Documentation
Index
- Constants
- type Binary
- type KernelStats
- type MsgCapabilities
- type MsgCgroupData
- type MsgCgroupEvent
- type MsgCloneEvent
- type MsgCommon
- type MsgExec
- type MsgExecveEvent
- type MsgExecveEventUnix
- type MsgExecveKey
- type MsgExitEvent
- type MsgExitInfo
- type MsgGenericCred
- type MsgK8s
- type MsgK8sUnix
- type MsgNamespaces
- type MsgProcess
- type MsgUserNamespace
Constants
const (
	// DOCKER_ID_LENGTH to match BPF side buffer size where we read the
	// cgroup of the task
	DOCKER_ID_LENGTH = 128

	// Length of the cgroup name as it is returned from BPF side
	CGROUP_NAME_LENGTH = 128
	// Length of the cgroup path as it is returned from BPF side
	CGROUP_PATH_LENGTH = 4096

	MSG_SIZEOF_MAXARG = 100
	MSG_SIZEOF_EXECVE = 56
	MSG_SIZEOF_CWD    = 256
	MSG_SIZEOF_ARGS   = 1024
	MSG_SIZEOF_BUFFER = MSG_SIZEOF_ARGS + MSG_SIZEOF_CWD + MSG_SIZEOF_EXECVE + MSG_SIZEOF_EXECVE + MSG_SIZEOF_MAXARG

	// MsgUnixSize of msg
	MsgUnixSize uint32 = 640

	/* Execve extra flags */
	ExecveSetuid = 0x01
	ExecveSetgid = 0x02

	/* Execve flags received from BPF */
	ExecveFileCaps   = 0x04 // This binary execution gained new capabilities through file capabilities execution
	ExecveSetuidRoot = 0x08 // This binary execution gained new capabilities through setuid root execution
	ExecveSetgidRoot = 0x10 // This binary execution gained new capabilities through setgid root execution

	// flags of MsgCommon
	MSG_COMMON_FLAG_RETURN            = 0x1
	MSG_COMMON_FLAG_KERNEL_STACKTRACE = 0x2
	MSG_COMMON_FLAG_USER_STACKTRACE   = 0x4

	BINARY_PATH_MAX_LEN = 256
)
const (
	// UnresolvedMountPoints = 0x1 // (deprecated)
	UnresolvedPathComponents = 0x2
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Binary (added in v1.1.0)
type Binary struct {
	PathLength int64
	Path       [BINARY_PATH_MAX_LEN]byte
}
type KernelStats (added in v1.0.1)
type KernelStats struct {
	SentFailed [256]uint64 `align:"sent_failed"`
}
type MsgCapabilities
type MsgCgroupData (added in v0.8.4)
type MsgCgroupData struct {
	State       int32                    `align:"state"`        // State of cgroup
	HierarchyId uint32                   `align:"hierarchy_id"` // Unique id for the hierarchy
	Level       uint32                   `align:"level"`        // The depth this cgroup is at
	Pad         uint32                   `align:"pad"`
	Name        [CGROUP_NAME_LENGTH]byte `align:"name"` // Cgroup kernfs_node name
}
MsgCgroupData is complementary cgroup data that is collected from BPF side on various cgroup events.
type MsgCgroupEvent (added in v0.8.4)
type MsgCgroupEvent struct {
	Common        MsgCommon                `align:"common"`
	Parent        MsgExecveKey             `align:"parent"`
	CgrpOp        uint32                   `align:"cgrp_op"` // Current cgroup operation
	PID           uint32                   `align:"pid"`
	NSPID         uint32                   `align:"nspid"`
	Flags         uint32                   `align:"flags"`
	Ktime         uint64                   `align:"ktime"`
	CgrpidTracker uint64                   `align:"cgrpid_tracker"` // The tracking cgroup ID
	Cgrpid        uint64                   `align:"cgrpid"`         // Current cgroup ID
	CgrpData      MsgCgroupData            `align:"cgrp_data"`      // Complementary cgroup data
	Path          [CGROUP_PATH_LENGTH]byte `align:"path"`           // Full path of the cgroup on fs
}
MsgCgroupEvent is the data that is sent from BPF side on cgroup events into ring buffer.
type MsgCloneEvent
type MsgCommon
type MsgCommon struct {
	Op uint8
	// Flags is used to:
	//  - distinguish between an entry and a return kprobe event
	//  - indicate if a stack trace id was passed in the event
	Flags  uint8
	Pad_v2 [2]uint8
	Size   uint32
	Ktime  uint64
}
API between Kernel BPF and Userspace tetragon Golang agent
type MsgExecveEvent
type MsgExecveEvent struct {
	Common         MsgCommon
	Kube           MsgK8s
	Parent         MsgExecveKey
	ParentFlags    uint64
	Creds          MsgGenericCred
	Namespaces     MsgNamespaces
	CleanupProcess MsgExecveKey
}
type MsgExecveEventUnix
type MsgExecveEventUnix struct {
	Msg     *MsgExecveEvent
	Kube    MsgK8sUnix
	Process MsgProcess
}
type MsgExecveKey
type MsgExitEvent
type MsgExitEvent struct {
	Common     MsgCommon    `align:"common"`
	ProcessKey MsgExecveKey `align:"current"`
	Info       MsgExitInfo  `align:"info"`
}
type MsgExitInfo
type MsgGenericCred (added in v1.1.0)
type MsgK8s
type MsgK8s struct {
	NetNS  uint32
	Cid    uint32
	Cgrpid uint64
	Docker [DOCKER_ID_LENGTH]byte
}
type MsgK8sUnix
type MsgK8sUnix struct {
	Docker string
}
type MsgNamespaces