process

package

v0.10.0-rc1 Latest Latest Go to latest Published: Jul 11, 2023 License: Apache-2.0 Imports: 32 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/tetragon

Documentation ¶

Overview ¶

SPDX-License-Identifier: Apache-2.0 Copyright Authors of Tetragon

Index ¶

func AddCloneEvent(event *tetragonAPI.MsgCloneEvent) error
func ArgsDecoder(s string, flags uint32) (string, string)
func FreeCache()
func GetExecID(proc *tetragonAPI.MsgProcess) string
func GetExecIDFromKey(key *tetragonAPI.MsgExecveKey) string
func GetParentProcessInternal(pid uint32, ktime uint64) (*ProcessInternal, *ProcessInternal)
func GetPodInfo(cid, bin, args string, nspid uint32) (*tetragon.Pod, *hubblev1.Endpoint)
func GetProcessEndpoint(p *tetragon.Process) *hubblev1.Endpoint
func GetProcessID(pid uint32, ktime uint64) string
func InitCache(w watcher.K8sResourceWatcher, size int) error
func UpdateEventProcessTid(process *tetragon.Process, tid *uint32)
type Cache
- func NewCache(processCacheSize int) (*Cache, error)
- func (pc *Cache) Purge()
type ProcessInternal
- func AddExecEvent(event *tetragonAPI.MsgExecveEventUnix) *ProcessInternal
- func Get(execId string) (*ProcessInternal, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AddCloneEvent ¶

func AddCloneEvent(event *tetragonAPI.MsgCloneEvent) error

AddCloneEvent adds a new process into the cache from a CloneEvent

func ArgsDecoder ¶

func ArgsDecoder(s string, flags uint32) (string, string)

func FreeCache ¶

func FreeCache()

func GetExecID ¶

func GetExecID(proc *tetragonAPI.MsgProcess) string

func GetExecIDFromKey ¶

func GetExecIDFromKey(key *tetragonAPI.MsgExecveKey) string

func GetParentProcessInternal ¶

func GetParentProcessInternal(pid uint32, ktime uint64) (*ProcessInternal, *ProcessInternal)

func GetPodInfo ¶

func GetPodInfo(cid, bin, args string, nspid uint32) (*tetragon.Pod, *hubblev1.Endpoint)

GetPodInfo() constructs and returns the Kubernetes Pod information associated with the Container ID and the PID inside this container.

func GetProcessEndpoint ¶

func GetProcessEndpoint(p *tetragon.Process) *hubblev1.Endpoint

func GetProcessID ¶

func GetProcessID(pid uint32, ktime uint64) string

func InitCache ¶

func InitCache(w watcher.K8sResourceWatcher, size int) error

func UpdateEventProcessTid ¶ added in v0.10.0

func UpdateEventProcessTid(process *tetragon.Process, tid *uint32)

UpdateEventProcessTID Updates the Process.Tid of the event on the fly.

From BPF side as we track processes by their TGID we do not cache TIDs, this is done on purpose since we only track clone and execve where TGID == TID, and also to simplify things. From user space perspective this works in general without any problem especially for execve events. A cached process (user space procCache) will always have its TGID == TID.

However for other events we want to be precise and report the right thread that triggered an event. For such cases call this helper to set the Process.Tid to the corresponding thread ID that was reported from BPF side.

There is no point on calling this helper on clone or execve events, however on all other events it is perfectly fine.

Types ¶

type Cache ¶

type Cache struct {
	// contains filtered or unexported fields
}

func NewCache ¶

func NewCache(
	processCacheSize int,
) (*Cache, error)

func (*Cache) Purge ¶

func (pc *Cache) Purge()

type ProcessInternal ¶

type ProcessInternal struct {
	// contains filtered or unexported fields
}

ProcessInternal is the internal representation of a process. nolint:revive // This is an acceptable case of "stuttering" since the name "Internal" wouldn't make much sense by itself.

func AddExecEvent ¶

func AddExecEvent(event *tetragonAPI.MsgExecveEventUnix) *ProcessInternal

AddExecEvent constructs a new ProcessInternal structure from an Execve event, adds it to the cache, and also returns it

func Get ¶

func Get(execId string) (*ProcessInternal, error)

func (*ProcessInternal) AddPodInfo ¶

func (pi *ProcessInternal) AddPodInfo(pod *tetragon.Pod)

func (*ProcessInternal) AnnotateProcess ¶

func (pi *ProcessInternal) AnnotateProcess(cred, ns bool) error

func (*ProcessInternal) GetProcessCopy ¶

func (pi *ProcessInternal) GetProcessCopy() *tetragon.Process

GetProcessCopy() duplicates tetragon.Process and returns it

func (*ProcessInternal) RefDec ¶

func (pi *ProcessInternal) RefDec()

func (*ProcessInternal) RefGet ¶

func (pi *ProcessInternal) RefGet() uint32

func (*ProcessInternal) RefInc ¶

func (pi *ProcessInternal) RefInc()

func (*ProcessInternal) UnsafeGetProcess ¶

func (pi *ProcessInternal) UnsafeGetProcess() *tetragon.Process

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL