ebpf

package

v0.19.0 Latest Latest Go to latest Published: Dec 1, 2023 License: Apache-2.0 Imports: 55 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/khulnasoft-lab/tracker

Documentation ¶

Index ¶

Constants
func FindingToEvent(f detect.Finding) (*trace.Event, error)
func GetCaptureEventsList(cfg config.Config) map[events.ID]events.EventState
func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol
func MergeErrors(cs ...<-chan error) <-chan error
func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helpers.KernelSymbol) error
type BPFLog
type BPFLogType
- func (b BPFLogType) String() string
type InitValues
type Tracker
- func New(cfg config.Config) (*Tracker, error)

Constants ¶

View Source

const (
	IterateShared int = iota
	Iterate
)

View Source

const BPFMaxLogFileLen = 72 // BPF_MAX_LOG_FILE_LEN

Variables ¶

This section is empty.

Functions ¶

func FindingToEvent ¶

func FindingToEvent(f detect.Finding) (*trace.Event, error)

FindingToEvent converts a detect.Finding into a trace.Event This is used because the pipeline expects trace.Event, but the rule engine returns detect.Finding

func GetCaptureEventsList ¶

func GetCaptureEventsList(cfg config.Config) map[events.ID]events.EventState

GetCaptureEventsList sets events used to capture data.

func LoadKallsymsValues ¶

func LoadKallsymsValues(ksymsTable helpers.KernelSymbolTable, ksymbols []string) map[string]*helpers.KernelSymbol

func MergeErrors ¶

func MergeErrors(cs ...<-chan error) <-chan error

MergeErrors merges multiple channels of errors (https://blog.golang.org/pipelines)

func SendKsymbolsToMap ¶

func SendKsymbolsToMap(bpfKsymsMap *libbpfgo.BPFMap, ksymbols map[string]*helpers.KernelSymbol) error

Types ¶

type BPFLog ¶

type BPFLog struct {
	// contains filtered or unexported fields
}

BPFLog struct contains aggregated data about a bpf log origin

func (BPFLog) CPU ¶

func (b BPFLog) CPU() uint32

func (BPFLog) Count ¶

func (b BPFLog) Count() uint32

func (*BPFLog) Decode ¶

func (b *BPFLog) Decode(rawBuffer []byte) error

func (BPFLog) Error ¶

func (b BPFLog) Error() string

func (BPFLog) File ¶

func (b BPFLog) File() []byte

func (BPFLog) FileAsString ¶

func (b BPFLog) FileAsString() string

func (BPFLog) ID ¶

func (b BPFLog) ID() uint32

func (BPFLog) Line ¶

func (b BPFLog) Line() uint32

func (BPFLog) LogLevel ¶

func (b BPFLog) LogLevel() logger.Level

func (BPFLog) Return ¶

func (b BPFLog) Return() int64

func (BPFLog) Size ¶

func (b BPFLog) Size() int

func (BPFLog) Type ¶

func (b BPFLog) Type() BPFLogType

type BPFLogType ¶

type BPFLogType uint32

const (
	BPFLogIDUnspec BPFLogType = iota // BPF_LOG_ID_UNSPEC

	// tracker functions
	BPFLogIDInitContext // BPF_LOG_ID_INIT_CONTEXT

	// bpf helpers functions
	BPFLogIDMapLookupElem  // BPF_LOG_ID_MAP_LOOKUP_ELEM
	BPFLogIDMapUpdateElem  // BPF_LOG_ID_MAP_UPDATE_ELEM
	BPFLogIDMapDeleteElem  // BPF_LOG_ID_MAP_DELETE_ELEM
	BPFLogIDGetCurrentComm // BPF_LOG_ID_GET_CURRENT_COMM
	BPFLogIDTailCall       // BPF_LOG_ID_TAIL_CALL
	BPFLogIDMemRead        // BPF_LOG_ID_MEM_READ
)

func (BPFLogType) String ¶

func (b BPFLogType) String() string

type InitValues ¶

type InitValues struct {
	Kallsyms bool
}

InitValues determines if to initialize values that might be needed by eBPF programs

type Tracker ¶

type Tracker struct {
	OutDir *os.File // use utils.XXX functions to create or write to this file

	// BPF Maps
	StackAddressesMap *bpf.BPFMap
	FDArgPathMap      *bpf.BPFMap
	// contains filtered or unexported fields
}

Tracker traces system calls and system events using eBPF

func New ¶

func New(cfg config.Config) (*Tracker, error)

New creates a new Tracker instance based on a given valid Config. It is expected that it won't cause external system side effects (reads, writes, etc).

func (*Tracker) AddReadyCallback ¶

func (t *Tracker) AddReadyCallback(f func(ctx gocontext.Context))

AddReadyCallback sets a callback function to be called when the tracker started all its probes and is ready to receive events

func (*Tracker) Close ¶

func (t *Tracker) Close()

Close cleans up created resources

func (*Tracker) DisableEvent ¶ added in v0.17.2

func (t *Tracker) DisableEvent(eventName string) error

func (*Tracker) DisableRule ¶ added in v0.17.2

func (t *Tracker) DisableRule(policyNames []string, ruleId string) error

DisableRule disables a rule in the specified policies

func (*Tracker) EnableEvent ¶ added in v0.17.2

func (t *Tracker) EnableEvent(eventName string) error

func (*Tracker) EnableRule ¶ added in v0.17.2

func (t *Tracker) EnableRule(policyNames []string, ruleId string) error

EnableRule enables a rule in the specified policies

func (*Tracker) Init ¶

func (t *Tracker) Init(ctx gocontext.Context) error

Init initialize tracker instance and it's various subsystems, potentially performing external system operations to initialize them. NOTE: any initialization logic, especially one that causes side effects, should go here and not New().

func (*Tracker) NewKernelSymbols ¶

func (t *Tracker) NewKernelSymbols() error

func (*Tracker) PrepareBuiltinDataSources ¶

func (t *Tracker) PrepareBuiltinDataSources() []detect.DataSource

PrepareBuiltinDataSources returns a list of all data sources tracker makes available built-in

func (*Tracker) RegisterEventDerivation ¶

func (t *Tracker) RegisterEventDerivation(deriveFrom events.ID, deriveTo events.ID, deriveCondition func() bool, deriveLogic derive.DeriveFunction) error

RegisterEventDerivation registers an event derivation handler for tracker to use in the event pipeline

func (*Tracker) RegisterEventProcessor ¶

func (t *Tracker) RegisterEventProcessor(id events.ID, proc func(evt *trace.Event) error)

RegisterEventProcessor registers a new event processor for a specific event id.

func (*Tracker) Run ¶

func (t *Tracker) Run(ctx gocontext.Context) error

Run starts the trace. it will run until ctx is cancelled

func (*Tracker) Running ¶

func (t *Tracker) Running() bool

Running returns true if the tracker is running

func (*Tracker) Stats ¶

func (t *Tracker) Stats() *metrics.Stats

func (t *Tracker) Subscribe(policyNames []string) (*streams.Stream, error)

Subscribe returns a stream subscribed to selected policies

func (*Tracker) SubscribeAll ¶ added in v0.17.2

func (t *Tracker) SubscribeAll() *streams.Stream

SubscribeAll returns a stream subscribed to all policies

func (*Tracker) Unsubscribe ¶ added in v0.17.2

func (t *Tracker) Unsubscribe(s *streams.Stream)

Unsubscribe unsubscribes stream

func (*Tracker) UpdateBPFKsymbolsMap ¶

func (t *Tracker) UpdateBPFKsymbolsMap() error

func (*Tracker) UpdateKallsyms ¶

func (t *Tracker) UpdateKallsyms() error

func (*Tracker) UpdateKernelSymbols ¶

func (t *Tracker) UpdateKernelSymbols() error

func (*Tracker) WaitForPipeline ¶

func (t *Tracker) WaitForPipeline(errs ...<-chan error) error

WaitForPipeline waits for results from all error channels.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
controlplane
initialization
probes

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL