ebpf

package
v0.8.0-rc-2 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Jul 14, 2022 License: Apache-2.0 Imports: 44 Imported by: 1

Documentation

Index

Constants

// Consecutive integer constants, numbered from zero.
// NOTE(review): the names suggest slots for a file_operations pointer and its
// iterate_shared / iterate handlers; confirm against the code that uses them.
const (
	StructFopsPointer int = 0
	IterateShared     int = 1
	Iterate           int = 2
)
// Default ("not set") values for the inequality bounds of integer filters.
// As bounds, each one describes an empty set: no uint64 is < 0 or
// > math.MaxUint64, and no int64 is < math.MinInt64 or > math.MaxInt64.
// NOTE(review): a user-supplied bound equal to one of these values would
// presumably be indistinguishable from "not set"; confirm that Parse rejects it.
const (
	// Unsigned defaults.
	LessNotSetUint, GreaterNotSetUint uint64 = 0, math.MaxUint64

	// Signed defaults.
	LessNotSetInt, GreaterNotSetInt int64 = math.MinInt64, math.MaxInt64
)

Set default inequality values. val<0 and val>math.MaxUint64 should never be used by the user, as they give an empty set.

// Single-bit int32 values; each constant occupies its own bit, so several can
// be combined with bitwise OR.
// NOTE(review): the names suggest selectors passed through an ioctl to request
// a syscall-table fetch or a hooked seq_ops check; confirm against the caller.
const (
	IoctlFetchSyscalls int32 = 1 << 0
	IoctlHookedSeqOps  int32 = 1 << 1
)

Variables

This section is empty.

Functions

func CopyFileByPath

func CopyFileByPath(src, dst string) error

CopyFileByPath copies a file from src to dst

func CreateNetEvent

func CreateNetEvent(eventMeta bufferdecoder.NetEventMetadata, ctx procinfo.ProcessCtx, eventName string) trace.Event

CreateNetEvent creates and returns event 'eventName'

func GetCaptureEventsList added in v0.8.0

func GetCaptureEventsList(cfg *Config) map[events.ID]eventConfig

GetCaptureEventsList sets events used to capture data

func GetEssentialEventsList added in v0.8.0

func GetEssentialEventsList(cfg *Config) map[events.ID]eventConfig

GetEssentialEventsList sets the default events used by tracee

func MatchFilter added in v0.8.0

func MatchFilter(filters []string, argValStr string) bool

func MergeErrors

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

func ParseIface added in v0.8.0

func ParseIface(operatorAndValues string, ifacesList *[]string) error

Types

type ArgFilter

// ArgFilter holds string filters on event arguments, organised per event and
// per argument name.
type ArgFilter struct {
	// Filters maps an event ID to a map from argument name to the
	// Equal/NotEqual values for that argument.
	Filters map[events.ID]map[string]ArgFilterVal // key to the first map is event id, and to the second map the argument name
	// Enabled presumably records whether any argument filter was configured (confirm against Parse).
	Enabled bool
}

func (*ArgFilter) Parse

func (filter *ArgFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]events.ID) error

type ArgFilterVal

// ArgFilterVal carries the two string lists of a single argument filter.
// NOTE(review): presumably Equal lists values to match and NotEqual values to
// exclude; confirm against ArgFilter.Parse.
type ArgFilterVal struct {
	Equal, NotEqual []string
}

type BoolFilter

// BoolFilter is a filter over a boolean property.
// NOTE(review): presumably Value is the required value and Enabled tells
// whether the filter is active; confirm against Parse and FilterOut.
type BoolFilter struct {
	Value, Enabled bool
}

func (*BoolFilter) FilterOut

func (filter *BoolFilter) FilterOut() bool

func (*BoolFilter) Parse

func (filter *BoolFilter) Parse(value string) error

type CaptureConfig

// CaptureConfig groups the options that control artifact capture.
// NOTE(review): the field descriptions below are inferred from the field names
// only; confirm each against the implementation.
// Captured files, memory and network traffic can contain secrets, so the
// location behind OutputPath presumably needs restrictive permissions (verify).
type CaptureConfig struct {
	// presumably the directory captured artifacts are written to
	OutputPath      string
	// presumably enables capture of written files
	FileWrite       bool
	// presumably enables capture of loaded kernel modules
	Module          bool
	// presumably path filters applied to written-file capture
	FilterFileWrite []string
	// presumably enables capture of executed binaries
	Exec            bool
	// presumably enables capture of memory regions
	Mem             bool
	// presumably enables profiling of executed binaries
	Profile         bool
	// presumably the network interfaces to capture traffic from
	NetIfaces       []string
	// presumably split network captures per container / per process
	NetPerContainer bool
	NetPerProcess   bool
}

type Config

// Config is the user-defined configuration of tracee; New takes a Config and
// Validate performs static validation of it.
// NOTE(review): field descriptions below are inferred from names and types;
// confirm against the implementation.
type Config struct {
	// What to trace, what to capture, and how output is shaped.
	Filter             *Filter
	Capture            *CaptureConfig
	Output             *OutputConfig
	Cache              queue.CacheConfig
	// presumably sizes of the perf buffers for events and for blob data (units not visible here)
	PerfBufferSize     int
	BlobPerfBufferSize int
	Debug              bool

	BTFObjPath       string
	// NOTE(review): BPFObjPath / BPFObjBytes presumably supply the eBPF object
	// that gets loaded into the kernel; it should come from a trusted location
	// that unprivileged users cannot write to (confirm what Validate checks).
	BPFObjPath       string
	BPFObjBytes      []byte
	KernelConfig     *helpers.KernelConfig
	// Channels carrying trace events and errors (direction is not fixed by the type).
	ChanEvents       chan trace.Event
	ChanErrors       chan error
	ProcessInfo      bool
	OSInfo           *helpers.OSInfo
	Sockets          runtime.Sockets
	ContainersEnrich bool
	// contains filtered or unexported fields
}

Config is a struct containing user defined configuration of tracee

func (Config) Validate

func (tc Config) Validate() error

Validate does static validation of the configuration

type ContIDFilter

// ContIDFilter is a string filter; going by its name it applies to container IDs.
// NOTE(review): presumably Equal lists IDs to include and NotEqual IDs to
// exclude; confirm against Parse and Set.
type ContIDFilter struct {
	Equal, NotEqual []string

	// Presumably true once the filter is in use (confirm).
	Enabled bool
}

func (*ContIDFilter) FilterOut

func (filter *ContIDFilter) FilterOut() bool

func (*ContIDFilter) Parse

func (filter *ContIDFilter) Parse(operatorAndValues string) error

func (*ContIDFilter) Set

func (filter *ContIDFilter) Set(bpfModule *bpf.Module, conts *containers.Containers, filterMapName string) error

type Filter

// Filter aggregates the event list and the individual filters of a tracee
// configuration.
// NOTE(review): per-field meanings are inferred from names; confirm against the
// implementation. Filters narrow what is traced, so anything they exclude is
// presumably not observed at all. Review filter settings with that blind spot
// in mind.
type Filter struct {
	// IDs of the events to trace.
	EventsToTrace     []events.ID
	// presumably user ID and process ID filters
	UIDFilter         *UintFilter
	PIDFilter         *UintFilter
	NewPidFilter      *BoolFilter
	// presumably mount-namespace and PID-namespace filters
	MntNSFilter       *UintFilter
	PidNSFilter       *UintFilter
	// presumably UTS name (hostname) and command-name filters
	UTSFilter         *StringFilter
	CommFilter        *StringFilter
	// presumably container-related filters
	ContFilter        *BoolFilter
	NewContFilter     *BoolFilter
	ContIDFilter      *ContIDFilter
	// Per-event filters on return values and on arguments.
	RetFilter         *RetFilter
	ArgFilter         *ArgFilter
	ProcessTreeFilter *ProcessTreeFilter
	Follow            bool
	NetFilter         *IfaceFilter
}

type IfaceFilter added in v0.8.0

// IfaceFilter holds a list of interface names.
type IfaceFilter struct {
	// presumably the network interfaces whose traffic is traced (confirm against Parse)
	InterfacesToTrace []string
}

func (*IfaceFilter) Parse added in v0.8.0

func (filter *IfaceFilter) Parse(operatorAndValues string) error

type IntFilter

// IntFilter is a filter over signed 64-bit values.
// NOTE(review): field meanings are inferred from their names; confirm against Parse.
type IntFilter struct {
	// Presumably values to match and values to exclude.
	Equal, NotEqual []int64

	// Presumably lower (Greater) and upper (Less) bounds, holding
	// GreaterNotSetInt / LessNotSetInt while no bound is set (confirm).
	Greater, Less int64

	// Is32Bit presumably marks the filtered value as 32 bits wide; Enabled
	// presumably tells whether the filter is in use.
	Is32Bit, Enabled bool
}

func (*IntFilter) Parse

func (filter *IntFilter) Parse(operatorAndValues string) error

type OutputConfig

// OutputConfig groups boolean switches that shape emitted events.
// NOTE(review): the descriptions below are inferred from the field names only;
// confirm each against the implementation.
type OutputConfig struct {
	// presumably include stack addresses in events
	StackAddresses bool
	// presumably report the syscall that triggered an event
	DetectSyscall  bool
	// presumably include the environment of executed processes; environment
	// variables often hold credentials, so treat such output as sensitive
	ExecEnv        bool
	// presumably emit timestamps relative to start rather than absolute
	RelativeTime   bool
	// presumably include a hash of executed binaries
	ExecHash       bool
	// presumably render argument values in human-readable form
	ParseArguments bool
	// presumably order events before they are emitted
	EventsSorting  bool
}

type ProcessTreeFilter

// ProcessTreeFilter selects process trees by the PID of their root.
type ProcessTreeFilter struct {
	PIDs    map[uint32]bool // PIDs is a map where k=pid and v represents whether it and its descendants should be traced or not
	// presumably true once the filter is in use (confirm against Parse)
	Enabled bool
}

func (*ProcessTreeFilter) FilterOut

func (filter *ProcessTreeFilter) FilterOut() bool

func (*ProcessTreeFilter) Parse

func (filter *ProcessTreeFilter) Parse(operatorAndValues string) error

func (*ProcessTreeFilter) Set

func (filter *ProcessTreeFilter) Set(bpfModule *bpf.Module) error

type RequiredInitValues added in v0.8.0

// RequiredInitValues determines whether to initialize values that might be
// needed by eBPF programs. Its fields are all unexported and not shown here.
type RequiredInitValues struct {
	// contains filtered or unexported fields
}

RequiredInitValues determines whether to initialize values that might be needed by eBPF programs

type RetFilter

// RetFilter holds one IntFilter per event; going by its name, the filter
// applies to the event's return value (confirm against Parse).
type RetFilter struct {
	// Filters is keyed by event ID.
	Filters map[events.ID]IntFilter
	// presumably true once any return-value filter is configured (confirm)
	Enabled bool
}

func (*RetFilter) Parse

func (filter *RetFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]events.ID) error

type StringFilter

// StringFilter is a filter over string values.
// NOTE(review): field meanings are inferred from their names; confirm against
// Parse and Set.
type StringFilter struct {
	// Presumably values to match and values to exclude.
	Equal, NotEqual []string

	// Meaning of Size is not visible here (TODO confirm; possibly the
	// key size of the backing BPF map).
	Size uint

	// Presumably true once the filter is in use.
	Enabled bool
}

func (*StringFilter) FilterOut

func (filter *StringFilter) FilterOut() bool

func (*StringFilter) Parse

func (filter *StringFilter) Parse(operatorAndValues string) error

func (*StringFilter) Set

func (filter *StringFilter) Set(bpfModule *bpf.Module, filterMapName string) error

type Tracee

// Tracee traces system calls and system events using eBPF. Instances are
// created with New; most of the state is unexported and not shown here.
type Tracee struct {
	// presumably the BPF map that stores stack addresses (confirm against the code that fills it)
	StackAddressesMap *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New

func New(cfg Config) (*Tracee, error)

New creates a new Tracee instance based on a given valid Config

func (*Tracee) Close

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) Run

func (t *Tracee) Run(ctx gocontext.Context) error

Run starts the trace. It will run until ctx is cancelled.

func (*Tracee) Stats

func (t *Tracee) Stats() *metrics.Stats

func (*Tracee) WaitForPipeline

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

type UintFilter

// UintFilter is a filter over unsigned 64-bit values.
// NOTE(review): field meanings are inferred from their names; confirm against
// Parse and Set.
type UintFilter struct {
	// Presumably values to match and values to exclude.
	Equal, NotEqual []uint64

	// Presumably lower (Greater) and upper (Less) bounds, holding
	// GreaterNotSetUint / LessNotSetUint while no bound is set (confirm).
	Greater, Less uint64

	// Is32Bit presumably marks the filtered value as 32 bits wide; Enabled
	// presumably tells whether the filter is in use.
	Is32Bit, Enabled bool
}

func (*UintFilter) FilterOut

func (filter *UintFilter) FilterOut() bool

func (*UintFilter) Parse

func (filter *UintFilter) Parse(operatorAndValues string) error

func (*UintFilter) Set

func (filter *UintFilter) Set(bpfModule *bpf.Module, filterMapName string, lessIdx uint32) error

Directories

Path Synopsis
