kernel

package
v0.1.5 Latest
Warning

This package is not in the latest version of its module.

Published: Feb 10, 2021 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Overview

The kernel package contains APIs to create and communicate with the running BPF.

Constants

const (
	OffsetFlagNsProxy = (1 << 0)
	OffsetFlagPidNs   = (1 << 1)
	OffsetFlagAll     = (OffsetFlagNsProxy | OffsetFlagPidNs)
)

Types

type Config

type Config struct {
	// enable kernel metrics
	EnableMetrics bool
	// enable kernel trace events
	EnableTracer bool
	// the tracepoints (names) to enable by default
	Tracepoints []string
}

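Config holds the configuration for a kernel probe: whether kernel metrics and kernel trace events are enabled, and which tracepoints are enabled by default.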

func NewProbeConfig

func NewProbeConfig() *Config

NewProbeConfig returns the default configuration for a kernel probe.

type DataCallback

type DataCallback func(msg []byte, lost uint64) error

DataCallback is used to inform the caller that there is data ready to be decoded from the kernel.

type Filter added in v0.1.4

type Filter struct {
	// contains filtered or unexported fields
}

Filter contains all the bits to communicate with the kernel-filter

func NewFilter added in v0.1.4

func NewFilter(mod *elf.Module) *Filter

NewFilter sets and initializes all the underlying BPF maps for working with the kernel-filter

func (*Filter) AddMetrics added in v0.1.4

func (f *Filter) AddMetrics(ns int) error

AddMetrics is a helper function which is backwards-compatible with the old filtering logic, but uses new filtering logic for enabling metrics on a pid-namespace.

func (*Filter) AddRule added in v0.1.4

func (f *Filter) AddRule(rule *FilterRule) error

func (*Filter) AddSampledSyscall added in v0.1.4

func (f *Filter) AddSampledSyscall(nr interface{}, ns int, rate uint64) error

AddSampledSyscall is a helper function which is backwards-compatible with the old filtering logic, but uses new filtering logic.

func (*Filter) AddSyscall added in v0.1.4

func (f *Filter) AddSyscall(nr interface{}, ns int) error

AddSyscall is a helper function which is backwards-compatible with the old filtering logic, but uses new filtering logic.

func (*Filter) DelRule added in v0.1.4

func (f *Filter) DelRule(rule *FilterRule) error

func (*Filter) Enable added in v0.1.4

func (f *Filter) Enable() error

func (*Filter) FilterSelf added in v0.1.4

func (f *Filter) FilterSelf() error

FilterSelf will make sure that no events are emitted from the kernel that have the same PID as the caller.

func (*Filter) GetRunning added in v0.1.4

func (f *Filter) GetRunning() ([]*FilterRule, error)

func (*Filter) RemoveMetrics added in v0.1.4

func (f *Filter) RemoveMetrics(ns int) error

RemoveMetrics is a helper function which is backwards-compatible with the old filtering logic, but uses the new filtering logic for deleting metrics on a pid-namespace.

func (*Filter) RemoveSyscall added in v0.1.4

func (f *Filter) RemoveSyscall(nr interface{}, ns int) error

RemoveSyscall is a helper function which is backwards-compatible with the old filtering logic, but uses new filtering logic for deleting elements created by AddSyscall()

type FilterRule added in v0.1.4

type FilterRule struct {
	// contains filtered or unexported fields
}

FilterRule represents a single entry in the kernel-filter

func NewFilterRule added in v0.1.4

func NewFilterRule(opts ...FilterRuleOption) (*FilterRule, error)

func NewFilterRuleN added in v0.1.4

func NewFilterRuleN(opts ...FilterRuleOption) *FilterRule

NewFilterRuleN is an error-wrapper around NewFilterRule.

func (*FilterRule) String added in v0.1.4

func (r *FilterRule) String() string

type FilterRuleOption added in v0.1.4

type FilterRuleOption func(*FilterRule) error

func FilterRuleSetActionAllow added in v0.1.4

func FilterRuleSetActionAllow() FilterRuleOption

func FilterRuleSetActionDrop added in v0.1.4

func FilterRuleSetActionDrop() FilterRuleOption

func FilterRuleSetModeMetrics added in v0.1.4

func FilterRuleSetModeMetrics() FilterRuleOption

func FilterRuleSetModeSyscall added in v0.1.4

func FilterRuleSetModeSyscall() FilterRuleOption

func FilterRuleSetPid added in v0.1.4

func FilterRuleSetPid(pid int) FilterRuleOption

func FilterRuleSetPidNamespace added in v0.1.4

func FilterRuleSetPidNamespace(ns int) FilterRuleOption

func FilterRuleSetSampleRate added in v0.1.4

func FilterRuleSetSampleRate(rate int) FilterRuleOption

func FilterRuleSetSyscall added in v0.1.4

func FilterRuleSetSyscall(sc interface{}) FilterRuleOption

type Offset

type Offset struct {
	Type  OffsetType
	Value OffsetValue
}

Offset is a structure that represents a single offset configuration entry in the ebpf.

func NewOffset

func NewOffset(t OffsetType, offs OffsetValue) *Offset

NewOffset creates a new offset context

type OffsetType

type OffsetType uint8
const (
	// ebpf configuration for the offset to task_struct's `nsproxy` member
	OffsetNSProxy OffsetType = 1
	// ebpf configuration for the offset to pid_namespace's `ns` member
	OffsetPidNSCommon OffsetType = 2
)

type OffsetValue

type OffsetValue uint32

type Offsetter

type Offsetter struct {
	// contains filtered or unexported fields
}

The Offsetter type holds all the pertinent information to store offsets in the running kernel's offset lookup table.

func NewOffsetter

func NewOffsetter(mod *elf.Module) (*Offsetter, error)

NewOffsetter creates and initializes a new Offsetter context from the ebpf module.

func (*Offsetter) Set

func (o *Offsetter) Set(t interface{}, offset OffsetValue) error

Set will set the bpf offset configuration based on the type `t`. `t` can either be a string (nsproxy, pid_ns_common), or its native OffsetType. `offset` is the offset at which this structure member lives.

type Probe

type Probe struct {
	// contains filtered or unexported fields
}

Probe contains underlying structures to control the kernel probe.

func NewProbe

func NewProbe(bpf *bytes.Reader, cfg *Config) (*Probe, error)

NewProbe creates a new instance of the BPF controller

func (*Probe) Close

func (p *Probe) Close() error

Close cleans up the BPF handlers for a clean exit

func (*Probe) DetectAndSetOffsets added in v0.1.3

func (p *Probe) DetectAndSetOffsets() error

DetectAndSetOffsets is a wrapper around the kernel Offsetter. For now it requires `objdump` to be installed, and will attempt to find the offsets within the `struct task_struct` structure that are required to run the probe.

func (*Probe) InitProbe

func (p *Probe) InitProbe(opts ...ProbeInitOption) error

InitProbe will initialize the BPF and all of the communication channels for interaction

func (*Probe) InitTracepoints

func (p *Probe) InitTracepoints() error

InitTracepoints enables the BPF tracepoints on all of the necessary BPF hooks

func (*Probe) Module

func (p *Probe) Module() *elf.Module

Module returns the gobpf.elf module reference for use in other apis (like filtering)

func (*Probe) Run

func (p *Probe) Run(ctx context.Context, cb DataCallback) error

Run will start polling the BPF for events and for each event, executes the DataCallback

type ProbeInitOption added in v0.1.3

type ProbeInitOption func(*Probe) error

ProbeInitOption is a callback to be executed during the initialization phase of the BPF setup.

func WithDefaultFilter added in v0.1.3

func WithDefaultFilter() ProbeInitOption

WithDefaultFilter is a probe initialization step which writes the default filters to the running BPF

func WithOffsetDetection added in v0.1.3

func WithOffsetDetection() ProbeInitOption

WithOffsetDetection is a probe initialization step which attempts to find and set the offset configuration from the running kernel into the running BPF
