Documentation ¶
Overview ¶
Package monitor is the component responsible for monitoring system calls and for loading, configuring and communicating with the eBPF programs that capture them.
Index ¶
- Constants
- Variables
- func GetArgs(dataBuff *bytes.Buffer, Argnum int32) ([]interface{}, error)
- func GetProtocol(proto int32) string
- func GetSocketType(st uint32) string
- func GetSyscallName(sc int32) string
- func Min(a, b int) int
- type ContextCombined
- type NsKey
- type NsVisibility
- type SyscallContext
- type SystemMonitor
- func (mon *SystemMonitor) AddActivePid(containerID string, node tp.PidNode)
- func (mon *SystemMonitor) AddContainerIDToNsMap(containerID string, namespace string, pidns, mntns uint32)
- func (mon *SystemMonitor) BuildLogBase(eventID int32, msg ContextCombined, readlink bool) tp.Log
- func (mon *SystemMonitor) BuildPidNode(containerID string, ctx SyscallContext, execPath string, args []string) tp.PidNode
- func (mon *SystemMonitor) CleanUpExitedHostPids()
- func (mon *SystemMonitor) DeleteActivePid(containerID string, ctx SyscallContext)
- func (mon *SystemMonitor) DeleteContainerIDFromNsMap(containerID string, namespace string, pidns, mntns uint32)
- func (mon *SystemMonitor) DestroyBPFMaps()
- func (mon *SystemMonitor) DestroySystemMonitor() error
- func (mon *SystemMonitor) GetCommand(containerID string, ctx SyscallContext, readlink bool) string
- func (mon *SystemMonitor) GetExecPath(containerID string, ctx SyscallContext, readlink bool) string
- func (mon *SystemMonitor) GetParentExecPath(containerID string, ctx SyscallContext, readlink bool) string
- func (mon *SystemMonitor) InitBPF() error
- func (mon *SystemMonitor) LookupContainerID(pidns, mntns, ppid, pid uint32) string
- func (mon *SystemMonitor) TraceSyscall()
- func (mon *SystemMonitor) UpdateContainerInfoByContainerID(log tp.Log) tp.Log
- func (mon *SystemMonitor) UpdateExecPath(containerID string, hostPid uint32, execPath string)
- func (mon *SystemMonitor) UpdateLogBase(ctx SyscallContext, log tp.Log) tp.Log
- func (mon *SystemMonitor) UpdateLogs()
- func (mon *SystemMonitor) UpdateNsKeyMap(action string, nsKey NsKey, visibility tp.Visibility)
- func (mon *SystemMonitor) UpdateThrottlingConfig()
- func (mon *SystemMonitor) UpdateVisibility()
Constants ¶
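// Syscall numbers - x86_64. These values are architecture specific: on arm64,
// for example, openat is 56 and execve is 221, so using this table on another
// architecture would silently mis-attribute events. Note that 166 is umount2
// on x86_64 (there is no plain umount entry in that table).
//
// Everything from DoExit (351) upward is NOT a syscall number. Judging by the
// names (do_exit, security_bprm_check, tcp_connect, file_open, capable ...)
// these are presumably internal event identifiers assigned to kprobe/LSM-hook
// based events by the eBPF programs — confirm against the BPF sources.
const (
	// raw syscalls (x86_64 numbering)
	SysOpen     = 2
	SysOpenAt   = 257
	SysClose    = 3
	SysUnlink   = 87
	SysUnlinkAt = 263
	SysRmdir    = 84
	SysChown    = 92
	SysFChownAt = 260
	SysSetuid   = 105
	SysSetgid   = 106
	SysMount    = 165
	SysUmount   = 166 // umount2 on x86_64
	SysSocket   = 41
	SysConnect  = 42
	SysAccept   = 43
	SysBind     = 49
	SysListen   = 50
	SysExecve   = 59
	SysExecveAt = 322
	SysPtrace   = 101

	// process lifecycle / exec-check events (event IDs, not syscall numbers)
	DoExit            = 351
	SecurityBprmCheck = 352

	// TCP events
	TCPConnect   = 400
	TCPAccept    = 401
	TCPConnectv6 = 402
	TCPAcceptv6  = 403

	// file, socket and capability events (names match LSM hooks)
	FileOpen       = 450
	FilePermission = 451
	FileMknod      = 452
	FileUnlink     = 453
	FileMkdir      = 454
	FileRmdir      = 455
	FileSymlink    = 456
	FileLink       = 457
	FileRename     = 458
	FileChmod      = 459
	FileTruncate   = 460
	SocketCreate   = 461
	SocketConnect  = 462
	SocketAccept   = 463
	Capable        = 464

	// DropAlert is presumably the ID used for alerts that were dropped
	// (e.g. by throttling; see UpdateThrottlingConfig) — confirm with callers.
	DropAlert = 0
)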
Syscall numbers - x86_64 (architecture-specific; the values from 351 upward are internal event identifiers for kprobe/LSM-hook events rather than syscall numbers)
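// SystemMonitor constant values.
const (
	// PermissionDenied is the raw kernel return value for EACCES (-13); it is
	// presumably compared against SyscallContext.Retval to flag denied events.
	PermissionDenied = -13

	// MaxStringLen bounds string arguments pulled out of an event buffer
	// (4096 is PATH_MAX on Linux). Anything longer is presumably truncated.
	MaxStringLen = 4096

	// PinPath is the bpffs mount under which eBPF objects are pinned. Pinned
	// maps outlive the process, so they must be unpinned on shutdown or they
	// keep consuming kernel memory and remain reachable by other bpffs users.
	PinPath = "/sys/fs/bpf"

	// SyscallChannelSize is how many events the channel can hold before the
	// producer has to block or drop.
	SyscallChannelSize = 1 << 13 // 8192

	// DefaultVisibilityKey is the key of the default (global) visibility entry
	// in the BPF visibility map.
	DefaultVisibilityKey = uint32(0xc0ffee)
)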
SystemMonitor Constant Values
Variables ¶
// CapToCode maps a CAP_* name to its Linux capability number as defined by
// golang.org/x/sys/unix. A lookup of a name that is not listed yields 0,
// which is also the number of CAP_CHOWN, so callers must check the ok value.
var CapToCode = map[string]uint8{
	"CAP_AUDIT_CONTROL":    unix.CAP_AUDIT_CONTROL,
	"CAP_AUDIT_READ":       unix.CAP_AUDIT_READ,
	"CAP_AUDIT_WRITE":      unix.CAP_AUDIT_WRITE,
	"CAP_DAC_READ_SEARCH":  unix.CAP_DAC_READ_SEARCH,
	"CAP_DAC_OVERRIDE":     unix.CAP_DAC_OVERRIDE,
	"CAP_LINUX_IMMUTABLE":  unix.CAP_LINUX_IMMUTABLE,
	"CAP_NET_BROADCAST":    unix.CAP_NET_BROADCAST,
	"CAP_NET_ADMIN":        unix.CAP_NET_ADMIN,
	"CAP_NET_BIND_SERVICE": unix.CAP_NET_BIND_SERVICE,
	"CAP_NET_RAW":          unix.CAP_NET_RAW,
	"CAP_IPC_LOCK":         unix.CAP_IPC_LOCK,
	"CAP_IPC_OWNER":        unix.CAP_IPC_OWNER,
	"CAP_SYS_MODULE":       unix.CAP_SYS_MODULE,
	"CAP_SYS_RAWIO":        unix.CAP_SYS_RAWIO,
	"CAP_SYS_PTRACE":       unix.CAP_SYS_PTRACE,
	"CAP_SYS_PACCT":        unix.CAP_SYS_PACCT,
	"CAP_SYS_ADMIN":        unix.CAP_SYS_ADMIN,
	"CAP_SYS_BOOT":         unix.CAP_SYS_BOOT,
	"CAP_SYS_NICE":         unix.CAP_SYS_NICE,
	"CAP_SYS_RESOURCE":     unix.CAP_SYS_RESOURCE,
	"CAP_SYS_TIME":         unix.CAP_SYS_TIME,
	"CAP_SYS_TTY_CONFIG":   unix.CAP_SYS_TTY_CONFIG,
	"CAP_SYS_CHROOT":       unix.CAP_SYS_CHROOT,
	"CAP_SYSLOG":           unix.CAP_SYSLOG,
	"CAP_LEASE":            unix.CAP_LEASE,
	"CAP_MAC_OVERRIDE":     unix.CAP_MAC_OVERRIDE,
	"CAP_MAC_ADMIN":        unix.CAP_MAC_ADMIN,
	"CAP_WAKE_ALARM":       unix.CAP_WAKE_ALARM,
	"CAP_BLOCK_SUSPEND":    unix.CAP_BLOCK_SUSPEND,
	"CAP_CHOWN":            unix.CAP_CHOWN,
	"CAP_FOWNER":           unix.CAP_FOWNER,
	"CAP_FSETID":           unix.CAP_FSETID,
	"CAP_KILL":             unix.CAP_KILL,
	"CAP_SETGID":           unix.CAP_SETGID,
	"CAP_SETUID":           unix.CAP_SETUID,
	"CAP_SETPCAP":          unix.CAP_SETPCAP,
	"CAP_PERFMON":          unix.CAP_PERFMON,
	"CAP_MKNOD":            unix.CAP_MKNOD,
	"CAP_SETFCAP":          unix.CAP_SETFCAP,
	"CAP_BPF":              unix.CAP_BPF,
}
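// Capabilities maps a Linux capability number to its CAP_* name (the inverse
// of CapToCode). A lookup of an unlisted number yields "", so callers should
// check the ok value rather than treat "" as a real capability.
//
// CAP_PERFMON (38) and CAP_BPF (39) were missing even though CapToCode knows
// them; without these entries a Capable event for either of them — both
// high-value capabilities in an eBPF-monitored environment — would have
// carried an empty capability name.
var Capabilities = map[int32]string{
	0:  "CAP_CHOWN",
	1:  "CAP_DAC_OVERRIDE",
	2:  "CAP_DAC_READ_SEARCH",
	3:  "CAP_FOWNER",
	4:  "CAP_FSETID",
	5:  "CAP_KILL",
	6:  "CAP_SETGID",
	7:  "CAP_SETUID",
	8:  "CAP_SETPCAP",
	9:  "CAP_LINUX_IMMUTABLE",
	10: "CAP_NET_BIND_SERVICE",
	11: "CAP_NET_BROADCAST",
	12: "CAP_NET_ADMIN",
	13: "CAP_NET_RAW",
	14: "CAP_IPC_LOCK",
	15: "CAP_IPC_OWNER",
	16: "CAP_SYS_MODULE",
	17: "CAP_SYS_RAWIO",
	18: "CAP_SYS_CHROOT",
	19: "CAP_SYS_PTRACE",
	20: "CAP_SYS_PACCT",
	21: "CAP_SYS_ADMIN",
	22: "CAP_SYS_BOOT",
	23: "CAP_SYS_NICE",
	24: "CAP_SYS_RESOURCE",
	25: "CAP_SYS_TIME",
	26: "CAP_SYS_TTY_CONFIG",
	27: "CAP_MKNOD",
	28: "CAP_LEASE",
	29: "CAP_AUDIT_WRITE",
	30: "CAP_AUDIT_CONTROL",
	31: "CAP_SETFCAP",
	32: "CAP_MAC_OVERRIDE",
	33: "CAP_MAC_ADMIN",
	34: "CAP_SYSLOG",
	35: "CAP_WAKE_ALARM",
	36: "CAP_BLOCK_SUSPEND",
	37: "CAP_AUDIT_READ",
	38: "CAP_PERFMON",
	39: "CAP_BPF",
}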
Capabilities maps a Linux capability number to its CAP_* name (the inverse of CapToCode); a lookup of an unlisted number yields the empty string.
// StopChan is a package-level stop-signal channel. It is only declared here
// and is nil until something initialises it; a receive on a nil channel blocks
// forever, so it must be created before any goroutine waits on it.
var StopChan chan struct{}
StopChan is a package-level channel, declared here but not initialised, presumably used to signal the monitor goroutines to stop.
Functions ¶
Types ¶
type ContextCombined ¶
// ContextCombined bundles everything known about one event: the container it
// was attributed to, the raw per-event record, and the decoded arguments.
type ContextCombined struct {
	// ContainerID is the container the event was attributed to (presumably
	// empty for host or untracked events — confirm with LookupContainerID).
	ContainerID string
	// ContextSys is the fixed-layout record received for the event.
	ContextSys SyscallContext
	// ContextArgs holds the decoded event arguments (see GetArgs).
	ContextArgs []interface{}
}
ContextCombined bundles the container ID, the raw SyscallContext record and the decoded arguments of a single event.
type NsVisibility ¶
NsVisibility Structure
type SyscallContext ¶
// SyscallContext is the fixed-layout per-event record. Its field order and
// widths presumably mirror the struct written by the eBPF programs and are
// decoded from raw bytes using SystemMonitor.HostByteOrder, so do not reorder
// or resize fields without changing the kernel side as well — confirm.
type SyscallContext struct {
	Ts uint64 // event timestamp

	PidID uint32 // pid namespace ID
	MntID uint32 // mount namespace ID

	HostPPID uint32 // parent PID as seen on the host
	HostPID  uint32 // PID as seen on the host
	PPID     uint32 // parent PID (presumably inside the container's pid namespace)
	PID      uint32 // PID (presumably inside the container's pid namespace)
	UID      uint32

	EventID int32 // syscall number or internal event ID (see the constants)
	Argnum  int32 // number of arguments that accompany the record
	Retval  int64 // syscall return value (compare with PermissionDenied)

	Comm [16]byte // process comm, presumably NUL-padded
	Cwd  [80]byte
	TTY  [64]byte

	OID uint32
}
SyscallContext is the fixed-layout per-event record: timestamp, pid/mount namespace IDs, host and in-container PIDs, UID, event ID, argument count, return value and the comm/cwd/tty byte arrays.
type SystemMonitor ¶
// SystemMonitor is the user-space side of the eBPF monitor. It holds the node
// and container state shared with the daemon (by pointer, together with the
// locks that guard it), the loaded eBPF collection and its maps, the attached
// probe links, and the channels through which events flow to the log builders.
type SystemMonitor struct {
	// node
	Node     *tp.Node
	NodeLock **sync.RWMutex

	// logs
	Logger *fd.Feeder

	// container id -> container (shared with the caller; guard with ContainersLock)
	Containers     *map[string]tp.Container
	ContainersLock **sync.RWMutex

	// container id -> host pid
	ActiveHostPidMap *map[string]tp.PidMap
	ActivePidMapLock **sync.RWMutex

	// PidID + MntID -> container id. Namespace IDs can be reused by the kernel
	// after a container exits, so stale entries must be removed promptly
	// (DeleteContainerIDFromNsMap) or later events may be attributed to the
	// wrong container.
	NsMap     map[NsKey]string
	NsMapLock *sync.RWMutex

	// system monitor: the loaded eBPF collection and the maps it exposes
	BpfModule            *cle.Collection
	BpfConfigMap         *cle.Map
	BpfNsVisibilityMap   *cle.Map
	BpfVisibilityMapSpec cle.MapSpec
	NsVisibilityMap      map[NsKey]*cle.Map
	NamespacePidsMap     map[string]NsVisibility
	BpfMapLock           *sync.RWMutex
	// PinPath is the bpffs directory the maps are pinned under; pinned objects
	// outlive the process, so shutdown (DestroyBPFMaps) presumably has to
	// unpin them — confirm.
	PinPath string

	// Probes: attached probe links, keyed by name
	Probes map[string]link.Link

	// context + args: events handed on to the log pipeline
	ContextChan chan ContextCombined

	// system events: raw records read from the perf buffer
	SyscallChannel chan []byte
	SyscallPerfMap *perf.Reader

	// lists to skip: namespaces whose events are deliberately not tracked.
	// Every entry here is a visibility blind spot — keep the list minimal.
	UntrackedNamespaces []string

	// monitor lock
	MonitorLock **sync.RWMutex

	Status          bool
	UptimeTimeStamp float64

	// HostByteOrder is the byte order used when decoding raw event records.
	HostByteOrder binary.ByteOrder
	// contains filtered or unexported fields
}
SystemMonitor holds the node/container state shared with the daemon and its locks, the loaded eBPF collection and maps, the attached probe links, and the event channels feeding the log pipeline.
func NewSystemMonitor ¶
func NewSystemMonitor(node *tp.Node, nodeLock **sync.RWMutex, logger *fd.Feeder, containers *map[string]tp.Container, containersLock **sync.RWMutex, activeHostPidMap *map[string]tp.PidMap, activePidMapLock **sync.RWMutex, monitorLock **sync.RWMutex) *SystemMonitor
NewSystemMonitor constructs a SystemMonitor that shares the given node, container and active-PID maps, and the locks guarding them, with the caller.
func (*SystemMonitor) AddActivePid ¶
func (mon *SystemMonitor) AddActivePid(containerID string, node tp.PidNode)
AddActivePid Function
func (*SystemMonitor) AddContainerIDToNsMap ¶
func (mon *SystemMonitor) AddContainerIDToNsMap(containerID string, namespace string, pidns, mntns uint32)
AddContainerIDToNsMap Function
func (*SystemMonitor) BuildLogBase ¶
func (mon *SystemMonitor) BuildLogBase(eventID int32, msg ContextCombined, readlink bool) tp.Log
BuildLogBase Function
func (*SystemMonitor) BuildPidNode ¶
func (mon *SystemMonitor) BuildPidNode(containerID string, ctx SyscallContext, execPath string, args []string) tp.PidNode
BuildPidNode Function
func (*SystemMonitor) CleanUpExitedHostPids ¶
func (mon *SystemMonitor) CleanUpExitedHostPids()
CleanUpExitedHostPids Function
func (*SystemMonitor) DeleteActivePid ¶
func (mon *SystemMonitor) DeleteActivePid(containerID string, ctx SyscallContext)
DeleteActivePid Function
func (*SystemMonitor) DeleteContainerIDFromNsMap ¶
func (mon *SystemMonitor) DeleteContainerIDFromNsMap(containerID string, namespace string, pidns, mntns uint32)
DeleteContainerIDFromNsMap Function
func (*SystemMonitor) DestroyBPFMaps ¶
func (mon *SystemMonitor) DestroyBPFMaps()
DestroyBPFMaps Function
func (*SystemMonitor) DestroySystemMonitor ¶
func (mon *SystemMonitor) DestroySystemMonitor() error
DestroySystemMonitor Function
func (*SystemMonitor) GetCommand ¶
func (mon *SystemMonitor) GetCommand(containerID string, ctx SyscallContext, readlink bool) string
GetCommand Function
func (*SystemMonitor) GetExecPath ¶
func (mon *SystemMonitor) GetExecPath(containerID string, ctx SyscallContext, readlink bool) string
GetExecPath Function
func (*SystemMonitor) GetParentExecPath ¶
func (mon *SystemMonitor) GetParentExecPath(containerID string, ctx SyscallContext, readlink bool) string
GetParentExecPath Function
func (*SystemMonitor) LookupContainerID ¶
func (mon *SystemMonitor) LookupContainerID(pidns, mntns, ppid, pid uint32) string
LookupContainerID resolves the container ID for an event from its pid/mount namespace IDs and the parent and child host PIDs.
func (*SystemMonitor) UpdateContainerInfoByContainerID ¶
func (mon *SystemMonitor) UpdateContainerInfoByContainerID(log tp.Log) tp.Log
UpdateContainerInfoByContainerID Function
func (*SystemMonitor) UpdateExecPath ¶
func (mon *SystemMonitor) UpdateExecPath(containerID string, hostPid uint32, execPath string)
UpdateExecPath Function
func (*SystemMonitor) UpdateLogBase ¶
func (mon *SystemMonitor) UpdateLogBase(ctx SyscallContext, log tp.Log) tp.Log
UpdateLogBase Function (SYS_EXECVE, SYS_EXECVEAT)
func (*SystemMonitor) UpdateNsKeyMap ¶
func (mon *SystemMonitor) UpdateNsKeyMap(action string, nsKey NsKey, visibility tp.Visibility)
UpdateNsKeyMap Function
func (*SystemMonitor) UpdateThrottlingConfig ¶
func (mon *SystemMonitor) UpdateThrottlingConfig()
func (*SystemMonitor) UpdateVisibility ¶
func (mon *SystemMonitor) UpdateVisibility()
UpdateVisibility Function updates host visibility and global default visibility map based on the global config