ebpf

package
v0.17.0
Published: Aug 15, 2023 License: Apache-2.0 Imports: 52 Imported by: 0

Documentation

Constants

const (
	IterateShared int = iota
	Iterate
)
const BPFMaxLogFileLen = 72 // BPF_MAX_LOG_FILE_LEN

Variables

This section is empty.

Functions

func FindingToEvent

func FindingToEvent(f detect.Finding) (*trace.Event, error)

FindingToEvent converts a detect.Finding into a trace.Event. This is needed because the pipeline expects trace.Event, while the rule engine returns detect.Finding.

func GetCaptureEventsList

func GetCaptureEventsList(cfg config.Config) map[events.ID]events.EventState

GetCaptureEventsList returns the events used to capture data, selected according to the given config.

func GetEssentialEventsList

func GetEssentialEventsList() map[events.ID]events.EventState

GetEssentialEventsList returns the default set of events used by tracker.

func LoadKallsymsValues

func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol

func MergeErrors

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors. Based on https://blog.golang.org/pipelines.

func SendKsymbolsToMap

func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helpers.KernelSymbol) error

func ValidateKsymbolsTable

func ValidateKsymbolsTable(ksyms helpers.KernelSymbolTable) bool

ValidateKsymbolsTable checks whether the addresses in the table are valid by examining the address of one specific symbol. Addresses are invalid when the capabilities required to read the kallsyms file were not granted (the kernel then reports them as zero). The symbol used here is "security_file_open", because it is a must-have symbol for tracker to run.

Types

type BPFLog

type BPFLog struct {
	// contains filtered or unexported fields
}

BPFLog contains aggregated data about the origin of a BPF log entry.

func (BPFLog) CPU

func (b BPFLog) CPU() uint32

func (BPFLog) Count

func (b BPFLog) Count() uint32

func (*BPFLog) Decode

func (b *BPFLog) Decode(rawBuffer []byte) error

func (BPFLog) Error

func (b BPFLog) Error() string

func (BPFLog) File

func (b BPFLog) File() []byte

func (BPFLog) FileAsString

func (b BPFLog) FileAsString() string

func (BPFLog) ID

func (b BPFLog) ID() uint32

func (BPFLog) Line

func (b BPFLog) Line() uint32

func (BPFLog) LogLevel

func (b BPFLog) LogLevel() logger.Level

func (BPFLog) Return

func (b BPFLog) Return() int64

func (BPFLog) Size

func (b BPFLog) Size() int

func (BPFLog) Type

func (b BPFLog) Type() BPFLogType

type BPFLogType

type BPFLogType uint32
const (
	BPFLogIDUnspec BPFLogType = iota // BPF_LOG_ID_UNSPEC

	// tracker functions
	BPFLogIDInitContext // BPF_LOG_ID_INIT_CONTEXT

	// bpf helpers functions
	BPFLogIDMapLookupElem  // BPF_LOG_ID_MAP_LOOKUP_ELEM
	BPFLogIDMapUpdateElem  // BPF_LOG_ID_MAP_UPDATE_ELEM
	BPFLogIDMapDeleteElem  // BPF_LOG_ID_MAP_DELETE_ELEM
	BPFLogIDGetCurrentComm // BPF_LOG_ID_GET_CURRENT_COMM
	BPFLogIDTailCall       // BPF_LOG_ID_TAIL_CALL
	BPFLogIDMemRead        // BPF_LOG_ID_MEM_READ
)

func (BPFLogType) String

func (b BPFLogType) String() string

type InitValues

type InitValues struct {
	Kallsyms bool
}

InitValues determines whether to initialize values that might be needed by eBPF programs.

type Tracker

type Tracker struct {
	OutDir *os.File // use utils.XXX functions to create or write to this file

	// BPF Maps
	StackAddressesMap *bpf.BPFMap
	FDArgPathMap      *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracker traces system calls and system events using eBPF

func New

func New(cfg config.Config) (*Tracker, error)

New creates a new Tracker instance based on a given valid Config. It is expected not to cause external system side effects (reads, writes, etc.).

func (*Tracker) AddReadyCallback

func (t *Tracker) AddReadyCallback(f func(ctx gocontext.Context))

AddReadyCallback sets a callback function to be called once the tracker has started all its probes and is ready to receive events.

func (*Tracker) Close

func (t *Tracker) Close()

Close cleans up created resources

func (*Tracker) Init

func (t *Tracker) Init() error

Init initializes the tracker instance and its various subsystems, potentially performing external system operations to do so. NOTE: any initialization logic, especially logic that causes side effects, should go here and not in New().

func (*Tracker) NewKernelSymbols

func (t *Tracker) NewKernelSymbols() error

func (*Tracker) PrepareBuiltinDataSources

func (t *Tracker) PrepareBuiltinDataSources() []detect.DataSource

PrepareBuiltinDataSources returns a list of all data sources tracker makes available built-in

func (*Tracker) RegisterEventDerivation

func (t *Tracker) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, deriveLogic derive.DeriveFunction) error

RegisterEventDerivation registers an event derivation handler for tracker to use in the event pipeline

func (*Tracker) RegisterEventProcessor

func (t *Tracker) RegisterEventProcessor(id events.ID, proc func(evt *trace.Event) error) error

RegisterEventProcessor registers a pipeline processing handler for an event

func (*Tracker) Run

func (t *Tracker) Run(ctx gocontext.Context) error

Run starts the trace. It runs until ctx is cancelled.

func (*Tracker) Running

func (t *Tracker) Running() bool

Running returns true if the tracker is running

func (*Tracker) Stats

func (t *Tracker) Stats() *metrics.Stats

func (*Tracker) UpdateBPFKsymbolsMap

func (t *Tracker) UpdateBPFKsymbolsMap() error

func (*Tracker) UpdateKallsyms

func (t *Tracker) UpdateKallsyms() error

func (*Tracker) UpdateKernelSymbols

func (t *Tracker) UpdateKernelSymbols() error

func (*Tracker) WaitForPipeline

func (t *Tracker) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.
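The error fan-in that MergeErrors and WaitForPipeline describe, as an added example written for this page rather than taken from the tracker package: mergeErrors, waitForPipeline and finishedStage are stand-ins that mirror the documented signatures, and the "decode" error is a constructed sample.

```go
package main

import (
	"fmt"
	"sync"
)

// mergeErrors fans several error channels into one (the fan-in pattern from
// https://blog.golang.org/pipelines); out is closed only after every input has closed.
func mergeErrors(cs ...<-chan error) <-chan error {
	var wg sync.WaitGroup
	out := make(chan error, len(cs))
	wg.Add(len(cs))
	for _, c := range cs {
		go func(c <-chan error) { // one forwarder per input channel
			defer wg.Done()
			for err := range c {
				out <- err
			}
		}(c)
	}
	go func() { wg.Wait(); close(out) }() // close once every forwarder exits
	return out
}

// waitForPipeline drains the merged stream (so every forwarder exits) and returns the first non-nil error.
func waitForPipeline(errs ...<-chan error) error {
	var first error
	for err := range mergeErrors(errs...) {
		if err != nil && first == nil {
			first = err
		}
	}
	return first
}

// finishedStage is a constructed stand-in for a pipeline stage that has exited:
// it reports at most one failure on a buffered channel, then closes it.
func finishedStage(fail error) <-chan error {
	errc := make(chan error, 1)
	if fail != nil {
		errc <- fail
	}
	close(errc)
	return errc
}

func main() {
	fmt.Println(waitForPipeline(finishedStage(nil), finishedStage(fmt.Errorf("decode: bad event size")), finishedStage(nil)))
}
```

Because waitForPipeline drains rather than returning on the first error, no forwarder goroutine is left blocked on a send once the stages have closed their channels.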
