tracee

package
v0.9.13 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 24, 2022 License: Apache-2.0 Imports: 34 Imported by: 1

Documentation

Overview

Invoked tracee-ebpf events from user mode This utility can prove itself useful to generate information needed by signatures that is not provided by normal events in the kernel. Because the events in the kernel are invoked by other programs behavior, we cannot anticipate which events will be invoked and as a result what information will be extracted. This is critical because tracee-rules is independent, and doesn't have to run on the same machine as tracee-ebpf. This means that tracee-rules might lack basic information of the operating machine needed for some signatures. By creating user mode events this information could be intentionally collected and passed to tracee-ebpf afterwards.

Index

Constants

View Source 
const (
	ReadEventID                int32 = 0
	WriteEventID               int32 = 1
	OpenEventID                int32 = 2
	CloseEventID               int32 = 3
	StatEventID                int32 = 4
	FstatEventID               int32 = 5
	LstatEventID               int32 = 6
	PollEventID                int32 = 7
	LseekEventID               int32 = 8
	MmapEventID                int32 = 9
	MprotectEventID            int32 = 10
	MunmapEventID              int32 = 11
	BrkEventID                 int32 = 12
	RtSigactionEventID         int32 = 13
	RtSigprocmaskEventID       int32 = 14
	RtSigreturnEventID         int32 = 15
	IoctlEventID               int32 = 16
	Pread64EventID             int32 = 17
	Pwrite64EventID            int32 = 18
	ReadvEventID               int32 = 19
	WritevEventID              int32 = 20
	AccessEventID              int32 = 21
	PipeEventID                int32 = 22
	SelectEventID              int32 = 23
	SchedYieldEventID          int32 = 24
	MremapEventID              int32 = 25
	MsyncEventID               int32 = 26
	MincoreEventID             int32 = 27
	MadviseEventID             int32 = 28
	ShmgetEventID              int32 = 29
	ShmatEventID               int32 = 30
	ShmctlEventID              int32 = 31
	DupEventID                 int32 = 32
	Dup2EventID                int32 = 33
	PauseEventID               int32 = 34
	NanosleepEventID           int32 = 35
	GetitimerEventID           int32 = 36
	AlarmEventID               int32 = 37
	SetitimerEventID           int32 = 38
	GetpidEventID              int32 = 39
	SendfileEventID            int32 = 40
	SocketEventID              int32 = 41
	ConnectEventID             int32 = 42
	AcceptEventID              int32 = 43
	SendtoEventID              int32 = 44
	RecvfromEventID            int32 = 45
	SendmsgEventID             int32 = 46
	RecvmsgEventID             int32 = 47
	ShutdownEventID            int32 = 48
	BindEventID                int32 = 49
	ListenEventID              int32 = 50
	GetsocknameEventID         int32 = 51
	GetpeernameEventID         int32 = 52
	SocketpairEventID          int32 = 53
	SetsockoptEventID          int32 = 54
	GetsockoptEventID          int32 = 55
	CloneEventID               int32 = 56
	ForkEventID                int32 = 57
	VforkEventID               int32 = 58
	ExecveEventID              int32 = 59
	ExitEventID                int32 = 60
	Wait4EventID               int32 = 61
	KillEventID                int32 = 62
	UnameEventID               int32 = 63
	SemgetEventID              int32 = 64
	SemopEventID               int32 = 65
	SemctlEventID              int32 = 66
	ShmdtEventID               int32 = 67
	MsggetEventID              int32 = 68
	MsgsndEventID              int32 = 69
	MsgrcvEventID              int32 = 70
	MsgctlEventID              int32 = 71
	FcntlEventID               int32 = 72
	FlockEventID               int32 = 73
	FsyncEventID               int32 = 74
