ebpf

package

v0.8.2 Latest Latest Go to latest Published: Sep 6, 2022 License: Apache-2.0 Imports: 46 Imported by: 1

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/aquasecurity/tracee

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
func CreateNetEvent(eventMeta bufferdecoder.NetEventMetadata, ctx procinfo.ProcessCtx, ...) trace.Event
func GetCaptureEventsList(cfg Config) map[events.ID]eventConfig
func GetEssentialEventsList() map[events.ID]eventConfig
func MatchFilter(filters []string, argValStr string) bool
func MergeErrors(cs ...<-chan error) <-chan error
type CaptureConfig
type Config
- func (tc Config) Validate() error
type Filter
type InitValues
type NetIfaces
type OutputConfig
type Tracee
- func New(cfg Config) (*Tracee, error)

Constants ¶

View Source

const (
	StructFopsPointer int = iota
	IterateShared
	Iterate
)

Variables ¶

This section is empty.

Functions ¶

func CreateNetEvent ¶

func CreateNetEvent(eventMeta bufferdecoder.NetEventMetadata, ctx procinfo.ProcessCtx, eventName string) trace.Event

CreateNetEvent creates and returns event 'eventName'

func GetCaptureEventsList ¶ added in v0.8.0

func GetCaptureEventsList(cfg Config) map[events.ID]eventConfig

GetCaptureEventsList sets events used to capture data

func GetEssentialEventsList ¶ added in v0.8.0

func GetEssentialEventsList() map[events.ID]eventConfig

GetEssentialEventsList sets the default events used by tracee

func MatchFilter ¶ added in v0.8.0

func MatchFilter(filters []string, argValStr string) bool

func MergeErrors ¶

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

Types ¶

type CaptureConfig ¶

type CaptureConfig struct {
	OutputPath      string
	FileWrite       bool
	Module          bool
	FilterFileWrite []string
	Exec            bool
	Mem             bool
	Profile         bool
	NetIfaces       *NetIfaces
	NetPerContainer bool
	NetPerProcess   bool
}

type Config ¶

type Config struct {
	Filter             *Filter
	Capture            *CaptureConfig
	Output             *OutputConfig
	Cache              queue.CacheConfig
	PerfBufferSize     int
	BlobPerfBufferSize int
	Debug              bool

	BTFObjPath       string
	BPFObjPath       string
	BPFObjBytes      []byte
	KernelConfig     *helpers.KernelConfig
	ChanEvents       chan trace.Event
	ChanErrors       chan error
	ProcessInfo      bool
	OSInfo           *helpers.OSInfo
	Sockets          runtime.Sockets
	ContainersEnrich bool
	// contains filtered or unexported fields
}

Config is a struct containing user defined configuration of tracee

func (Config) Validate ¶

func (tc Config) Validate() error

Validate does static validation of the configuration

type Filter ¶

type Filter struct {
	EventsToTrace     []events.ID
	UIDFilter         *filters.UIntFilter
	PIDFilter         *filters.UIntFilter
	NewPidFilter      *filters.BoolFilter
	MntNSFilter       *filters.UIntFilter
	PidNSFilter       *filters.UIntFilter
	UTSFilter         *filters.StringFilter
	CommFilter        *filters.StringFilter
	ContFilter        *filters.BoolFilter
	NewContFilter     *filters.BoolFilter
	ContIDFilter      *filters.ContIDFilter
	RetFilter         *filters.RetFilter
	ArgFilter         *filters.ArgFilter
	ProcessTreeFilter *filters.ProcessTreeFilter
	Follow            bool
	NetFilter         *NetIfaces
}

type InitValues ¶ added in v0.8.1

type InitValues struct {
	// contains filtered or unexported fields
}

InitValues determines if to initialize values that might be needed by eBPF programs

type NetIfaces ¶ added in v0.8.1

type NetIfaces struct {
	Ifaces []string
}

func (*NetIfaces) Find ¶ added in v0.8.1

func (ifaces *NetIfaces) Find(iface string) (int, bool)

func (*NetIfaces) Interfaces ¶ added in v0.8.1

func (ifaces *NetIfaces) Interfaces() []string

func (*NetIfaces) Parse ¶ added in v0.8.1

func (filter *NetIfaces) Parse(operatorAndValues string) error

type OutputConfig ¶

type OutputConfig struct {
	StackAddresses    bool
	DetectSyscall     bool
	ExecEnv           bool
	RelativeTime      bool
	ExecHash          bool
	ParseArguments    bool
	ParseArgumentsFDs bool
	EventsSorting     bool
}

type Tracee ¶

type Tracee struct {
	StackAddressesMap *bpf.BPFMap
	FDArgPathMap      *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New ¶

func New(cfg Config) (*Tracee, error)

New creates a new Tracee instance based on a given valid Config It is expected that New will not cause external system side effects (reads, writes, etc.)

func (*Tracee) Close ¶

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) Init ¶ added in v0.8.1

func (t *Tracee) Init() error

Initialize tracee instance and it's various subsystems, potentially performing external system operations to initialize them NOTE: any initialization logic, especially one that causes side effects, should go here and not New().

func (*Tracee) Run ¶

func (t *Tracee) Run(ctx gocontext.Context) error

Run starts the trace. it will run until ctx is cancelled

func (*Tracee) Running ¶ added in v0.8.1

func (t *Tracee) Running() bool

func (*Tracee) Stats ¶

func (t *Tracee) Stats() *metrics.Stats

func (*Tracee) WaitForPipeline ¶

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
initialization
probes

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL