03_04
func PrintAlert ¶ added in v0.0.2
func PrintAlert(alert alert) string
PrintAlert prints the encoded alert message and output file path if required
func PrintBPFCmd ¶ added in v0.3.1
PrintBPFCmd prints the `cmd` argument of the `bpf` syscall https://man7.org/linux/man-pages/man2/bpf.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h
func PrintCapability ¶
PrintCapability prints the `capability` bitmask argument of the `cap_capable` function include/uapi/linux/capability.h
func PrintCloneFlags ¶ added in v0.0.3
PrintCloneFlags prints the `flags` bitmask argument of the `clone` syscall https://man7.org/linux/man-pages/man2/clone.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/sched.h
func PrintExecFlags ¶
PrintExecFlags prints the `flags` bitmask argument of the `execve` syscall http://man7.org/linux/man-pages/man2/axecveat.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fcntl.h#L94
func PrintInodeMode ¶
PrintInodeMode prints the `mode` bitmask argument of the `mknod` syscall http://man7.org/linux/man-pages/man7/inode.7.html
func PrintMemProt ¶
PrintMemProt prints the `prot` bitmask argument of the `mmap` syscall http://man7.org/linux/man-pages/man2/mmap.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/mman-common.h#L10
func PrintOpenFlags ¶
PrintOpenFlags prints the `flags` bitmask argument of the `open` syscall http://man7.org/linux/man-pages/man2/open.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/fcntl.h
func PrintPrctlOption ¶
PrintPrctlOption prints the `option` argument of the `prctl` syscall http://man7.org/linux/man-pages/man2/prctl.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/prctl.h
func PrintPtraceRequest ¶
PrintPtraceRequest prints the `request` argument of the `ptrace` syscall http://man7.org/linux/man-pages/man2/ptrace.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/ptrace.h
func PrintSocketDomain ¶
PrintSocketDomain prints the `domain` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html
func PrintSocketType ¶
PrintSocketType prints the `type` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html https://elixir.bootlin.com/linux/v5.5.3/source/arch/mips/include/asm/socket.h
func PrintUint32IP ¶
PrintUint32IP prints the IP address encoded as a uint32
func UnameRelease ¶ added in v0.3.0
func UnameRelease() string
UnameRelease gets the version string of the current running kernel
Types ¶
type Argument ¶ added in v0.0.3
type Argument struct {
Name string `json:"name"`
Value interface{} `json:"value"`
}
Argument holds the information for one argument
type Event ¶ added in v0.0.2
type Event struct {
Timestamp float64 `json:"timestamp"`
ProcessID int `json:"processId"`
ThreadID int `json:"threadId"`
ParentProcessID int `json:"parentProcessId"`
HostProcessID int `json:"hostProcessId"`
HostThreadID int `json:"hostThreadId"`
HostParentProcessID int `json:"hostParentProcessId"`
UserID int `json:"userId"`
MountNS int `json:"mountNamespace"`
PIDNS int `json:"pidNamespace"`
ProcessName string `json:"processName"`
HostName string `json:"hostName"`
EventID int `json:"eventId,string"`
EventName string `json:"eventName"`
ArgsNum int `json:"argsNum"`
ReturnValue int `json:"returnValue"`
Args []Argument `json:"args"` //Arguments are ordered according their appearance in the original event
}
Event is a user facing data structure representing a single event
type EventConfig ¶ added in v0.0.2
type EventConfig struct {
ID int32
ID32Bit int32
Name string
Probes []probe
EssentialEvent bool
Sets []string
}
EventConfig is a struct describing an event configuration
type RawEvent ¶ added in v0.0.3
type RawEvent struct {
Ctx context
RawArgs map[argTag]interface{}
ArgsTags []argTag
}
type Tracee ¶
type Tracee struct {
DecParamName [2]map[argTag]string
EncParamName [2]map[string]argTag
// contains filtered or unexported fields
}
Tracee traces system calls and system events using eBPF
func New ¶
func New(cfg TraceeConfig) (*Tracee, error)
New creates a new Tracee instance based on a given valid TraceeConfig
func (*Tracee) WaitForPipeline ¶ added in v0.0.3
WaitForPipeline waits for results from all error channels.
type TraceeConfig ¶
type TraceeConfig struct {
EventsToTrace []int32
Mode uint32
Filter *Filter
PidsToTrace []int
DetectOriginalSyscall bool
ShowExecEnv bool
OutputFormat string
PerfBufferSize int
BlobPerfBufferSize int
OutputPath string
CaptureWrite bool
CaptureExec bool
CaptureMem bool
FilterFileWrite []string
SecurityAlerts bool
EventsFile *os.File
ErrorsFile *os.File
BPFObjPath string
// contains filtered or unexported fields
}
TraceeConfig is a struct containing user defined configuration of tracee
func (TraceeConfig) Validate ¶
func (tc TraceeConfig) Validate() error
Validate does static validation of the configuration
Source Files