	FdatasyncEventID           int32 = 75
	TruncateEventID            int32 = 76
	FtruncateEventID           int32 = 77
	GetdentsEventID            int32 = 78
	GetcwdEventID              int32 = 79
	ChdirEventID               int32 = 80
	FchdirEventID              int32 = 81
	RenameEventID              int32 = 82
	MkdirEventID               int32 = 83
	RmdirEventID               int32 = 84
	CreatEventID               int32 = 85
	LinkEventID                int32 = 86
	UnlinkEventID              int32 = 87
	SymlinkEventID             int32 = 88
	ReadlinkEventID            int32 = 89
	ChmodEventID               int32 = 90
	FchmodEventID              int32 = 91
	ChownEventID               int32 = 92
	FchownEventID              int32 = 93
	LchownEventID              int32 = 94
	UmaskEventID               int32 = 95
	GettimeofdayEventID        int32 = 96
	GetrlimitEventID           int32 = 97
	GetrusageEventID           int32 = 98
	SysinfoEventID             int32 = 99
	TimesEventID               int32 = 100
	PtraceEventID              int32 = 101
	GetuidEventID              int32 = 102
	SyslogEventID              int32 = 103
	GetgidEventID              int32 = 104
	SetuidEventID              int32 = 105
	SetgidEventID              int32 = 106
	GeteuidEventID             int32 = 107
	GetegidEventID             int32 = 108
	SetpgidEventID             int32 = 109
	GetppidEventID             int32 = 110
	GetpgrpEventID             int32 = 111
	SetsidEventID              int32 = 112
	SetreuidEventID            int32 = 113
	SetregidEventID            int32 = 114
	GetgroupsEventID           int32 = 115
	SetgroupsEventID           int32 = 116
	SetresuidEventID           int32 = 117
	GetresuidEventID           int32 = 118
	SetresgidEventID           int32 = 119
	GetresgidEventID           int32 = 120
	GetpgidEventID             int32 = 121
	SetfsuidEventID            int32 = 122
	SetfsgidEventID            int32 = 123
	GetsidEventID              int32 = 124
	CapgetEventID              int32 = 125
	CapsetEventID              int32 = 126
	RtSigpendingEventID        int32 = 127
	RtSigtimedwaitEventID      int32 = 128
	RtSigqueueinfoEventID      int32 = 129
	RtSigsuspendEventID        int32 = 130
	SigaltstackEventID         int32 = 131
	UtimeEventID               int32 = 132
	MknodEventID               int32 = 133
	UselibEventID              int32 = 134
	PersonalityEventID         int32 = 135
	UstatEventID               int32 = 136
	StatfsEventID              int32 = 137
	FstatfsEventID             int32 = 138
	SysfsEventID               int32 = 139
	GetpriorityEventID         int32 = 140
	SetpriorityEventID         int32 = 141
	SchedSetparamEventID       int32 = 142
	SchedGetparamEventID       int32 = 143
	SchedSetschedulerEventID   int32 = 144
	SchedGetschedulerEventID   int32 = 145
	SchedGetPriorityMaxEventID int32 = 146
	SchedGetPriorityMinEventID int32 = 147
	SchedRrGetIntervalEventID  int32 = 148
	MlockEventID               int32 = 149
	MunlockEventID             int32 = 150
	MlockallEventID            int32 = 151
	MunlockallEventID          int32 = 152
	VhangupEventID             int32 = 153
	ModifyLdtEventID           int32 = 154
	PivotRootEventID           int32 = 155
	SysctlEventID              int32 = 156
	PrctlEventID               int32 = 157
	ArchPrctlEventID           int32 = 158
	AdjtimexEventID            int32 = 159
	SetrlimitEventID           int32 = 160
	ChrootEventID              int32 = 161
	SyncEventID                int32 = 162
	AcctEventID                int32 = 163
	SettimeofdayEventID        int32 = 164
	MountEventID               int32 = 165
	Umount2EventID             int32 = 166
	SwaponEventID              int32 = 167
	SwapoffEventID             int32 = 168
	RebootEventID              int32 = 169
	SethostnameEventID         int32 = 170
	SetdomainnameEventID       int32 = 171
	IoplEventID                int32 = 172
	IopermEventID              int32 = 173
	CreateModuleEventID        int32 = 174
	InitModuleEventID          int32 = 175
	DeleteModuleEventID        int32 = 176
	GetKernelSymsEventID       int32 = 177
	QueryModuleEventID         int32 = 178
	QuotactlEventID            int32 = 179
	NfsservctlEventID          int32 = 180
	GetpmsgEventID             int32 = 181
	PutpmsgEventID             int32 = 182
	AfsEventID                 int32 = 183
	TuxcallEventID             int32 = 184
	SecurityEventID            int32 = 185
	GettidEventID              int32 = 186
	ReadaheadEventID           int32 = 187
	SetxattrEventID            int32 = 188
	LsetxattrEventID           int32 = 189
	FsetxattrEventID           int32 = 190
	GetxattrEventID            int32 = 191
	LgetxattrEventID           int32 = 192
	FgetxattrEventID           int32 = 193
	ListxattrEventID           int32 = 194
	LlistxattrEventID          int32 = 195
	FlistxattrEventID          int32 = 196
	RemovexattrEventID         int32 = 197
	LremovexattrEventID        int32 = 198
	FremovexattrEventID        int32 = 199
	TkillEventID               int32 = 200
	TimeEventID                int32 = 201
	FutexEventID               int32 = 202
	SchedSetaffinityEventID    int32 = 203
	SchedGetaffinityEventID    int32 = 204
	SetThreadAreaEventID       int32 = 205
	IoSetupEventID             int32 = 206
	IoDestroyEventID           int32 = 207
	IoGeteventsEventID         int32 = 208
	IoSubmitEventID            int32 = 209
	IoCancelEventID            int32 = 210
	GetThreadAreaEventID       int32 = 211
	LookupDcookieEventID       int32 = 212
	EpollCreateEventID         int32 = 213
	EpollCtlOldEventID         int32 = 214
	EpollWaitOldEventID        int32 = 215
	RemapFilePagesEventID      int32 = 216
	Getdents64EventID          int32 = 217
	SetTidAddressEventID       int32 = 218
	RestartSyscallEventID      int32 = 219
	SemtimedopEventID          int32 = 220
	Fadvise64EventID           int32 = 221
	TimerCreateEventID         int32 = 222
	TimerSettimeEventID        int32 = 223
	TimerGettimeEventID        int32 = 224
	TimerGetoverrunEventID     int32 = 225
	TimerDeleteEventID         int32 = 226
	ClockSettimeEventID        int32 = 227
	ClockGettimeEventID        int32 = 228
	ClockGetresEventID         int32 = 229
	ClockNanosleepEventID      int32 = 230
	ExitGroupEventID           int32 = 231
	EpollWaitEventID           int32 = 232
	EpollCtlEventID            int32 = 233
	TgkillEventID              int32 = 234
	UtimesEventID              int32 = 235
	VserverEventID             int32 = 236
	MbindEventID               int32 = 237
	SetMempolicyEventID        int32 = 238
	GetMempolicyEventID        int32 = 239
	MqOpenEventID              int32 = 240
	MqUnlinkEventID            int32 = 241
	MqTimedsendEventID         int32 = 242
	MqTimedreceiveEventID      int32 = 243
	MqNotifyEventID            int32 = 244
	MqGetsetattrEventID        int32 = 245
	KexecLoadEventID           int32 = 246
	WaitidEventID              int32 = 247
	AddKeyEventID              int32 = 248
	RequestKeyEventID          int32 = 249
	KeyctlEventID              int32 = 250
	IoprioSetEventID           int32 = 251
	IoprioGetEventID           int32 = 252
	InotifyInitEventID         int32 = 253
	InotifyAddWatchEventID     int32 = 254
	InotifyRmWatchEventID      int32 = 255
	MigratePagesEventID        int32 = 256
	OpenatEventID              int32 = 257
	MkdiratEventID             int32 = 258
	MknodatEventID             int32 = 259
	FchownatEventID            int32 = 260
	FutimesatEventID           int32 = 261
	NewfstatatEventID          int32 = 262
	UnlinkatEventID            int32 = 263
	RenameatEventID            int32 = 264
	LinkatEventID              int32 = 265
	SymlinkatEventID           int32 = 266
	ReadlinkatEventID          int32 = 267
	FchmodatEventID            int32 = 268
	FaccessatEventID           int32 = 269
	Pselect6EventID            int32 = 270
	PpollEventID               int32 = 271
	UnshareEventID             int32 = 272
	SetRobustListEventID       int32 = 273
	GetRobustListEventID       int32 = 274
	SpliceEventID              int32 = 275
	TeeEventID                 int32 = 276
	SyncFileRangeEventID       int32 = 277
	VmspliceEventID            int32 = 278
	MovePagesEventID           int32 = 279
	UtimensatEventID           int32 = 280
	EpollPwaitEventID          int32 = 281
	SignalfdEventID            int32 = 282
	TimerfdCreateEventID       int32 = 283
	EventfdEventID             int32 = 284
	FallocateEventID           int32 = 285
	TimerfdSettimeEventID      int32 = 286
	TimerfdGettimeEventID      int32 = 287
	Accept4EventID             int32 = 288
	Signalfd4EventID           int32 = 289
	Eventfd2EventID            int32 = 290
	EpollCreate1EventID        int32 = 291
	Dup3EventID                int32 = 292
	Pipe2EventID               int32 = 293
	InotifyInit1EventID        int32 = 294
	PreadvEventID              int32 = 295
	PwritevEventID             int32 = 296
	RtTgsigqueueinfoEventID    int32 = 297
	PerfEventOpenEventID       int32 = 298
	RecvmmsgEventID            int32 = 299
	FanotifyInitEventID        int32 = 300
	FanotifyMarkEventID        int32 = 301
	Prlimit64EventID           int32 = 302
	NameToHandleAtEventID      int32 = 303
	OpenByHandleAtEventID      int32 = 304
	ClockAdjtimeEventID        int32 = 305
	SyncfsEventID              int32 = 306
	SendmmsgEventID            int32 = 307
	SetnsEventID               int32 = 308
	GetcpuEventID              int32 = 309
	ProcessVmReadvEventID      int32 = 310
	ProcessVmWritevEventID     int32 = 311
	KcmpEventID                int32 = 312
	FinitModuleEventID         int32 = 313
	SchedSetattrEventID        int32 = 314
	SchedGetattrEventID        int32 = 315
	Renameat2EventID           int32 = 316
	SeccompEventID             int32 = 317
	GetrandomEventID           int32 = 318
	MemfdCreateEventID         int32 = 319
	KexecFileLoadEventID       int32 = 320
	BpfEventID                 int32 = 321
	ExecveatEventID            int32 = 322
	UserfaultfdEventID         int32 = 323
	MembarrierEventID          int32 = 324
	Mlock2EventID              int32 = 325
	CopyFileRangeEventID       int32 = 326
	Preadv2EventID             int32 = 327
	Pwritev2EventID            int32 = 328
	PkeyMprotectEventID        int32 = 329
	PkeyAllocEventID           int32 = 330
	PkeyFreeEventID            int32 = 331
	StatxEventID               int32 = 332
	IoPgeteventsEventID        int32 = 333
	RseqEventID                int32 = 334
	// 335 through 423 are unassigned to sync up with generic numbers
	PidfdSendSignalEventID       int32 = 424
	IoUringSetupEventID          int32 = 425
	IoUringEnterEventID          int32 = 426
	IoUringRegisterEventID       int32 = 427
	OpenTreeEventID              int32 = 428
	MoveMountEventID             int32 = 429
	FsopenEventID                int32 = 430
	FsconfigEventID              int32 = 431
	FsmountEventID               int32 = 432
	FspickEventID                int32 = 433
	PidfdOpenEventID             int32 = 434
	Clone3EventID                int32 = 435
	CloseRangeEventID            int32 = 436
	Openat2EventID               int32 = 437
	PidfdGetfdEventID            int32 = 438
	Faccessat2EventID            int32 = 439
	ProcessMadviseEventID        int32 = 440
	EpollPwait2EventID           int32 = 441
	MountSetattEventID           int32 = 442
	QuotactlFdEventID            int32 = 443
	LandlockCreateRulesetEventID int32 = 444
	LandlockAddRuleEventID       int32 = 445
	LandloclRestrictSetEventID   int32 = 446
	MemfdSecretEventID           int32 = 447
	ProcessMreleaseEventID       int32 = 448
)

x86 64bit syscall numbers Also used as event IDs https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl

View Source 
const (
	WaitpidEventID int32 = iota + Unique32BitSyscallsStartID
	OldfstatEventID
	BreakEventID
	OldstatEventID
	UmountEventID
	StimeEventID
	SttyEventID
	GttyEventID
	NiceEventID
	FtimeEventID
	ProfEventID
	SignalEventID
	LockEventID
	MpxEventID
	UlimitEventID
	OldoldunameEventID
	SigactionEventID
	SgetmaskEventID
	SsetmaskEventID
	SigsuspendEventID
	SigpendingEventID
	OldlstatEventID
	ReaddirEventID
	ProfilEventID
	SocketcallEventID
	OldunameEventID
	IdleEventID
	Vm86oldEventID
	IpcEventID
	SigreturnEventID
	SigprocmaskEventID
	BdflushEventID
	Afs_syscallEventID
	LlseekEventID
	OldSelectEventID
	Vm86EventID
	OldGetrlimitEventID
	Mmap2EventID
	Truncate64EventID
	Ftruncate64EventID
	Stat64EventID
	Lstat64EventID
	Fstat64EventID
	Lchown16EventID
	Getuid16EventID
	Getgid16EventID
	Geteuid16EventID
	Getegid16EventID
	Setreuid16EventID
	Setregid16EventID
	Getgroups16EventID
	Setgroups16EventID
	Fchown16EventID
	Setresuid16EventID
	Getresuid16EventID
	Setresgid16EventID
	Getresgid16EventID
	Chown16EventID
	Setuid16EventID
	Setgid16EventID
	Setfsuid16EventID
	Setfsgid16EventID
	Fcntl64EventID
	Sendfile32EventID
	Statfs64EventID
	Fstatfs64EventID
	Fadvise64_64EventID
	ClockGettime32EventID
	ClockSettime32EventID
	ClockAdjtime64EventID
	ClockGetresTime32EventID
	ClockNanosleepTime32EventID
	TimerGettime32EventID
	TimerSettime32EventID
	TimerfdGettime32EventID
	TimerfdSettime32EventID
	UtimensatTime32EventID
	Pselect6Time32EventID
	PpollTime32EventID
	IoPgeteventsTime32EventID
	RecvmmsgTime32EventID
	MqTimedsendTime32EventID
	MqTimedreceiveTime32EventID
	RtSigtimedwaitTime32EventID
	FutexTime32EventID
	SchedRrGetInterval32EventID
	Unique32BitSyscallsEndID
)

Set of events IDs for 32bit syscalls which have no parallel 64bit syscall

View Source 
const (
	SysEnterEventID int32 = iota + 1000
	SysExitEventID
	SchedProcessForkEventID
	SchedProcessExecEventID
	SchedProcessExitEventID
	SchedSwitchEventID
	DoExitEventID
	CapCapableEventID
	VfsWriteEventID
	VfsWritevEventID
	MemProtAlertEventID
	CommitCredsEventID
	SwitchTaskNSEventID
	MagicWriteEventID
	CgroupAttachTaskEventID
	CgroupMkdirEventID
	CgroupRmdirEventID
	SecurityBprmCheckEventID
	SecurityFileOpenEventID
	SecurityInodeUnlinkEventID
	SecuritySocketCreateEventID
	SecuritySocketListenEventID
	SecuritySocketConnectEventID
	SecuritySocketAcceptEventID
	SecuritySocketBindEventID
	SecuritySbMountEventID
	SecurityBPFEventID
	SecurityBPFMapEventID
	SecurityKernelReadFileEventID
	SecurityInodeMknodEventID
	SecurityPostReadFileEventID
	SocketDupEventID
	HiddenInodesEventID
	MaxCommonEventID
)

Common events (used by all architectures) events should match defined values in ebpf code

View Source 
const (
	NetPacket uint32 = iota
	DebugNetSecurityBind
	DebugNetUdpSendmsg
	DebugNetUdpDisconnect
	DebugNetUdpDestroySock
	DebugNetUdpV6DestroySock
	DebugNetInetSockSetState
	DebugNetTcpConnect
)
View Source 
const (
	LessNotSetUint    uint64 = 0
	GreaterNotSetUint uint64 = math.MaxUint64
	LessNotSetInt     int64  = math.MinInt64
	GreaterNotSetInt  int64  = math.MaxInt64
)

Set default inequality values val<0 and val>math.MaxUint64 should never be used by the user as they give an empty set

View Source 
const (
	CONFIG_ARCH_HAS_SYSCALL_WRAPPER helpers.KernelConfigOption = iota + helpers.CUSTOM_OPTION_START
)

Custom KernelConfigOption's to extend kernel_config helper support Add here all kconfig variables used within tracee.bpf.c

View Source 
const (
	InitNamespacesEventID int32 = iota + 2000
)

Events originated from user-space

View Source 
const InitProcNsDir = "/proc/1/ns"
View Source 
const Unique32BitSyscallsStartID = 3000

Variables

View Source 
var EventsDefinitions = map[int32]EventDefinition{}/* 480 elements not displayed */

Functions

func CopyFileByPath 

func CopyFileByPath(src, dst string) error

CopyFileByPath copies a file from src to dst

func CreateInitNamespacesEvent 

func CreateInitNamespacesEvent() (external.Event, error)

CreateInitNamespacesEvent collect the init process namespaces and create event from them.

func MergeErrors 

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

func ParseKernelReadFileId 

func ParseKernelReadFileId(id int32) (string, error)

func Print16BytesSliceIP 

func Print16BytesSliceIP(in []byte) string

Print16BytesSliceIP prints the IP address encoded as 16 bytes long PrintBytesSliceIP It would be more correct to accept a [16]byte instead of variable lenth slice, but that would cause unnecessary memory copying and type conversions

func PrintUint32IP 

func PrintUint32IP(in uint32) string

PrintUint32IP prints the IP address encoded as a uint32

Types

type ArgFilter 

type ArgFilter struct {
	Filters map[int32]map[string]ArgFilterVal // key to the first map is event id, and to the second map the argument name
	Enabled bool
}

func (*ArgFilter) Parse 

func (argFilter *ArgFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]int32) error

type ArgFilterVal 

type ArgFilterVal struct {
	Equal    []string
	NotEqual []string
}

type BoolFilter 

type BoolFilter struct {
	Value   bool
	Enabled bool
}

func (*BoolFilter) Parse 

func (boolFilter *BoolFilter) Parse(value string) error

func (*BoolFilter) Set 

func (filter *BoolFilter) Set(bpfModule *bpf.Module, configFilter bpfConfig) error

type CaptureConfig 

type CaptureConfig struct {
	OutputPath      string
	FileWrite       bool
	Module          bool
	FilterFileWrite []string
	Exec            bool
	Mem             bool
	Profile         bool
	NetIfaces       []string
}

type Config 

type Config struct {
	Filter             *Filter
	Capture            *CaptureConfig
	Output             *OutputConfig
	PerfBufferSize     int
	BlobPerfBufferSize int
	Debug              bool

	BTFObjPath   string
	BPFObjPath   string
	BPFObjBytes  []byte
	KernelConfig *helpers.KernelConfig
	ChanEvents   chan external.Event
	ChanErrors   chan error
	ChanDone     chan struct{}
	// contains filtered or unexported fields
}

Config is a struct containing user defined configuration of tracee

func (Config) Validate 

func (tc Config) Validate() error

Validate does static validation of the configuration

type EventDefinition 

type EventDefinition struct {
	ID32Bit        int32
	Name           string
	Probes         []probe
	Dependencies   []dependency
	EssentialEvent bool
	Sets           []string
	Params         []external.ArgMeta
}

EventDefinition is a struct describing an event configuration

type Filter 

type Filter struct {
	EventsToTrace     []int32
	UIDFilter         *UintFilter
	PIDFilter         *UintFilter
	NewPidFilter      *BoolFilter
	MntNSFilter       *UintFilter
	PidNSFilter       *UintFilter
	UTSFilter         *StringFilter
	CommFilter        *StringFilter
	ContFilter        *BoolFilter
	NewContFilter     *BoolFilter
	RetFilter         *RetFilter
	ArgFilter         *ArgFilter
	ProcessTreeFilter *ProcessTreeFilter
	Follow            bool
}

type IntFilter 

type IntFilter struct {
	Equal    []int64
	NotEqual []int64
	Greater  int64
	Less     int64
	Is32Bit  bool
	Enabled  bool
}

func (*IntFilter) Parse 

func (intFilter *IntFilter) Parse(operatorAndValues string) error

type OutputConfig 

type OutputConfig struct {
	StackAddresses bool
	DetectSyscall  bool
	ExecEnv        bool
	RelativeTime   bool
	ExecHash       bool
	ParseArguments bool
}

type ProcessCtx 

type ProcessCtx struct {
	StartTime   int
	ContainerID string
	Pid         uint32
	Tid         uint32
	Ppid        uint32
	HostTid     uint32
	HostPid     uint32
	HostPpid    uint32
	Uid         uint32
	MntId       uint32
	PidId       uint32
}

type ProcessTree 

type ProcessTree struct {
	// contains filtered or unexported fields
}

func NewProcessTree 

func NewProcessTree() (*ProcessTree, error)

initialize new process-tree

type ProcessTreeFilter 

type ProcessTreeFilter struct {
	PIDs    map[uint32]bool // PIDs is a map where k=pid and v represents whether it and its descendents should be traced or not
	Enabled bool
}

func (*ProcessTreeFilter) Parse 

func (procTreeFilter *ProcessTreeFilter) Parse(operatorAndValues string) error

func (*ProcessTreeFilter) Set 

func (filter *ProcessTreeFilter) Set(bpfModule *bpf.Module) error

type RetFilter 

type RetFilter struct {
	Filters map[int32]IntFilter
	Enabled bool
}

func (*RetFilter) Parse 

func (retFilter *RetFilter) Parse(filterName string, operatorAndValues string, eventsNameToID map[string]int32) error

type StringFilter 

type StringFilter struct {
	Equal    []string
	NotEqual []string
	Enabled  bool
}

func (*StringFilter) Parse 

func (stringFilter *StringFilter) Parse(operatorAndValues string) error

func (*StringFilter) Set 

func (filter *StringFilter) Set(bpfModule *bpf.Module, filterMapName string, configFilter bpfConfig) error

type Tracee 

type Tracee struct {
	StackAddressesMap *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracee traces system calls and system events using eBPF

func New 

func New(cfg Config) (*Tracee, error)

New creates a new Tracee instance based on a given valid Config

func (*Tracee) Close 

func (t *Tracee) Close()

Close cleans up created resources

func (*Tracee) GetStats 

func (t *Tracee) GetStats() external.Stats

func (*Tracee) ParseProcessContext 

func (t *Tracee) ParseProcessContext(ctx []byte) (ProcessCtx, error)

func (*Tracee) Run 

func (t *Tracee) Run() error

Run starts the trace. it will run until interrupted

func (*Tracee) WaitForPipeline 

func (t *Tracee) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

type UintFilter 

type UintFilter struct {
	Equal    []uint64
	NotEqual []uint64
	Greater  uint64
	Less     uint64
	Is32Bit  bool
	Enabled  bool
}

func (*UintFilter) Parse 

func (uintFilter *UintFilter) Parse(operatorAndValues string) error

func (*UintFilter) Set 

func (filter *UintFilter) Set(bpfModule *bpf.Module, filterMapName string, configFilter bpfConfig, lessIdx uint32) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.