process

package
v1.0.2
Warning

This package is not in the latest version of its module.

Published: Jan 17, 2024 License: Apache-2.0 Imports: 37 Imported by: 0

Documentation

Overview

SPDX-License-Identifier: Apache-2.0 Copyright Authors of Tetragon

Constants

This section is empty.

Variables

var (
	ErrProcessInfoMissing = errors.New("failed process info missing")
)

Functions

func AddCloneEvent

func AddCloneEvent(event *tetragonAPI.MsgCloneEvent) error

AddCloneEvent adds a new process into the cache from a CloneEvent

func ArgsDecoder

func ArgsDecoder(s string, flags uint32) (string, string)

func FreeCache

func FreeCache()

func GetExecID

func GetExecID(proc *tetragonAPI.MsgProcess) string

func GetExecIDFromKey

func GetExecIDFromKey(key *tetragonAPI.MsgExecveKey) string

func GetK8s added in v0.11.0

func GetK8s() watcher.K8sResourceWatcher

GetK8s returns K8sResourceWatcher. You must call InitCache before calling this function to ensure that k8s has been initialized.

func GetParentProcessInternal

func GetParentProcessInternal(pid uint32, ktime uint64) (*ProcessInternal, *ProcessInternal)

func GetPodInfo

func GetPodInfo(cid, bin, args string, nspid uint32) *tetragon.Pod

GetPodInfo constructs and returns the Kubernetes Pod information associated with the Container ID and the PID inside this container.

func GetProcessID

func GetProcessID(pid uint32, ktime uint64) string

func GetWorkloadMetaFromPod added in v1.0.0

func GetWorkloadMetaFromPod(pod *corev1.Pod) (v1alpha1.WorkloadObjectMeta, metav1.TypeMeta)

GetWorkloadMetaFromPod heuristically derives workload metadata from the pod spec.

func InitCache

func InitCache(w watcher.K8sResourceWatcher, size int) error

func NewBPFCollector added in v1.0.0

func NewBPFCollector() prometheus.Collector

func UpdateEventProcessTid added in v0.10.0

func UpdateEventProcessTid(process *tetragon.Process, tid *uint32)

UpdateEventProcessTid updates the Process.Tid of the event on the fly.

On the BPF side, processes are tracked by their TGID and TIDs are not cached. This is done on purpose, since we only track clone and execve, where TGID == TID, and it also simplifies things. From the user-space perspective this generally works without any problem, especially for execve events. A cached process (user-space procCache) will always have its TGID == TID.

However, for other events we want to be precise and report the right thread that triggered the event. For such cases, call this helper to set Process.Tid to the thread ID that was reported from the BPF side.

There is no point in calling this helper on clone or execve events; on all other events it is perfectly fine.

Types

type Cache

type Cache struct {
	// contains filtered or unexported fields
}

func NewCache

func NewCache(
	processCacheSize int,
) (*Cache, error)

func (*Cache) Purge

func (pc *Cache) Purge()

type ProcessInternal

type ProcessInternal struct {
	// contains filtered or unexported fields
}

ProcessInternal is the internal representation of a process. nolint:revive // This is an acceptable case of "stuttering" since the name "Internal" wouldn't make much sense by itself.

func AddExecEvent

func AddExecEvent(event *tetragonAPI.MsgExecveEventUnix) *ProcessInternal

AddExecEvent constructs a new ProcessInternal structure from an Execve event, adds it to the cache, and also returns it

func Get

func Get(execId string) (*ProcessInternal, error)

func (*ProcessInternal) AddPodInfo

func (pi *ProcessInternal) AddPodInfo(pod *tetragon.Pod)

func (*ProcessInternal) AnnotateProcess

func (pi *ProcessInternal) AnnotateProcess(cred, ns bool) error

func (*ProcessInternal) GetProcessCopy

func (pi *ProcessInternal) GetProcessCopy() *tetragon.Process

GetProcessCopy() duplicates tetragon.Process and returns it

func (*ProcessInternal) RefDec

func (pi *ProcessInternal) RefDec()

func (*ProcessInternal) RefGet

func (pi *ProcessInternal) RefGet() uint32

func (*ProcessInternal) RefInc

func (pi *ProcessInternal) RefInc()

func (*ProcessInternal) UnsafeGetProcess

func (pi *ProcessInternal) UnsafeGetProcess() *tetragon.Process

func (*ProcessInternal) UpdateExecOutsideCache added in v1.0.0

func (pi *ProcessInternal) UpdateExecOutsideCache(cred bool) (*tetragon.Process, bool)

UpdateExecOutsideCache() checks whether ProcessExec.Process must be augmented with more fields without propagating those fields back into the process cache. The added fields therefore show up only in the returned ProcessExec.Process.

This is usually the case where we have the core information of the process, handled either directly or through some event cache retries. In all cases ProcessInternal.process is properly set and referenced and can't disappear, so we don't take any locks here. The function operates on the direct reference, and if some fields have to be added a deep copy is performed.

Returns:

  1. The updated Process if fields were added or updated, otherwise the same old Process reference.
  2. A boolean indicating whether a process information update was performed.

The current rules for making a copy and adding fields to the Process part of a ProcessExec event are:

  1. process_exec.process.binary_properties:
     a. if it is a setuid execution
     b. if it is a setgid execution
     c. if it is a filesystem capability execution

     a, b and c are subject to the --enable-process-creds flag.
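The two copy rules described for UpdateEventProcessTid and UpdateExecOutsideCache can be seen in a small model. This is an added example, not Tetragon's code: `Process`, `cache`, `addExec`, `eventProcess` and `execProcess` are hypothetical stand-ins, and the `Setuid` field stands in for binary_properties.

```go
package main

import "fmt"

// Process is a hypothetical stand-in for tetragon.Process with only the fields used here.
type Process struct {
	Pid, Tid uint32
	Binary   string
	Setuid   *uint32 // stand-in for binary_properties; nil unless a setuid execution
}

// cache models the user-space process cache: one entry per TGID, always with Tid == Pid.
var cache = map[uint32]*Process{}

// addExec caches a process at execve time, where TGID == TID holds.
func addExec(tgid uint32, binary string) *Process {
	p := &Process{Pid: tgid, Tid: tgid, Binary: binary}
	cache[tgid] = p
	return p
}

// eventProcess builds the Process reported for a non-exec event: a copy of the
// cached entry with Tid overridden by the thread ID the kernel side reported.
func eventProcess(tgid, tid uint32) (*Process, bool) {
	cached, ok := cache[tgid]
	if !ok {
		return nil, false // process info missing from the cache
	}
	cp := *cached
	cp.Tid = tid
	return &cp, true
}

// execProcess adds setuid information to an exec event only. It returns the
// cached reference untouched when nothing is added, else an augmented copy.
func execProcess(cached *Process, enableCreds bool, setuid *uint32) (*Process, bool) {
	if !enableCreds || setuid == nil {
		return cached, false
	}
	cp := *cached
	v := *setuid
	cp.Setuid = &v
	return &cp, true
}

func main() {
	addExec(100, "/usr/bin/app") // constructed sample values
	ev, _ := eventProcess(100, 107)
	fmt.Println(ev.Pid, ev.Tid, cache[100].Tid) // event carries thread 107, cache keeps 100
}
```

In both paths the cached entry stays as recorded at exec time, so later events for the same TGID never inherit another thread's ID or per-event credential fields.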
