tracee

package
v0.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 24, 2021 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	LessNotSetUint    uint64 = 0
	GreaterNotSetUint uint64 = math.MaxUint64
	LessNotSetInt     int64  = math.MinInt64
	GreaterNotSetInt  int64  = math.MaxInt64
)

Set default inequality values val<0 and val>math.MaxUint64 should never be used by the user as they give an empty set

View Source 
const (
	SysEnterEventID int32 = iota + 1000
	SysExitEventID
	DoExitEventID
	CapCapableEventID
	SecurityBprmCheckEventID
	SecurityFileOpenEventID
	SecurityInodeUnlinkEventID
	VfsWriteEventID
	VfsWritevEventID
	MemProtAlertEventID
	SchedProcessExitEventID
	MaxEventID
)

Non syscalls events (used by all architectures) events should match defined values in ebpf code

View Source 
const (
	ReadEventID                int32 = 0
	WriteEventID               int32 = 1
	OpenEventID                int32 = 2
	CloseEventID               int32 = 3
	StatEventID                int32 = 4
	FstatEventID               int32 = 5
	LstatEventID               int32 = 6
	PollEventID                int32 = 7
	LseekEventID               int32 = 8
	MmapEventID                int32 = 9
	MprotectEventID            int32 = 10
	MunmapEventID              int32 = 11
	BrkEventID                 int32 = 12
	RtSigactionEventID         int32 = 13
	RtSigprocmaskEventID       int32 = 14
	RtSigreturnEventID         int32 = 15
	IoctlEventID               int32 = 16
	Pread64EventID             int32 = 17
	Pwrite64EventID            int32 = 18
	ReadvEventID               int32 = 19
	WritevEventID              int32 = 20
	AccessEventID              int32 = 21
	PipeEventID                int32 = 22
	SelectEventID              int32 = 23
	SchedYieldEventID          int32 = 24
	MremapEventID              int32 = 25
	MsyncEventID               int32 = 26
	MincoreEventID             int32 = 27
	MadviseEventID             int32 = 28
	ShmgetEventID              int32 = 29
	ShmatEventID               int32 = 30
	ShmctlEventID              int32 = 31
	DupEventID                 int32 = 32
	Dup2EventID                int32 = 33
	PauseEventID               int32 = 34
	NanosleepEventID           int32 = 35
	GetitimerEventID           int32 = 36
	AlarmEventID               int32 = 37
	SetitimerEventID           int32 = 38
	GetpidEventID              int32 = 39
	SendfileEventID            int32 = 40
	SocketEventID              int32 = 41
	ConnectEventID             int32 = 42
	AcceptEventID              int32 = 43
	SendtoEventID              int32 = 44
	RecvfromEventID            int32 = 45
	SendmsgEventID             int32 = 46
	RecvmsgEventID             int32 = 47
	ShutdownEventID            int32 = 48
	BindEventID                int32 = 49
	ListenEventID              int32 = 50
	GetsocknameEventID         int32 = 51
	GetpeernameEventID         int32 = 52
	SocketpairEventID          int32 = 53
	SetsockoptEventID          int32 = 54
	GetsockoptEventID          int32 = 55
	CloneEventID               int32 = 56
	ForkEventID                int32 = 57
	VforkEventID               int32 = 58
	ExecveEventID              int32 = 59
	ExitEventID                int32 = 60
	Wait4EventID               int32 = 61
	KillEventID                int32 = 62
	UnameEventID               int32 = 63
	SemgetEventID              int32 = 64
	SemopEventID               int32 = 65
	SemctlEventID              int32 = 66
	ShmdtEventID               int32 = 67
	MsggetEventID              int32 = 68
	MsgsndEventID              int32 = 69
	MsgrcvEventID              int32 = 70
	MsgctlEventID              int32 = 71
	FcntlEventID               int32 = 72
	FlockEventID               int32 = 73
	FsyncEventID               int32 = 74
	FdatasyncEventID           int32 = 75
	TruncateEventID            int32 = 76
	FtruncateEventID           int32 = 77
	GetdentsEventID            int32 = 78
	GetcwdEventID              int32 = 79
	ChdirEventID               int32 = 80
	FchdirEventID              int32 = 81
	RenameEventID              int32 = 82
	MkdirEventID               int32 = 83
	RmdirEventID               int32 = 84
	CreatEventID               int32 = 85
	LinkEventID                int32 = 86
	UnlinkEventID              int32 = 87
	SymlinkEventID             int32 = 88
	ReadlinkEventID            int32 = 89
	ChmodEventID               int32 = 90
	FchmodEventID              int32 = 91
	ChownEventID               int32 = 92
	FchownEventID              int32 = 93
	LchownEventID              int32 = 94
	UmaskEventID               int32 = 95
	GettimeofdayEventID        int32 = 96
	GetrlimitEventID           int32 = 97
	GetrusageEventID           int32 = 98
	SysinfoEventID             int32 = 99
	TimesEventID               int32 = 100
	PtraceEventID              int32 = 101
	GetuidEventID              int32 = 102
	SyslogEventID              int32 = 103
	GetgidEventID              int32 = 104
	SetuidEventID              int32 = 105
	SetgidEventID              int32 = 106
	GeteuidEventID             int32 = 107
	GetegidEventID             int32 = 108
	SetpgidEventID             int32 = 109
	GetppidEventID             int32 = 110
	GetpgrpEventID             int32 = 111
	SetsidEventID              int32 = 112
	SetreuidEventID            int32 = 113
	SetregidEventID            int32 = 114
	GetgroupsEventID           int32 = 115
	SetgroupsEventID           int32 = 116
	SetresuidEventID           int32 = 117
	GetresuidEventID           int32 = 118
	SetresgidEventID           int32 = 119
	GetresgidEventID           int32 = 120
	GetpgidEventID             int32 = 121
	SetfsuidEventID            int32 = 122
	SetfsgidEventID            int32 = 123
	GetsidEventID              int32 = 124
	CapgetEventID              int32 = 125
	CapsetEventID              int32 = 126
	RtSigpendingEventID        int32 = 127
	RtSigtimedwaitEventID      int32 = 128
	RtSigqueueinfoEventID      int32 = 129
	RtSigsuspendEventID        int32 = 130
	SigaltstackEventID         int32 = 131
	UtimeEventID               int32 = 132
	MknodEventID               int32 = 133
	UselibEventID              int32 = 134
	PersonalityEventID         int32 = 135
	UstatEventID               int32 = 136
	StatfsEventID              int32 = 137
	FstatfsEventID             int32 = 138
	SysfsEventID               int32 = 139
	GetpriorityEventID         int32 = 140
	SetpriorityEventID         int32 = 141
	SchedSetparamEventID       int32 = 142
	SchedGetparamEventID       int32 = 143
	SchedSetschedulerEventID   int32 = 144
	SchedGetschedulerEventID   int32 = 145
	SchedGetPriorityMaxEventID int32 = 146
	SchedGetPriorityMinEventID int32 = 147
	SchedRrGetIntervalEventID  int32 = 148
	MlockEventID               int32 = 149
	MunlockEventID             int32 = 150
	MlockallEventID            int32 = 151
	MunlockallEventID          int32 = 152
	VhangupEventID             int32 = 153
	ModifyLdtEventID           int32 = 154
	PivotRootEventID           int32 = 155
	SysctlEventID              int32 = 156
	PrctlEventID               int32 = 157
	ArchPrctlEventID           int32 = 158
	AdjtimexEventID            int32 = 159
	SetrlimitEventID           int32 = 160
	ChrootEventID              int32 = 161
	SyncEventID                int32 = 162
	AcctEventID                int32 = 163
	SettimeofdayEventID        int32 = 164
	MountEventID               int32 = 165
	UmountEventID              int32 = 166
	SwaponEventID              int32 = 167
	SwapoffEventID             int32 = 168
	RebootEventID              int32 = 169
	SethostnameEventID         int32 = 170
	SetdomainnameEventID       int32 = 171
	IoplEventID                int32 = 172
	IopermEventID              int32 = 173
	CreateModuleEventID        int32 = 174
	InitModuleEventID          int32 = 175
	DeleteModuleEventID        int32 = 176
	GetKernelSymsEventID       int32 = 177
	QueryModuleEventID         int32 = 178
	QuotactlEventID            int32 = 179
	NfsservctlEventID          int32 = 180
	GetpmsgEventID             int32 = 181
	PutpmsgEventID             int32 = 182
	AfsEventID                 int32 = 183
	TuxcallEventID             int32 = 184
	SecurityEventID            int32 = 185
	GettidEventID              int32 = 186
	ReadaheadEventID           int32 = 187
	SetxattrEventID            int32 = 188
	LsetxattrEventID           int32 = 189
	FsetxattrEventID           int32 = 190
	GetxattrEventID            int32 = 191
	LgetxattrEventID           int32 = 192
	FgetxattrEventID           int32 = 193
	ListxattrEventID           int32 = 194
	LlistxattrEventID          int32 = 195
	FlistxattrEventID          int32 = 196
	RemovexattrEventID         int32 = 197
	LremovexattrEventID        int32 = 198
	FremovexattrEventID        int32 = 199
	TkillEventID               int32 = 200
	TimeEventID                int32 = 201
	FutexEventID               int32 = 202
	SchedSetaffinityEventID    int32 = 203
	SchedGetaffinityEventID    int32 = 204
	SetThreadAreaEventID       int32 = 205
	IoSetupEventID             int32 = 206
	IoDestroyEventID           int32 = 207
	IoGeteventsEventID         int32 = 208
	IoSubmitEventID            int32 = 209
	IoCancelEventID            int32 = 210
	GetThreadAreaEventID       int32 = 211
	LookupDcookieEventID       int32 = 212
	EpollCreateEventID         int32 = 213
	EpollCtlOldEventID         int32 = 214
	EpollWaitOldEventID        int32 = 215
	RemapFilePagesEventID      int32 = 216
	Getdents64EventID          int32 = 217
	SetTidAddressEventID       int32 = 218
	RestartSyscallEventID      int32 = 219
	SemtimedopEventID          int32 = 220
	Fadvise64EventID           int32 = 221
	TimerCreateEventID         int32 = 222
	TimerSettimeEventID        int32 = 223
	TimerGettimeEventID        int32 = 224
	TimerGetoverrunEventID     int32 = 225
	TimerDeleteEventID         int32 = 226
	ClockSettimeEventID        int32 = 227
	ClockGettimeEventID        int32 = 228
	ClockGetresEventID         int32 = 229
	ClockNanosleepEventID      int32 = 230
	ExitGroupEventID           int32 = 231
	EpollWaitEventID           int32 = 232
	EpollCtlEventID            int32 = 233
	TgkillEventID              int32 = 234
	UtimesEventID              int32 = 235
	VserverEventID             int32 = 236
	MbindEventID               int32 = 237
	SetMempolicyEventID        int32 = 238
	GetMempolicyEventID        int32 = 239
	MqOpenEventID              int32 = 240
	MqUnlinkEventID            int32 = 241
	MqTimedsendEventID         int32 = 242
	MqTimedreceiveEventID      int32 = 243
	MqNotifyEventID            int32 = 244
	MqGetsetattrEventID        int32 = 245
	KexecLoadEventID           int32 = 246
	WaitidEventID              int32 = 247
	AddKeyEventID              int32 = 248
	RequestKeyEventID          int32 = 249
	KeyctlEventID              int32 = 250
	IoprioSetEventID           int32 = 251
	IoprioGetEventID           int32 = 252
	InotifyInitEventID         int32 = 253
	InotifyAddWatchEventID     int32 = 254
	InotifyRmWatchEventID      int32 = 255
	MigratePagesEventID        int32 = 256
	OpenatEventID              int32 = 257
	MkdiratEventID             int32 = 258
	MknodatEventID             int32 = 259
	FchownatEventID            int32 = 260
	FutimesatEventID           int32 = 261
	NewfstatatEventID          int32 = 262
	UnlinkatEventID            int32 = 263
	RenameatEventID            int32 = 264
	LinkatEventID              int32 = 265
	SymlinkatEventID           int32 = 266
	ReadlinkatEventID          int32 = 267
	FchmodatEventID            int32 = 268
	FaccessatEventID           int32 = 269
	Pselect6EventID            int32 = 270
	PpollEventID               int32 = 271
	UnshareEventID             int32 = 272
	SetRobustListEventID       int32 = 273
	GetRobustListEventID       int32 = 274
	SpliceEventID              int32 = 275
	TeeEventID                 int32 = 276
	SyncFileRangeEventID       int32 = 277
	VmspliceEventID            int32 = 278
	MovePagesEventID           int32 = 279
	UtimensatEventID           int32 = 280
	EpollPwaitEventID          int32 = 281
	SignalfdEventID            int32 = 282
	TimerfdCreateEventID       int32 = 283
	EventfdEventID             int32 = 284
	FallocateEventID           int32 = 285
	TimerfdSettimeEventID      int32 = 286
	TimerfdGettimeEventID      int32 = 287
	Accept4EventID             int32 = 288
	Signalfd4EventID           int32 = 289
	Eventfd2EventID            int32 = 290
	EpollCreate1EventID        int32 = 291
	Dup3EventID                int32 = 292
	Pipe2EventID               int32 = 293
	InotifyInit1EventID        int32 = 294
	PreadvEventID              int32 = 295
	PwritevEventID             int32 = 296
	RtTgsigqueueinfoEventID    int32 = 297
	PerfEventOpenEventID       int32 = 298
	RecvmmsgEventID            int32 = 299
	FanotifyInitEventID        int32 = 300
	FanotifyMarkEventID        int32 = 301
	Prlimit64EventID           int32 = 302
	NameToHandleAtEventID      int32 = 303
	OpenByHandleAtEventID      int32 = 304
	ClockAdjtimeEventID        int32 = 305
	SyncfsEventID              int32 = 306
	SendmmsgEventID            int32 = 307
	SetnsEventID               int32 = 308
	GetcpuEventID              int32 = 309
	ProcessVmReadvEventID      int32 = 310
	ProcessVmWritevEventID     int32 = 311
	KcmpEventID                int32 = 312
	FinitModuleEventID         int32 = 313
	SchedSetattrEventID        int32 = 314
	SchedGetattrEventID        int32 = 315
	Renameat2EventID           int32 = 316
	SeccompEventID             int32 = 317
	GetrandomEventID           int32 = 318
	MemfdCreateEventID         int32 = 319
	KexecFileLoadEventID       int32 = 320
	BpfEventID                 int32 = 321
	ExecveatEventID            int32 = 322
	UserfaultfdEventID         int32 = 323
	MembarrierEventID          int32 = 324
	Mlock2EventID              int32 = 325
	CopyFileRangeEventID       int32 = 326
	Preadv2EventID             int32 = 327
	Pwritev2EventID            int32 = 328
	PkeyMprotectEventID        int32 = 329
	PkeyAllocEventID           int32 = 330
	PkeyFreeEventID            int32 = 331
	StatxEventID               int32 = 332
	IoPgeteventsEventID        int32 = 333
	RseqEventID                int32 = 334
	// 335 through 423 are unassigned to sync up with generic numbers
	PidfdSendSignalEventID int32 = 424
	IoUringSetupEventID    int32 = 425
	IoUringEnterEventID    int32 = 426
	IoUringRegisterEventID int32 = 427
	OpenTreeEventID        int32 = 428
	MoveMountEventID       int32 = 429
	FsopenEventID          int32 = 430
	FsconfigEventID        int32 = 431
	FsmountEventID         int32 = 432
	FspickEventID          int32 = 433
	PidfdOpenEventID       int32 = 434
	Clone3EventID          int32 = 435
	CloseRangeEventID      int32 = 436
	Openat2EventID         int32 = 437
	PidfdGetfdEventID      int32 = 438
	Faccessat2EventID      int32 = 439
	ProcessMadviseEventID  int32 = 440
	EpollPwait2EventID     int32 = 441
)

x86 64bit syscall numbers Also used as event IDs https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl

Variables

View Source 
var EventsIDToEvent = map[int32]EventConfig{}/* 364 elements not displayed */

EventsIDToEvent is list of supported events, indexed by their ID

View Source 
var EventsIDToParams = map[int32][]external.ArgMeta{}/* 352 elements not displayed */

EventsIDToParams is list of the parameters (name and type) used by the events

Functions

func CopyFileByPath added in v0.3.0 

func CopyFileByPath(src, dst string) error

CopyFileByPath copies a file from src to dst

func MergeErrors added in v0.0.3 

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

func Print16BytesSliceIP 

func Print16BytesSliceIP(in []byte) string

Print16BytesSliceIP prints the IP address encoded as 16 bytes long PrintBytesSliceIP It would be more correct to accept a [16]byte instead of variable lenth slice, but that would case unnecessary memory copying and type conversions

func PrintAccessMode 

func PrintAccessMode(mode uint32) string

http://man7.org/linux/man-pages/man2/access.2.html https://pubs.opengroup.org/onlinepubs/9699919799/basedefs/unistd.h.html#tag_13_77_03_04

func PrintAlert added in v0.0.2 

func PrintAlert(alert alert) string

PrintAlert prints the encoded alert message and output file path if required

func PrintBPFCmd added in v0.3.1 

func PrintBPFCmd(cmd int32) string

PrintBPFCmd prints the `cmd` argument of the `bpf` syscall https://man7.org/linux/man-pages/man2/bpf.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/bpf.h

func PrintCapability 

func PrintCapability(cap int32) string

PrintCapability prints the `capability` bitmask argument of the `cap_capable` function include/uapi/linux/capability.h

func PrintCloneFlags added in v0.0.3 

func PrintCloneFlags(flags uint64) string

PrintCloneFlags prints the `flags` bitmask argument of the `clone` syscall https://man7.org/linux/man-pages/man2/clone.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/sched.h

func PrintExecFlags 

func PrintExecFlags(flags uint32) string

PrintExecFlags prints the `flags` bitmask argument of the `execve` syscall http://man7.org/linux/man-pages/man2/axecveat.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/fcntl.h#L94

func PrintInodeMode 

func PrintInodeMode(mode uint32) string

PrintInodeMode prints the `mode` bitmask argument of the `mknod` syscall http://man7.org/linux/man-pages/man7/inode.7.html

func PrintMemProt 

func PrintMemProt(prot uint32) string

PrintMemProt prints the `prot` bitmask argument of the `mmap` syscall http://man7.org/linux/man-pages/man2/mmap.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/mman-common.h#L10

func PrintOpenFlags 

func PrintOpenFlags(flags uint32) string

PrintOpenFlags prints the `flags` bitmask argument of the `open` syscall http://man7.org/linux/man-pages/man2/open.2.html https://elixir.bootlin.com/linux/v5.5.3/source/include/uapi/asm-generic/fcntl.h

func PrintPrctlOption 

func PrintPrctlOption(op int32) string

PrintPrctlOption prints the `option` argument of the `prctl` syscall http://man7.org/linux/man-pages/man2/prctl.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/prctl.h

func PrintPtraceRequest 

func PrintPtraceRequest(req int64) string

PrintPtraceRequest prints the `request` argument of the `ptrace` syscall http://man7.org/linux/man-pages/man2/ptrace.2.html https://elixir.bootlin.com/linux/latest/source/include/uapi/linux/ptrace.h

func PrintSocketDomain 

func PrintSocketDomain(sd uint32) string

PrintSocketDomain prints the `domain` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html

func PrintSocketType 

func PrintSocketType(st uint32) string

PrintSocketType prints the `type` bitmask argument of the `socket` syscall http://man7.org/linux/man-pages/man2/socket.2.html https://elixir.bootlin.com/linux/v5.5.3/source/arch/mips/include/asm/socket.h

func PrintUint32IP 

func PrintUint32IP(in uint32) string

PrintUint32IP prints the IP address encoded as a uint32

func UnameRelease added in v0.3.0 

func UnameRelease() string

UnameRelease gets the version string of the current running kernel

Types

type ArgFilter added in v0.4.0 

type ArgFilter struct {
	Filters map[int32]map[string]ArgFilterVal // key to the first map is event id, and to the second map the argument name
	Enabled bool
}

type ArgFilterVal added in v0.4.0 

type ArgFilterVal struct {
	Equal    []string
	NotEqual []string
	// contains filtered or unexported fields
}

type BoolFilter added in v0.4.0 

type BoolFilter struct {
	Value   bool
	Enabled bool
}

type CaptureConfig added in v0.4.0 

type CaptureConfig struct {
	OutputPath      string
	FileWrite       bool
	FilterFileWrite []string
	Exec            bool
	Mem             bool
}

type EventConfig added in v0.0.2 

type EventConfig struct {
	ID             int32
	ID32Bit        int32
	Name           string
	Probes         []probe
	EssentialEvent bool
	Sets           []string
}

EventConfig is a struct describing an event configuration

type Filter added in v0.3.0 

type Filter struct {
	EventsToTrace []int32
	UIDFilter     *UintFilter
	PIDFilter     *UintFilter
	NewPidFilter  *BoolFilter
	MntNSFilter   *UintFilter
	PidNSFilter   *UintFilter
	UTSFilter     *StringFilter
	CommFilter    *StringFilter
	ContFilter    *BoolFilter
	NewContFilter *BoolFilter
	RetFilter     *RetFilter
	ArgFilter     *ArgFilter
	Follow        bool
}

type IntFilter added in v0.4.0 

type IntFilter struct {
	Equal    []int64
	NotEqual []int64
	Greater  int64
	Less     int64
	Is32Bit  bool
	Enabled  bool
}

type OutputConfig added in v0.4.0 

type OutputConfig struct {
	Format         string
	OutPath        string
	ErrPath        string
	EOT            bool
	StackAddresses bool
	DetectSyscall  bool
	ExecEnv        bool
}

func (OutputConfig) Validate added in v0.4.0 

func (cfg OutputConfig) Validate() error

Validate does static validation of the configuration

type RawEvent added in v0.0.3 

type RawEvent struct {
	Ctx      context
	RawArgs  map[argTag]interface{}
	ArgsTags []argTag
}

type RetFilter added in v0.4.0 

type RetFilter struct {
	Filters map[int32]IntFilter
	Enabled bool
}

type StringFilter added in v0.4.0 

type StringFilter struct {
	Equal    []string
	NotEqual []string
	Enabled  bool
}

type Tracee 

type Tracee struct {
	DecParamName [2]map[argTag]external.ArgMeta
	EncParamName [2]map[string]argTag

	StackAddressesMap *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New 

func New(cfg TraceeConfig) (*Tracee, error)

New creates a new Tracee instance based on a given valid TraceeConfig

func (*Tracee) Close 

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) Run 

func (t *Tracee) Run() error

Run starts the trace. it will run until interrupted

func (*Tracee) WaitForPipeline added in v0.0.3 

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

type TraceeConfig 

type TraceeConfig struct {
	Filter             *Filter
	Capture            *CaptureConfig
	Output             *OutputConfig
	PerfBufferSize     int
	BlobPerfBufferSize int
	SecurityAlerts     bool

	BPFObjPath string
	// contains filtered or unexported fields
}

TraceeConfig is a struct containing user defined configuration of tracee

func (TraceeConfig) Validate 

func (tc TraceeConfig) Validate() error

Validate does static validation of the configuration

type UintFilter added in v0.4.0 

type UintFilter struct {
	Equal    []uint64
	NotEqual []uint64
	Greater  uint64
	Less     uint64
	Is32Bit  bool
	Enabled  bool
}

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.