ebpftracer

package
v1.4.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 17, 2024 License: Apache-2.0 Imports: 49 Imported by: 0

Documentation

Index

Constants

View Source
const (
	TailVfsWrite  uint32 = iota // Index of a function to be used in a bpf tailcall.
	TailVfsWritev               // Matches defined values in ebpf code for prog_array map.
	TailSendBin
	TailSendBinTP
	TailKernelWrite
	TailSchedProcessExecEventSubmit
	TailVfsRead
	TailVfsReadv
	TailExecBinprm1
	TailExecBinprm2
	TailHiddenKernelModuleProc
	TailHiddenKernelModuleKset
	TailHiddenKernelModuleModTree
	TailHiddenKernelModuleNewModOnly
	MaxTail
)
View Source
const (
	ProbeSysEnter handle = iota
	ProbeSysExit
	ProbeSyscallEnter__Internal
	ProbeSyscallExit__Internal
	ProbeSchedProcessFork
	ProbeSchedProcessExec
	ProbeSchedProcessExit
	ProbeSchedProcessFree
	ProbeSchedSwitch
	ProbeDoExit
	ProbeCapCapable
	ProbeVfsWrite
	ProbeVfsWriteRet
	ProbeVfsWriteV
	ProbeVfsWriteVRet
	ProbeSecurityMmapAddr
	ProbeSecurityMmapFile
	ProbeSecurityFileMProtect
	ProbeCommitCreds
	ProbeSwitchTaskNS
	ProbeKernelWrite
	ProbeKernelWriteRet
	ProbeVfsWriteMagic
	ProbeVfsWriteMagicRet
	ProbeVfsWriteVMagic
	ProbeVfsWriteVMagicRet
	ProbeKernelWriteMagic
	ProbeKernelWriteMagicRet
	ProbeCgroupAttachTask
	ProbeCgroupMkdir
	ProbeCgroupRmdir
	ProbeSecurityBPRMCheck
	ProbeSecurityFileOpen
	ProbeSecurityInodeUnlink
	ProbeSecurityInodeMknod
	ProbeSecurityInodeSymlink
	ProbeSecuritySocketCreate
	ProbeSecuritySocketListen
	ProbeSecuritySocketConnect
	ProbeSecuritySocketAccept
	ProbeSecuritySocketBind
	ProbeSecuritySocketSetsockopt
	ProbeSecuritySbMount
	ProbeSecurityBPF
	ProbeSecurityBPFMap
	ProbeSecurityKernelReadFile
	ProbeSecurityKernelPostReadFile
	ProbeDoSplice
	ProbeDoSpliceRet
	ProbeProcCreate
	ProbeRegisterKprobe
	ProbeRegisterKprobeRet
	ProbeCallUsermodeHelper
	ProbeDebugfsCreateFile
	ProbeDebugfsCreateDir
	ProbeDeviceAdd
	ProbeRegisterChrdev
	ProbeRegisterChrdevRet
	ProbeDoInitModule
	ProbeDoInitModuleRet
	ProbeLoadElfPhdrs
	ProbeFilldir64
	ProbeSecurityFilePermission
	ProbeTaskRename
	ProbePrintSyscallTable
	ProbePrintNetSeqOps
	ProbeSecurityInodeRename
	ProbeDoSigaction
	ProbeSecurityBpfProg
	ProbeSecurityFileIoctl
	ProbeCheckHelperCall
	ProbeCheckMapFuncCompatibility
	ProbeKallsymsLookupName
	ProbeKallsymsLookupNameRet
	ProbeSockAllocFile
	ProbeSockAllocFileRet
	ProbeSecuritySkClone
	ProbeSecuritySocketRecvmsg
	ProbeSecuritySocketSendmsg
	ProbeCgroupBPFRunFilterSKB
	ProbeCgroupSKBIngress
	ProbeCgroupSKBEgress
	ProbeDoMmap
	ProbeDoMmapRet
	ProbePrintMemDump
	ProbeVfsRead
	ProbeVfsReadRet
	ProbeVfsReadV
	ProbeVfsReadVRet
	ProbeVfsUtimes
	ProbeUtimesCommon
	ProbeDoTruncate
	ProbeFileUpdateTime
	ProbeFileUpdateTimeRet
	ProbeFileModified
	ProbeFileModifiedRet
	ProbeFdInstall
	ProbeFilpClose
	ProbeInotifyFindInode
	ProbeInotifyFindInodeRet
	ProbeBpfCheck
	ProbeExecBinprm
	ProbeExecBinprmRet
	ProbeHiddenKernelModuleSeeker
	ProbeTpProbeRegPrioMayExist
	ProbeHiddenKernelModuleVerifier
	ProbeModuleLoad
	ProbeModuleFree
	ProbeLayoutAndAllocate
	ProbeInetSockSetState
	ProbeOomMarkVictim
	ProbeTtyOpen

	// Signal probes
	SignalCgroupMkdir
	SignalCgroupRmdir
	SignalSchedProcessFork
	SignalSchedProcessExec
	SignalSchedProcessExit
)

Variables

View Source
var (
	FilterPass                    error = nil
	FilterErrRateLimit                  = errors.New("rate limit")
	FilterErrEmptyDNSResponse           = errors.New("empty dns response")
	FilterErrDNSDuplicateDetected       = errors.New("dns duplicate detected")
)
View Source
var ErrPanic = errors.New("encountered panic")

Error indicating that the resulting error was caught from a panic

Functions

This section is empty.

Types

type ActualDestinationGetter

type ActualDestinationGetter interface {
	GetDestination(src, dst netip.AddrPort) (netip.AddrPort, bool)
}

ActualDestinationGetter is used to find actual destination ip. Usually this info is obtained from conntrack.

type ArgType

type ArgType uint8

type CgroupClient added in v1.3.0

type CgroupClient interface {
	LoadCgroup(id cgroup.ID, path string)
	CleanupCgroup(cgroup cgroup.ID)
	IsDefaultHierarchy(uint32) bool
}

type Config

type Config struct {
	BTFPath                 string
	EventsPerCPUBuffer      int
	EventsOutputChanSize    int
	GCInterval              time.Duration
	DefaultCgroupsVersion   string `validate:"required,oneof=V1 V2"`
	ActualDestinationGetter ActualDestinationGetter
	DebugEnabled            bool
	ContainerClient         ContainerClient
	CgroupClient            CgroupClient
	EnrichEvent             SubmitForEnrichment
	MountNamespacePIDStore  *types.PIDsPerNamespace
	// All PIPs reported from ebpf will be normalized to this PID namespace
	HomePIDNS     proc.NamespaceID
	AllowAnyEvent bool
}

type ContainerClient

type ContainerClient interface {
	GetContainerForCgroup(ctx context.Context, cgroup cgroup.ID) (*containers.Container, error)
	CleanupCgroup(cgroup cgroup.ID)
}

type EventFilter

type EventFilter func(event *castpb.Event) error

EventFilter allows for filtering of events before they are send to the server

type EventFilterGenerator

type EventFilterGenerator func() EventFilter

EventFilterGenerator Produces an event filter for each call

func DeduplicateDnsEvents

func DeduplicateDnsEvents(l *logging.Logger, size uint32, ttl time.Duration) EventFilterGenerator

DeduplicateDnsEvents creates a filter that will drop any DNS event with questions already seen in `ttl` time

func FilterAnd

func FilterAnd(filtersGenerators ...EventFilterGenerator) EventFilterGenerator

func FilterEmptyDnsAnswers

func FilterEmptyDnsAnswers(l *logging.Logger) EventFilterGenerator

FilterEmptyDnsAnswers will drop any DNS event, that is missing an answer section

func GlobalEventFilterGenerator

func GlobalEventFilterGenerator(filter EventFilter) EventFilterGenerator

GlobalEventFilterGenerator always returns the given filter on each generator invocation. This is useful, if you want some global filtering across cgroups.

func RateLimit

func RateLimit(spec RateLimitPolicy) EventFilterGenerator

type EventPolicy

type EventPolicy struct {
	ID                 events.ID
	PreFilterGenerator PreEventFilterGenerator
	FilterGenerator    EventFilterGenerator
}

type EventProbe

type EventProbe struct {
	// contains filtered or unexported fields
}

type KSymbol

type KSymbol struct {
	// contains filtered or unexported fields
}

type LRUPolicy

type LRUPolicy struct {
	Size int
}

type Policy

type Policy struct {
	SystemEvents    []events.ID // List of events required for internal tasks such as cache cleanup
	SignatureEngine *signature.SignatureEngine
	Events          []*EventPolicy
	Output          PolicyOutputConfig
}

type PolicyOutputConfig

type PolicyOutputConfig struct {
	StackAddresses bool
	ExecEnv        bool
	RelativeTime   bool
	ExecHash       bool

	ParseArguments    bool
	ParseArgumentsFDs bool
	EventsSorting     bool
}

type PreEventFilter

type PreEventFilter func(ctx *types.EventContext) error

PreEventFilter allows for filtering of events coming from the kernel before they are decoded

type PreEventFilterGenerator

type PreEventFilterGenerator func() PreEventFilter

EventFilterGenerator Produces an pre event filter for each call

func GlobalPreEventFilterGenerator

func GlobalPreEventFilterGenerator(filter PreEventFilter) PreEventFilterGenerator

GlobalPreEventFilterGenerator always returns the given filter on each generator invocation. This is useful, if you want some global filtering across cgroups.

func PreRateLimit

func PreRateLimit(spec RateLimitPolicy) PreEventFilterGenerator

PreRateLimit creates an pre event filter that limits the amount of events that will be processed accoring to the specified limits

type RateLimitPolicy

type RateLimitPolicy struct {
	// If interval is set rate limit can be used as interval based sampling. In such case burst is always 1.
	Interval time.Duration

	// Rate is events per second.
	Rate  float64
	Burst int
}

RateLimitPolicy allows to configure event rate limiting.

type SubmitForEnrichment added in v1.1.0

type SubmitForEnrichment func(*enrichment.EnrichRequest) bool

type SyscallID

type SyscallID uint32

func (SyscallID) String

func (s SyscallID) String() string

type SyscallStats

type SyscallStats struct {
	ID    SyscallID
	Count uint64
}

type SyscallStatsKeyCgroupID

type SyscallStatsKeyCgroupID uint64

type TailCall

type TailCall struct {
	// contains filtered or unexported fields
}

type Tracer

type Tracer struct {
	// contains filtered or unexported fields
}

func New

func New(log *logging.Logger, cfg Config) *Tracer

func (*Tracer) ApplyPolicy

func (t *Tracer) ApplyPolicy(policy *Policy) error

func (*Tracer) Close

func (t *Tracer) Close() error

func (*Tracer) Events

func (t *Tracer) Events() <-chan *castpb.Event

func (*Tracer) GetEventName added in v1.4.0

func (t *Tracer) GetEventName(id events.ID) string

func (*Tracer) IsCgroupMuted

func (t *Tracer) IsCgroupMuted(cgroup uint64) bool

func (*Tracer) Load

func (t *Tracer) Load() error

func (*Tracer) MuteEventsFromCgroup

func (t *Tracer) MuteEventsFromCgroup(cgroup uint64) error

func (*Tracer) MuteEventsFromCgroups

func (t *Tracer) MuteEventsFromCgroups(cgroups []uint64) error

func (*Tracer) ReadSyscallStats

func (t *Tracer) ReadSyscallStats() (map[SyscallStatsKeyCgroupID][]SyscallStats, error)

func (*Tracer) Run

func (t *Tracer) Run(ctx context.Context) error

func (*Tracer) UnmuteEventsFromCgroup

func (t *Tracer) UnmuteEventsFromCgroup(cgroup uint64) error

func (*Tracer) UnmuteEventsFromCgroups

func (t *Tracer) UnmuteEventsFromCgroups(cgroups []uint64) error

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL