Documentation ¶
Index ¶
- Constants
- Variables
- type ActualDestinationGetter
- type ArgType
- type CgroupClient
- type Config
- type ContainerClient
- type EventFilter
- type EventFilterGenerator
- func DeduplicateDnsEvents(l *logging.Logger, size uint32, ttl time.Duration) EventFilterGenerator
- func FilterAnd(filtersGenerators ...EventFilterGenerator) EventFilterGenerator
- func FilterEmptyDnsAnswers(l *logging.Logger) EventFilterGenerator
- func GlobalEventFilterGenerator(filter EventFilter) EventFilterGenerator
- func RateLimit(spec RateLimitPolicy) EventFilterGenerator
- type EventPolicy
- type EventProbe
- type KSymbol
- type LRUPolicy
- type Policy
- type PolicyOutputConfig
- type PreEventFilter
- type PreEventFilterGenerator
- type RateLimitPolicy
- type SubmitForEnrichment
- type SyscallID
- type SyscallStats
- type SyscallStatsKeyCgroupID
- type TailCall
- type Tracer
- func (t *Tracer) ApplyPolicy(policy *Policy) error
- func (t *Tracer) Close() error
- func (t *Tracer) Events() <-chan *castpb.Event
- func (t *Tracer) GetEventName(id events.ID) string
- func (t *Tracer) IsCgroupMuted(cgroup uint64) bool
- func (t *Tracer) Load() error
- func (t *Tracer) MuteEventsFromCgroup(cgroup uint64) error
- func (t *Tracer) MuteEventsFromCgroups(cgroups []uint64) error
- func (t *Tracer) ReadSyscallStats() (map[SyscallStatsKeyCgroupID][]SyscallStats, error)
- func (t *Tracer) Run(ctx context.Context) error
- func (t *Tracer) UnmuteEventsFromCgroup(cgroup uint64) error
- func (t *Tracer) UnmuteEventsFromCgroups(cgroups []uint64) error
Constants ¶
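// Tail call slots of the eBPF prog_array map. Each constant is the index of a
// function invoked through a bpf tail call; the order must match the values
// defined in the ebpf code. As rendered, the trailing comments swallowed the
// following identifiers, so the block is restored to one declaration per line.
const (
	TailVfsWrite uint32 = iota // Index of a function to be used in a bpf tailcall.
	TailVfsWritev              // Matches defined values in ebpf code for prog_array map.
	TailSendBin
	TailSendBinTP
	TailKernelWrite
	TailSchedProcessExecEventSubmit
	TailVfsRead
	TailVfsReadv
	TailExecBinprm1
	TailExecBinprm2
	TailHiddenKernelModuleProc
	TailHiddenKernelModuleKset
	TailHiddenKernelModuleModTree
	TailHiddenKernelModuleNewModOnly
	// MaxTail is one past the last slot, i.e. the number of tail call entries.
	MaxTail
)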
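// Probe handles. Each constant identifies one eBPF attachment point (kprobe,
// kretprobe, tracepoint or cgroup program — which one is not visible here) by
// its position in this iota sequence; the numeric value must stay stable
// relative to the ebpf side. As rendered, the "Signal probes" comment swallowed
// the Signal* handles and the closing paren, so the block is restored to one
// declaration per line.
const (
	ProbeSysEnter handle = iota
	ProbeSysExit
	ProbeSyscallEnter__Internal
	ProbeSyscallExit__Internal
	ProbeSchedProcessFork
	ProbeSchedProcessExec
	ProbeSchedProcessExit
	ProbeSchedProcessFree
	ProbeSchedSwitch
	ProbeDoExit
	ProbeCapCapable
	ProbeVfsWrite
	ProbeVfsWriteRet
	ProbeVfsWriteV
	ProbeVfsWriteVRet
	ProbeSecurityMmapAddr
	ProbeSecurityMmapFile
	ProbeSecurityFileMProtect
	ProbeCommitCreds
	ProbeSwitchTaskNS
	ProbeKernelWrite
	ProbeKernelWriteRet
	ProbeVfsWriteMagic
	ProbeVfsWriteMagicRet
	ProbeVfsWriteVMagic
	ProbeVfsWriteVMagicRet
	ProbeKernelWriteMagic
	ProbeKernelWriteMagicRet
	ProbeCgroupAttachTask
	ProbeCgroupMkdir
	ProbeCgroupRmdir
	ProbeSecurityBPRMCheck
	ProbeSecurityFileOpen
	ProbeSecurityInodeUnlink
	ProbeSecurityInodeMknod
	ProbeSecurityInodeSymlink
	ProbeSecuritySocketCreate
	ProbeSecuritySocketListen
	ProbeSecuritySocketConnect
	ProbeSecuritySocketAccept
	ProbeSecuritySocketBind
	ProbeSecuritySocketSetsockopt
	ProbeSecuritySbMount
	ProbeSecurityBPF
	ProbeSecurityBPFMap
	ProbeSecurityKernelReadFile
	ProbeSecurityKernelPostReadFile
	ProbeDoSplice
	ProbeDoSpliceRet
	ProbeProcCreate
	ProbeRegisterKprobe
	ProbeRegisterKprobeRet
	ProbeCallUsermodeHelper
	ProbeDebugfsCreateFile
	ProbeDebugfsCreateDir
	ProbeDeviceAdd
	ProbeRegisterChrdev
	ProbeRegisterChrdevRet
	ProbeDoInitModule
	ProbeDoInitModuleRet
	ProbeLoadElfPhdrs
	ProbeFilldir64
	ProbeSecurityFilePermission
	ProbeTaskRename
	ProbePrintSyscallTable
	ProbePrintNetSeqOps
	ProbeSecurityInodeRename
	ProbeDoSigaction
	ProbeSecurityBpfProg
	ProbeSecurityFileIoctl
	ProbeCheckHelperCall
	ProbeCheckMapFuncCompatibility
	ProbeKallsymsLookupName
	ProbeKallsymsLookupNameRet
	ProbeSockAllocFile
	ProbeSockAllocFileRet
	ProbeSecuritySkClone
	ProbeSecuritySocketRecvmsg
	ProbeSecuritySocketSendmsg
	ProbeCgroupBPFRunFilterSKB
	ProbeCgroupSKBIngress
	ProbeCgroupSKBEgress
	ProbeDoMmap
	ProbeDoMmapRet
	ProbePrintMemDump
	ProbeVfsRead
	ProbeVfsReadRet
	ProbeVfsReadV
	ProbeVfsReadVRet
	ProbeVfsUtimes
	ProbeUtimesCommon
	ProbeDoTruncate
	ProbeFileUpdateTime
	ProbeFileUpdateTimeRet
	ProbeFileModified
	ProbeFileModifiedRet
	ProbeFdInstall
	ProbeFilpClose
	ProbeInotifyFindInode
	ProbeInotifyFindInodeRet
	ProbeBpfCheck
	ProbeExecBinprm
	ProbeExecBinprmRet
	ProbeHiddenKernelModuleSeeker
	ProbeTpProbeRegPrioMayExist
	ProbeHiddenKernelModuleVerifier
	ProbeModuleLoad
	ProbeModuleFree
	ProbeLayoutAndAllocate
	ProbeInetSockSetState
	ProbeOomMarkVictim
	ProbeTtyOpen
	// Signal probes
	SignalCgroupMkdir
	SignalCgroupRmdir
	SignalSchedProcessFork
	SignalSchedProcessExec
	SignalSchedProcessExit
)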
Variables ¶
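// Filter results. FilterPass is the nil error a filter returns to let an event
// through; the FilterErr* sentinels are returned to drop it and let callers tell
// the reason apart with errors.Is. As rendered, the specs were collapsed onto one
// line (not valid Go); the block is restored to one spec per line.
var (
	FilterPass                    error = nil
	FilterErrRateLimit                  = errors.New("rate limit")
	FilterErrEmptyDNSResponse           = errors.New("empty dns response")
	FilterErrDNSDuplicateDetected       = errors.New("dns duplicate detected")
)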
// ErrPanic indicates that the returned error was recovered from a panic.
var ErrPanic = errors.New("encountered panic")
ErrPanic indicates that the returned error was recovered from a panic.
Types ¶
type ActualDestinationGetter ¶
// ActualDestinationGetter resolves the actual destination of a connection.
// The information is usually obtained from conntrack (e.g. for NAT'ed or
// service-VIP traffic — presumably; confirm against the implementation).
type ActualDestinationGetter interface {
	// GetDestination returns the actual destination for the src/dst address
	// pair seen by the tracer. The bool presumably reports whether a mapping
	// was found; confirm against the conntrack-backed implementation.
	GetDestination(src, dst netip.AddrPort) (netip.AddrPort, bool)
}
ActualDestinationGetter is used to resolve the actual destination IP. This information is usually obtained from conntrack.
type CgroupClient ¶ added in v1.3.0
type Config ¶
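// Config holds the tracer configuration. As rendered, the comment on
// MountNamespacePIDStore swallowed the HomePIDNS and AllowAnyEvent fields and
// the closing brace; the struct is restored to one field per line.
type Config struct {
	// BTFPath is the path to a BTF file (presumably used when loading the
	// eBPF objects — confirm).
	BTFPath string
	// EventsPerCPUBuffer sizes the per-CPU event buffer.
	EventsPerCPUBuffer int
	// EventsOutputChanSize is the capacity of the output event channel
	// (presumably the one returned by Tracer.Events — confirm).
	EventsOutputChanSize int
	// GCInterval is the period of the tracer's internal garbage collection.
	GCInterval time.Duration
	// DefaultCgroupsVersion must be "V1" or "V2"; enforced by the validate tag.
	DefaultCgroupsVersion string `validate:"required,oneof=V1 V2"`
	// ActualDestinationGetter resolves real destinations (see the interface).
	ActualDestinationGetter ActualDestinationGetter
	// DebugEnabled turns on debug behaviour (what exactly is not visible here).
	DebugEnabled bool
	// ContainerClient and CgroupClient are the lookups used to map cgroups to
	// containers; their contracts are defined elsewhere.
	ContainerClient ContainerClient
	CgroupClient    CgroupClient
	// EnrichEvent submits events for enrichment.
	EnrichEvent SubmitForEnrichment
	// MountNamespacePIDStore maps PIDs per mount namespace.
	MountNamespacePIDStore *types.PIDsPerNamespace
	// All PIDs reported from ebpf will be normalized to this PID namespace.
	HomePIDNS proc.NamespaceID
	// AllowAnyEvent, when set, presumably lets events through that the
	// applied policy does not list — confirm; leave unset unless needed,
	// since it widens what is emitted.
	AllowAnyEvent bool
}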
type ContainerClient ¶
type EventFilter ¶
EventFilter allows events to be filtered before they are sent to the server.
type EventFilterGenerator ¶
// EventFilterGenerator produces a fresh EventFilter on each call, so stateful
// filters (rate limits, DNS deduplication) can keep separate state per
// generator invocation — e.g. per cgroup. GlobalEventFilterGenerator instead
// returns the same filter every time.
type EventFilterGenerator func() EventFilter
EventFilterGenerator produces a new event filter on each call.
func DeduplicateDnsEvents ¶
DeduplicateDnsEvents creates a filter that drops any DNS event whose questions were already seen within `ttl`.
func FilterAnd ¶
func FilterAnd(filtersGenerators ...EventFilterGenerator) EventFilterGenerator
func FilterEmptyDnsAnswers ¶
func FilterEmptyDnsAnswers(l *logging.Logger) EventFilterGenerator
FilterEmptyDnsAnswers drops any DNS event that is missing an answer section.
func GlobalEventFilterGenerator ¶
func GlobalEventFilterGenerator(filter EventFilter) EventFilterGenerator
GlobalEventFilterGenerator always returns the given filter on each generator invocation. This is useful if you want some global filtering across cgroups.
func RateLimit ¶
func RateLimit(spec RateLimitPolicy) EventFilterGenerator
type EventPolicy ¶
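// EventPolicy describes how one event type is handled: the event ID it applies
// to and the generators producing its pre-decode and post-decode filters. As
// rendered, the fields were collapsed onto one line (not valid Go); the struct
// is restored to one field per line.
type EventPolicy struct {
	// ID is the event this policy applies to.
	ID events.ID
	// PreFilterGenerator produces the PreEventFilter applied to raw kernel
	// events before they are decoded.
	PreFilterGenerator PreEventFilterGenerator
	// FilterGenerator produces the EventFilter applied to decoded events
	// before they are sent to the server.
	FilterGenerator EventFilterGenerator
}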
type EventProbe ¶
// EventProbe ties an event to the probe it is sourced from — presumably; its
// fields are unexported and not shown here, so confirm in the package source.
type EventProbe struct {
	// contains filtered or unexported fields
}
type Policy ¶
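// Policy is the set of events, filters and output settings the tracer applies
// (see Tracer.ApplyPolicy). As rendered, the comment on SystemEvents swallowed
// the remaining fields and the closing brace; the struct is restored to one
// field per line.
type Policy struct {
	// SystemEvents lists events required for internal tasks such as cache cleanup.
	SystemEvents []events.ID
	// SignatureEngine is the engine events are matched against; its
	// behaviour is defined in the signature package.
	SignatureEngine *signature.SignatureEngine
	// Events holds the per-event policies.
	Events []*EventPolicy
	// Output configures event output; PolicyOutputConfig's fields are not
	// shown here.
	Output PolicyOutputConfig
}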
type PolicyOutputConfig ¶
type PreEventFilter ¶
// PreEventFilter filters raw events coming from the kernel before they are
// decoded. By the package's convention a nil result (FilterPass) keeps the
// event and a FilterErr* sentinel such as FilterErrRateLimit drops it.
type PreEventFilter func(ctx *types.EventContext) error
PreEventFilter allows for filtering of events coming from the kernel before they are decoded
type PreEventFilterGenerator ¶
// PreEventFilterGenerator produces a fresh PreEventFilter on each call, so
// stateful filters (e.g. PreRateLimit) can keep separate state per generator
// invocation. GlobalPreEventFilterGenerator instead returns the same filter
// every time.
type PreEventFilterGenerator func() PreEventFilter
PreEventFilterGenerator produces a new pre-event filter on each call.
func GlobalPreEventFilterGenerator ¶
func GlobalPreEventFilterGenerator(filter PreEventFilter) PreEventFilterGenerator
GlobalPreEventFilterGenerator always returns the given filter on each generator invocation. This is useful if you want some global filtering across cgroups.
func PreRateLimit ¶
func PreRateLimit(spec RateLimitPolicy) PreEventFilterGenerator
PreRateLimit creates a pre-event filter that limits the number of events processed according to the specified limits.
type RateLimitPolicy ¶
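// RateLimitPolicy configures event rate limiting. As rendered, the leading
// comment swallowed every field and the closing brace; the struct is restored
// to one field per line.
type RateLimitPolicy struct {
	// Interval, when set, turns the rate limit into interval based sampling.
	// In that case Burst is always 1.
	Interval time.Duration
	// Rate is the allowed number of events per second.
	Rate float64
	// Burst is the maximum burst size.
	Burst int
}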
RateLimitPolicy configures event rate limiting.
type SubmitForEnrichment ¶ added in v1.1.0
// SubmitForEnrichment hands an event to the enrichment pipeline. The bool
// presumably reports whether the request was accepted — confirm against the
// enrichment package.
type SubmitForEnrichment func(*enrichment.EnrichRequest) bool
type SyscallStats ¶
type SyscallStatsKeyCgroupID ¶
// SyscallStatsKeyCgroupID is the cgroup ID that keys the syscall statistics
// map returned by Tracer.ReadSyscallStats.
type SyscallStatsKeyCgroupID uint64
type Tracer ¶
// Tracer loads the eBPF programs and streams the resulting events.
// Judging by its method set: Load attaches the programs, ApplyPolicy selects
// the events and filters, Run drives the tracer until ctx is cancelled,
// Events exposes the output channel and Close releases resources. Per-cgroup
// muting (MuteEventsFromCgroup(s), UnmuteEventsFromCgroup(s), IsCgroupMuted)
// suppresses events for the given cgroups — muted cgroups produce no events,
// so muting should be audited. ReadSyscallStats returns per-cgroup syscall
// statistics. Call order is inferred from the names; confirm in the source.
type Tracer struct {
	// contains filtered or unexported fields
}
func (*Tracer) ApplyPolicy ¶
func (*Tracer) IsCgroupMuted ¶
func (*Tracer) MuteEventsFromCgroup ¶
func (*Tracer) MuteEventsFromCgroups ¶
func (*Tracer) ReadSyscallStats ¶
func (t *Tracer) ReadSyscallStats() (map[SyscallStatsKeyCgroupID][]SyscallStats, error)