ebpf

package
v0.9.1 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 24, 2022 License: Apache-2.0 Imports: 49 Imported by: 1

Documentation

Index

Constants

View Source 
const (
	StructFopsPointer int = iota
	IterateShared
	Iterate
)
View Source 
const (
	UIDFilterMap         = "uid_filter"
	PIDFilterMap         = "pid_filter"
	MntNSFilterMap       = "mnt_ns_filter"
	PidNSFilterMap       = "pid_ns_filter"
	UTSFilterMap         = "uts_ns_filter"
	CommFilterMap        = "comm_filter"
	ProcessTreeFilterMap = "process_tree_map"
	CgroupIdFilterMap    = "cgroup_id_filter"
	ContIdFilter         = "cont_id_filter"
)

Variables

This section is empty.

Functions

func CreateNetEvent 

func CreateNetEvent(eventMeta bufferdecoder.NetEventMetadata, ctx procinfo.ProcessCtx, eventName string) trace.Event

CreateNetEvent creates and returns event 'eventName'

func GetCaptureEventsList added in v0.8.0 

func GetCaptureEventsList(cfg Config) map[events.ID]eventConfig

GetCaptureEventsList sets events used to capture data

func GetEssentialEventsList added in v0.8.0 

func GetEssentialEventsList() map[events.ID]eventConfig

GetEssentialEventsList sets the default events used by tracee

func MergeErrors 

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

Types

type CapabilitiesConfig added in v0.9.0 

type CapabilitiesConfig struct {
	BypassCaps bool
	AddCaps    []string
	DropCaps   []string
}

type CaptureConfig 

type CaptureConfig struct {
	OutputPath      string
	FileWrite       bool
	Module          bool
	FilterFileWrite []string
	Exec            bool
	Mem             bool
	Profile         bool
	NetIfaces       *NetIfaces
	NetPerContainer bool
	NetPerProcess   bool
}

type Config 

type Config struct {
	Filter             *Filter
	Capture            *CaptureConfig
	Capabilities       *CapabilitiesConfig
	Output             *OutputConfig
	Cache              queue.CacheConfig
	PerfBufferSize     int
	BlobPerfBufferSize int
	Debug              bool

	BTFObjPath       string
	BPFObjPath       string
	BPFObjBytes      []byte
	KernelConfig     *helpers.KernelConfig
	ChanEvents       chan trace.Event
	ChanErrors       chan error
	ProcessInfo      bool
	OSInfo           *helpers.OSInfo
	Sockets          runtime.Sockets
	ContainersEnrich bool
	// contains filtered or unexported fields
}

Config is a struct containing user defined configuration of tracee

func (Config) Validate 

func (tc Config) Validate() error

Validate does static validation of the configuration

type Filter 

type Filter struct {
	EventsToTrace     []events.ID
	UIDFilter         *filters.BPFUIntFilter
	PIDFilter         *filters.BPFUIntFilter
	NewPidFilter      *filters.BoolFilter
	MntNSFilter       *filters.BPFUIntFilter
	PidNSFilter       *filters.BPFUIntFilter
	UTSFilter         *filters.BPFStringFilter
	CommFilter        *filters.BPFStringFilter
	ContFilter        *filters.BoolFilter
	NewContFilter     *filters.BoolFilter
	ContIDFilter      *filters.ContainerFilter
	RetFilter         *filters.RetFilter
	ArgFilter         *filters.ArgFilter
	ProcessTreeFilter *filters.ProcessTreeFilter
	Follow            bool
	NetFilter         *NetIfaces
}

type InitValues added in v0.8.1 

type InitValues struct {
	// contains filtered or unexported fields
}

InitValues determines if to initialize values that might be needed by eBPF programs

type NetIfaces added in v0.8.1 

type NetIfaces struct {
	Ifaces []string
}

func (*NetIfaces) Find added in v0.8.1 

func (ifaces *NetIfaces) Find(iface string) (int, bool)

func (*NetIfaces) Interfaces added in v0.8.1 

func (ifaces *NetIfaces) Interfaces() []string

func (*NetIfaces) Parse added in v0.8.1 

func (filter *NetIfaces) Parse(operatorAndValues string) error

type OutputConfig 

type OutputConfig struct {
	StackAddresses    bool
	DetectSyscall     bool
	ExecEnv           bool
	RelativeTime      bool
	ExecHash          bool
	ParseArguments    bool
	ParseArgumentsFDs bool
	EventsSorting     bool
}

type Tracee 

type Tracee struct {
	StackAddressesMap *bpf.BPFMap
	FDArgPathMap      *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New 

func New(cfg Config) (*Tracee, error)

New creates a new Tracee instance based on a given valid Config It is expected that New will not cause external system side effects (reads, writes, etc.)

func (*Tracee) Close 

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) GetTailCalls added in v0.8.3 

func (t *Tracee) GetTailCalls() ([]events.TailCall, error)

func (*Tracee) Init added in v0.8.1 

func (t *Tracee) Init() error

Initialize tracee instance and it's various subsystems, potentially performing external system operations to initialize them. NOTE: any initialization logic, especially one that causes side effects, should go here and not New().

func (*Tracee) Run 

func (t *Tracee) Run(ctx gocontext.Context) error

Run starts the trace. it will run until ctx is cancelled

func (*Tracee) Running added in v0.8.1 

func (t *Tracee) Running() bool

func (*Tracee) Stats 

func (t *Tracee) Stats() *metrics.Stats

func (*Tracee) WaitForPipeline 

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.