bpf

package
v0.26.0 Latest Latest
Published: Oct 27, 2024 License: MIT Imports: 23 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func LoadBpf

func LoadBpf() (*ebpf.CollectionSpec, error)

LoadBpf returns the embedded CollectionSpec for Bpf.

func LoadBpfObjects

func LoadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error

LoadBpfObjects loads Bpf and converts it into a struct.

The following types are suitable as obj argument:

*BpfObjects
*BpfPrograms
*BpfMaps

See ebpf.CollectionSpec.LoadAndAssign documentation for details.

Types

type BPF

// BPF is the handle returned by NewBPF. Per the method list on this page it
// loads the eBPF objects (Load), attaches them (AttachKprobes,
// AttachTracepoints, AttachTcHooks, AttachCgroups, AttachGoTLSUprobeHooks)
// and exposes event channels (the Pull*Events methods).
//
// NOTE(review): loading and attaching eBPF programs normally requires
// elevated privileges (root or CAP_BPF-class capabilities). This page does
// not state the exact requirement — confirm before deploying.
type BPF struct {
	// contains filtered or unexported fields
}

func NewBPF

func NewBPF() (*BPF, error)

func (*BPF) AttachCgroups added in v0.6.0

func (b *BPF) AttachCgroups(cgroupPath string) error

func (*BPF) AttachGoTLSUprobeHooks added in v0.23.0

func (b *BPF) AttachGoTLSUprobeHooks(exec *link.Executable, symbol string,
	funcAddr uint64, retOffset uint64, pid int) error

func (*BPF) AttachKprobes

func (b *BPF) AttachKprobes() error

func (*BPF) AttachTcHooks

func (b *BPF) AttachTcHooks(ifindex int, egress, ingress bool) ([]func(), error)

func (*BPF) AttachTracepoints

func (b *BPF) AttachTracepoints() error

func (*BPF) Close

func (b *BPF) Close()

func (*BPF) CountReport added in v0.7.0

func (b *BPF) CountReport() types.CountReport

func (*BPF) Load

func (b *BPF) Load(opts Options) error

func (*BPF) PullExecEvents added in v0.2.0

func (b *BPF) PullExecEvents(ctx context.Context, chanSize int) (<-chan BpfExecEventT, error)

func (*BPF) PullExitEvents added in v0.15.0

func (b *BPF) PullExitEvents(ctx context.Context, chanSize int) (<-chan BpfExitEventT, error)

func (*BPF) PullGoKeyLogEvents added in v0.23.0

func (b *BPF) PullGoKeyLogEvents(ctx context.Context, chanSize int) (<-chan BpfGoKeylogEventT, error)

func (*BPF) PullMountEventEvents added in v0.25.0

func (b *BPF) PullMountEventEvents(ctx context.Context, chanSize int) (<-chan BpfMountEventT, error)

func (*BPF) PullNetDeviceChangeEvents added in v0.25.0

func (b *BPF) PullNetDeviceChangeEvents(ctx context.Context, chanSize int) (<-chan BpfNetdeviceChangeEventT, error)

func (*BPF) PullNewNetDeviceEvents added in v0.25.0

func (b *BPF) PullNewNetDeviceEvents(ctx context.Context, chanSize int) (<-chan BpfNewNetdeviceEventT, error)

func (*BPF) PullPacketEvents added in v0.2.0

func (b *BPF) PullPacketEvents(ctx context.Context, chanSize int, maxPacketSize int) (<-chan BpfPacketEventWithPayloadT, error)

func (*BPF) UpdateFlowPidMapValues added in v0.5.2

func (b *BPF) UpdateFlowPidMapValues(data map[*BpfFlowPidKeyT]BpfProcessMetaT) error

type BpfEnterMountBufT added in v0.25.0

// BpfEnterMountBufT holds three 64-bit values named after the mount
// arguments.
//
// NOTE(review): presumably these are user-space pointers saved on
// sys_enter_mount and resolved on sys_exit_mount (compare the
// enter_mount_bufs map and the two mount tracepoint programs) — confirm
// against the BPF C source.
type BpfEnterMountBufT struct {
	// Fs: filesystem-type argument (assumed to be a pointer, not the string).
	Fs   uint64
	// Src: mount source argument (assumed pointer).
	Src  uint64
	// Dest: mount target argument (assumed pointer).
	Dest uint64
}

type BpfExecEventT

// BpfExecEventT is the element type of the channel returned by
// BPF.PullExecEvents. The string fields are fixed-size C char arrays, so
// long values cannot fit; the *Truncated fields exist to report that.
//
// NOTE(review): Args carries another process's command line, which can
// include credentials passed as arguments. Treat stored or logged events as
// sensitive data.
type BpfExecEventT struct {
	// Meta identifies the process (PIDs, namespace IDs, cgroup name).
	Meta              BpfProcessMetaT
	// Presumably non-zero when Filename did not fit in 512 bytes — confirm.
	FilenameTruncated uint8
	// Presumably non-zero when Args did not fit in 4096 bytes — confirm.
	ArgsTruncated     uint8

	// Presumably the number of valid bytes in Args; consumers should bound
	// their reads by it rather than scanning the whole array — confirm.
	ArgsSize uint32
	// The array types do not guarantee NUL termination; decode defensively.
	Filename [512]int8
	Args     [4096]int8
	// contains filtered or unexported fields
}

type BpfExitEventT added in v0.15.0

// BpfExitEventT is the element type of the channel returned by
// BPF.PullExitEvents; it carries only the PID of the process.
type BpfExitEventT struct{ Pid uint32 }

type BpfFlowPidKeyT

// BpfFlowPidKeyT is the key type accepted by BPF.UpdateFlowPidMapValues,
// whose values are BpfProcessMetaT: a source address and port that map to a
// process.
type BpfFlowPidKeyT struct {
	// 128 bits of address storage.
	// NOTE(review): presumably an IPv6 address, or an IPv4 address in an
	// embedded form — confirm the encoding against the BPF C source.
	Saddr [2]uint64
	// Source port. NOTE(review): byte order is not visible here — confirm.
	Sport uint16
	// contains filtered or unexported fields
}

type BpfGconfigT added in v0.16.0

// BpfGconfigT is a configuration record shared with the eBPF side.
//
// NOTE(review): presumably the value type of config_map, populated from
// Options (WithComm, WithFollowFork, WithMaxPayloadSize) — confirm.
type BpfGconfigT struct {
	// Flag fields are uint8; presumably 0 = off, non-zero = on — confirm.
	HaveFilter        uint8
	FilterFollowForks uint8
	// 16 bytes matches the Linux task comm length (TASK_COMM_LEN), so a
	// longer process name cannot be matched exactly — verify how WithComm
	// handles longer input.
	FilterComm        [16]int8
	FilterCommEnable  uint8

	// Upper bound on captured payload bytes (see Options.WithMaxPayloadSize).
	MaxPayloadSize uint32
	// contains filtered or unexported fields
}

type BpfGoKeylogBufT added in v0.23.0

// BpfGoKeylogBufT holds six 64-bit values, a pointer and a length pointer
// for each of label, random and secret.
//
// NOTE(review): presumably addresses in the traced Go process saved at
// uprobe entry (go_keylog_buf_storage) and dereferenced at the return probe
// to build a BpfGoKeylogEventT — confirm against the BPF C source.
type BpfGoKeylogBufT struct {
	LabelPtr     uint64
	LabelLenPtr  uint64
	RandomPtr    uint64
	RandomLenPtr uint64
	SecretPtr    uint64
	SecretLenPtr uint64
}

type BpfGoKeylogEventT added in v0.23.0

// BpfGoKeylogEventT is the element type of the channel returned by
// BPF.PullGoKeyLogEvents.
//
// NOTE(review): the field names match the three columns of an NSS-style TLS
// key log line (label, client random, secret), and the related programs are
// named uprobe__go_builtin__tls__write_key_log[__ret]. If that reading is
// right, each event is live TLS key material: anyone who can read it can
// decrypt the matching captured session. Keep it out of general logs and
// restrict permissions on any file it is written to.
type BpfGoKeylogEventT struct {
	// Fixed-size buffers; only the first *Len bytes are presumably valid.
	Label           [32]int8
	ClientRandom    [32]int8
	Secret          [64]int8
	// Lengths are uint8 and are not guaranteed by the type to be within the
	// buffer sizes above — clamp before slicing.
	LabelLen        uint8
	ClientRandomLen uint8
	SecretLen       uint8
}

type BpfMapSpecs

// BpfMapSpecs holds one *ebpf.MapSpec per eBPF map, i.e. the maps before
// they are loaded into the kernel. Its fields and `ebpf:"..."` tags match
// BpfMaps one-for-one; the tag is the map's name in the compiled object.
type BpfMapSpecs struct {
	ConfigMap             *ebpf.MapSpec `ebpf:"config_map"`
	EnterMountBufs        *ebpf.MapSpec `ebpf:"enter_mount_bufs"`
	ExecEventStack        *ebpf.MapSpec `ebpf:"exec_event_stack"`
	ExecEvents            *ebpf.MapSpec `ebpf:"exec_events"`
	ExitEvents            *ebpf.MapSpec `ebpf:"exit_events"`
	FilterByKernelCount   *ebpf.MapSpec `ebpf:"filter_by_kernel_count"`
	FilterMntnsMap        *ebpf.MapSpec `ebpf:"filter_mntns_map"`
	FilterNetnsMap        *ebpf.MapSpec `ebpf:"filter_netns_map"`
	FilterPidMap          *ebpf.MapSpec `ebpf:"filter_pid_map"`
	FilterPidnsMap        *ebpf.MapSpec `ebpf:"filter_pidns_map"`
	FlowPidMap            *ebpf.MapSpec `ebpf:"flow_pid_map"`
	GoKeylogBufStorage    *ebpf.MapSpec `ebpf:"go_keylog_buf_storage"`
	GoKeylogEvents        *ebpf.MapSpec `ebpf:"go_keylog_events"`
	MountEventStack       *ebpf.MapSpec `ebpf:"mount_event_stack"`
	MountEvents           *ebpf.MapSpec `ebpf:"mount_events"`
	NatFlowMap            *ebpf.MapSpec `ebpf:"nat_flow_map"`
	NetdeviceBufs         *ebpf.MapSpec `ebpf:"netdevice_bufs"`
	NetdeviceChangeEvents *ebpf.MapSpec `ebpf:"netdevice_change_events"`
	NewNetdeviceEvents    *ebpf.MapSpec `ebpf:"new_netdevice_events"`
	PacketEventStack      *ebpf.MapSpec `ebpf:"packet_event_stack"`
	PacketEvents          *ebpf.MapSpec `ebpf:"packet_events"`
	SockCookiePidMap      *ebpf.MapSpec `ebpf:"sock_cookie_pid_map"`
	TidNetdeviceMap       *ebpf.MapSpec `ebpf:"tid_netdevice_map"`
}

BpfMapSpecs contains maps before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type BpfMaps

// BpfMaps holds one *ebpf.Map per eBPF map after loading into the kernel.
// The `ebpf:"..."` tag is the map's name in the compiled object. Each field
// is a live kernel object; call Close when done.
//
// NOTE(review): by name, the *_events maps feed the Pull*Events channels and
// the filter_* maps hold the PID and namespace filters set through Options —
// confirm. go_keylog_events would then carry TLS key material (see
// BpfGoKeylogEventT), so restrict who can obtain this map.
type BpfMaps struct {
	ConfigMap             *ebpf.Map `ebpf:"config_map"`
	EnterMountBufs        *ebpf.Map `ebpf:"enter_mount_bufs"`
	ExecEventStack        *ebpf.Map `ebpf:"exec_event_stack"`
	ExecEvents            *ebpf.Map `ebpf:"exec_events"`
	ExitEvents            *ebpf.Map `ebpf:"exit_events"`
	FilterByKernelCount   *ebpf.Map `ebpf:"filter_by_kernel_count"`
	FilterMntnsMap        *ebpf.Map `ebpf:"filter_mntns_map"`
	FilterNetnsMap        *ebpf.Map `ebpf:"filter_netns_map"`
	FilterPidMap          *ebpf.Map `ebpf:"filter_pid_map"`
	FilterPidnsMap        *ebpf.Map `ebpf:"filter_pidns_map"`
	FlowPidMap            *ebpf.Map `ebpf:"flow_pid_map"`
	GoKeylogBufStorage    *ebpf.Map `ebpf:"go_keylog_buf_storage"`
	GoKeylogEvents        *ebpf.Map `ebpf:"go_keylog_events"`
	MountEventStack       *ebpf.Map `ebpf:"mount_event_stack"`
	MountEvents           *ebpf.Map `ebpf:"mount_events"`
	NatFlowMap            *ebpf.Map `ebpf:"nat_flow_map"`
	NetdeviceBufs         *ebpf.Map `ebpf:"netdevice_bufs"`
	NetdeviceChangeEvents *ebpf.Map `ebpf:"netdevice_change_events"`
	NewNetdeviceEvents    *ebpf.Map `ebpf:"new_netdevice_events"`
	PacketEventStack      *ebpf.Map `ebpf:"packet_event_stack"`
	PacketEvents          *ebpf.Map `ebpf:"packet_events"`
	SockCookiePidMap      *ebpf.Map `ebpf:"sock_cookie_pid_map"`
	TidNetdeviceMap       *ebpf.Map `ebpf:"tid_netdevice_map"`
}

BpfMaps contains all maps after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfMaps) Close

func (m *BpfMaps) Close() error

type BpfMountEventT added in v0.25.0

// BpfMountEventT is the element type of the channel returned by
// BPF.PullMountEventEvents. All three fields are fixed-size C char arrays;
// the types do not guarantee NUL termination, so decode defensively.
type BpfMountEventT struct {
	// Filesystem type; only 8 bytes, so longer type names cannot fit in full.
	Fs   [8]int8
	// Mount source. 4096 presumably mirrors PATH_MAX — confirm.
	Src  [4096]int8
	// Mount target.
	Dest [4096]int8
}

type BpfNatFlowT added in v0.9.0

// BpfNatFlowT describes a flow by source and destination address and port.
//
// NOTE(review): presumably the key and/or value type of nat_flow_map, used
// to relate pre- and post-NAT tuples (compare the kprobe__nf_nat_* programs)
// — confirm.
type BpfNatFlowT struct {
	// 128 bits each; presumably IPv6 or an embedded IPv4 address — confirm.
	Saddr [2]uint64
	Daddr [2]uint64
	// Byte order of the ports is not visible here — confirm.
	Sport uint16
	Dport uint16
	// contains filtered or unexported fields
}

type BpfNetdeviceBufT added in v0.25.0

// BpfNetdeviceBufT holds two 64-bit values.
//
// NOTE(review): presumably kernel pointers to a net device and a network
// namespace saved between a kprobe and its kretprobe (compare the
// netdevice_bufs map) — confirm against the BPF C source.
type BpfNetdeviceBufT struct {
	Dev uint64
	Net uint64
}

type BpfNetdeviceChangeEventT added in v0.25.0

// BpfNetdeviceChangeEventT is the element type of the channel returned by
// BPF.PullNetDeviceChangeEvents: the before and after description of one
// network device.
//
// NOTE(review): by the program names (kprobe__dev_change_net_namespace) this
// presumably reports a device moving between network namespaces — confirm.
type BpfNetdeviceChangeEventT struct {
	OldDevice BpfNetdeviceT
	NewDevice BpfNetdeviceT
}

type BpfNetdeviceT added in v0.25.0

// BpfNetdeviceT identifies a network device by network-namespace ID,
// interface index and name.
type BpfNetdeviceT struct {
	NetnsId uint32
	Ifindex uint32
	// 16 bytes matches the Linux interface name limit (IFNAMSIZ); the type
	// does not guarantee NUL termination, so decode defensively.
	Name    [16]int8
}

type BpfNewNetdeviceEventT added in v0.25.0

// BpfNewNetdeviceEventT is the element type of the channel returned by
// BPF.PullNewNetDeviceEvents; it wraps the described device.
type BpfNewNetdeviceEventT struct{ Dev BpfNetdeviceT }

type BpfObjects

// BpfObjects embeds BpfPrograms and BpfMaps: every program and map after
// loading into the kernel. Call Close to release them.
type BpfObjects struct {
	BpfPrograms
	BpfMaps
}

BpfObjects contains all objects after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfObjects) Close

func (o *BpfObjects) Close() error

func (*BpfObjects) FromLegacy added in v0.17.0

func (b *BpfObjects) FromLegacy(o *BpfObjectsForLegacyKernel)

type BpfObjectsForLegacyKernel added in v0.17.0

// BpfObjectsForLegacyKernel lists the same programs as BpfPrograms except
// the two cgroup programs (cgroup__sock_create, cgroup__sock_release), and
// embeds BpfMaps. BpfObjects.FromLegacy accepts a pointer to it.
//
// NOTE(review): presumably used as the LoadAndAssign target on kernels that
// cannot load the cgroup socket programs. If so, any process attribution
// those programs provide is absent on such kernels — confirm how PID
// filtering behaves on that fallback path.
type BpfObjectsForLegacyKernel struct {
	KprobeDevChangeNetNamespace          *ebpf.Program `ebpf:"kprobe__dev_change_net_namespace"`
	KprobeDevChangeNetNamespaceLegacy    *ebpf.Program `ebpf:"kprobe__dev_change_net_namespace_legacy"`
	KprobeNfNatManipPkt                  *ebpf.Program `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket                    *ebpf.Program `ebpf:"kprobe__nf_nat_packet"`
	KprobeRegisterNetdevice              *ebpf.Program `ebpf:"kprobe__register_netdevice"`
	KprobeSecuritySkClassifyFlow         *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg                     *ebpf.Program `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb                     *ebpf.Program `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg                     *ebpf.Program `ebpf:"kprobe__udp_sendmsg"`
	KretprobeDevChangeNetNamespace       *ebpf.Program `ebpf:"kretprobe__dev_change_net_namespace"`
	KretprobeDevChangeNetNamespaceLegacy *ebpf.Program `ebpf:"kretprobe__dev_change_net_namespace_legacy"`
	KretprobeDevGetByIndex               *ebpf.Program `ebpf:"kretprobe__dev_get_by_index"`
	KretprobeDevGetByIndexLegacy         *ebpf.Program `ebpf:"kretprobe__dev_get_by_index_legacy"`
	KretprobeRegisterNetdevice           *ebpf.Program `ebpf:"kretprobe__register_netdevice"`
	RawTracepointSchedProcessExec        *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit        *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork        *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                             *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                            *ebpf.Program `ebpf:"tc_ingress"`
	TracepointSyscallsSysEnterMount      *ebpf.Program `ebpf:"tracepoint__syscalls__sys_enter_mount"`
	TracepointSyscallsSysExitMount       *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_mount"`
	UprobeGoBuiltinTlsWriteKeyLog        *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log"`
	UprobeGoBuiltinTlsWriteKeyLogRet     *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log__ret"`

	BpfMaps
}

type BpfPacketEventMetaT added in v0.10.0

// BpfPacketEventMetaT is the per-packet metadata carried by BpfPacketEventT.
type BpfPacketEventMetaT struct {
	// NOTE(review): clock source and unit are not visible here — confirm
	// before correlating with wall-clock logs.
	Timestamp  uint64
	// NOTE(review): presumably distinguishes ingress from egress (compare
	// tc_ingress and tc_egress) — confirm the encoding.
	PacketType uint8

	// Interface index the packet was seen on.
	Ifindex    uint32
	// NOTE(review): presumably PayloadLen is the number of bytes captured
	// and PacketSize the original packet length, so PayloadLen < PacketSize
	// would mean a truncated capture — confirm.
	PayloadLen uint64
	PacketSize uint64
	// Process the packet is attributed to.
	Process    BpfProcessMetaT
	// contains filtered or unexported fields
}

type BpfPacketEventT

// BpfPacketEventT wraps the packet metadata; BpfPacketEventWithPayloadT
// embeds it and adds the payload bytes.
type BpfPacketEventT struct{ Meta BpfPacketEventMetaT }

type BpfPacketEventWithPayloadT added in v0.15.0

// BpfPacketEventWithPayloadT is the element type of the channel returned by
// BPF.PullPacketEvents: the packet metadata plus the captured bytes.
//
// NOTE(review): Payload is raw captured traffic and may contain cleartext
// application data; handle and store it with the same care as a pcap file.
type BpfPacketEventWithPayloadT struct {
	BpfPacketEventT
	// Captured bytes. Do not assume len(Payload) equals Meta.PacketSize;
	// capture size is limited (see Options.WithMaxPayloadSize and the
	// maxPacketSize argument of PullPacketEvents).
	Payload []byte
}

type BpfProcessMetaT added in v0.10.0

// BpfProcessMetaT describes a process: parent PID, PID, the IDs of its PID,
// mount and network namespaces, and a cgroup name. It appears in exec and
// packet events and is the value type taken by BPF.UpdateFlowPidMapValues.
type BpfProcessMetaT struct {
	Ppid       uint32
	// NOTE(review): whether Pid is relative to the host or to the process's
	// own PID namespace is not visible here — confirm before matching
	// against host process tables.
	Pid        uint32
	PidnsId    uint32
	MntnsId    uint32
	NetnsId    uint32
	// Fixed 128-byte C char array; longer names cannot fit in full and NUL
	// termination is not guaranteed by the type.
	CgroupName [128]int8
}

type BpfProgramSpecs

// BpfProgramSpecs holds one *ebpf.ProgramSpec per eBPF program, i.e. the
// programs before they are loaded into the kernel. Its fields and
// `ebpf:"..."` tags match BpfPrograms one-for-one; the tag is the program's
// name in the compiled object.
type BpfProgramSpecs struct {
	CgroupSockCreate                     *ebpf.ProgramSpec `ebpf:"cgroup__sock_create"`
	CgroupSockRelease                    *ebpf.ProgramSpec `ebpf:"cgroup__sock_release"`
	KprobeDevChangeNetNamespace          *ebpf.ProgramSpec `ebpf:"kprobe__dev_change_net_namespace"`
	KprobeDevChangeNetNamespaceLegacy    *ebpf.ProgramSpec `ebpf:"kprobe__dev_change_net_namespace_legacy"`
	KprobeNfNatManipPkt                  *ebpf.ProgramSpec `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket                    *ebpf.ProgramSpec `ebpf:"kprobe__nf_nat_packet"`
	KprobeRegisterNetdevice              *ebpf.ProgramSpec `ebpf:"kprobe__register_netdevice"`
	KprobeSecuritySkClassifyFlow         *ebpf.ProgramSpec `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg                     *ebpf.ProgramSpec `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb                     *ebpf.ProgramSpec `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg                     *ebpf.ProgramSpec `ebpf:"kprobe__udp_sendmsg"`
	KretprobeDevChangeNetNamespace       *ebpf.ProgramSpec `ebpf:"kretprobe__dev_change_net_namespace"`
	KretprobeDevChangeNetNamespaceLegacy *ebpf.ProgramSpec `ebpf:"kretprobe__dev_change_net_namespace_legacy"`
	KretprobeDevGetByIndex               *ebpf.ProgramSpec `ebpf:"kretprobe__dev_get_by_index"`
	KretprobeDevGetByIndexLegacy         *ebpf.ProgramSpec `ebpf:"kretprobe__dev_get_by_index_legacy"`
	KretprobeRegisterNetdevice           *ebpf.ProgramSpec `ebpf:"kretprobe__register_netdevice"`
	RawTracepointSchedProcessExec        *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit        *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork        *ebpf.ProgramSpec `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                             *ebpf.ProgramSpec `ebpf:"tc_egress"`
	TcIngress                            *ebpf.ProgramSpec `ebpf:"tc_ingress"`
	TracepointSyscallsSysEnterMount      *ebpf.ProgramSpec `ebpf:"tracepoint__syscalls__sys_enter_mount"`
	TracepointSyscallsSysExitMount       *ebpf.ProgramSpec `ebpf:"tracepoint__syscalls__sys_exit_mount"`
	UprobeGoBuiltinTlsWriteKeyLog        *ebpf.ProgramSpec `ebpf:"uprobe__go_builtin__tls__write_key_log"`
	UprobeGoBuiltinTlsWriteKeyLogRet     *ebpf.ProgramSpec `ebpf:"uprobe__go_builtin__tls__write_key_log__ret"`
}

BpfProgramSpecs contains programs before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type BpfPrograms

// BpfPrograms holds one *ebpf.Program per eBPF program after loading into
// the kernel. The `ebpf:"..."` tag is the program's name in the compiled
// object; by naming convention its prefix gives the hook type (cgroup,
// kprobe, kretprobe, raw_tracepoint, tc, tracepoint, uprobe). Call Close to
// release the programs.
//
// NOTE(review): read together, these hooks observe process exec/fork/exit,
// socket creation, TCP/UDP sends, NAT, network device changes, mount
// syscalls, tc ingress/egress traffic and the Go TLS key log writer. That
// is broad host-wide visibility, so the process holding these objects
// should be treated as highly privileged.
type BpfPrograms struct {
	CgroupSockCreate                     *ebpf.Program `ebpf:"cgroup__sock_create"`
	CgroupSockRelease                    *ebpf.Program `ebpf:"cgroup__sock_release"`
	KprobeDevChangeNetNamespace          *ebpf.Program `ebpf:"kprobe__dev_change_net_namespace"`
	KprobeDevChangeNetNamespaceLegacy    *ebpf.Program `ebpf:"kprobe__dev_change_net_namespace_legacy"`
	KprobeNfNatManipPkt                  *ebpf.Program `ebpf:"kprobe__nf_nat_manip_pkt"`
	KprobeNfNatPacket                    *ebpf.Program `ebpf:"kprobe__nf_nat_packet"`
	KprobeRegisterNetdevice              *ebpf.Program `ebpf:"kprobe__register_netdevice"`
	KprobeSecuritySkClassifyFlow         *ebpf.Program `ebpf:"kprobe__security_sk_classify_flow"`
	KprobeTcpSendmsg                     *ebpf.Program `ebpf:"kprobe__tcp_sendmsg"`
	KprobeUdpSendSkb                     *ebpf.Program `ebpf:"kprobe__udp_send_skb"`
	KprobeUdpSendmsg                     *ebpf.Program `ebpf:"kprobe__udp_sendmsg"`
	KretprobeDevChangeNetNamespace       *ebpf.Program `ebpf:"kretprobe__dev_change_net_namespace"`
	KretprobeDevChangeNetNamespaceLegacy *ebpf.Program `ebpf:"kretprobe__dev_change_net_namespace_legacy"`
	KretprobeDevGetByIndex               *ebpf.Program `ebpf:"kretprobe__dev_get_by_index"`
	KretprobeDevGetByIndexLegacy         *ebpf.Program `ebpf:"kretprobe__dev_get_by_index_legacy"`
	KretprobeRegisterNetdevice           *ebpf.Program `ebpf:"kretprobe__register_netdevice"`
	RawTracepointSchedProcessExec        *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exec"`
	RawTracepointSchedProcessExit        *ebpf.Program `ebpf:"raw_tracepoint__sched_process_exit"`
	RawTracepointSchedProcessFork        *ebpf.Program `ebpf:"raw_tracepoint__sched_process_fork"`
	TcEgress                             *ebpf.Program `ebpf:"tc_egress"`
	TcIngress                            *ebpf.Program `ebpf:"tc_ingress"`
	TracepointSyscallsSysEnterMount      *ebpf.Program `ebpf:"tracepoint__syscalls__sys_enter_mount"`
	TracepointSyscallsSysExitMount       *ebpf.Program `ebpf:"tracepoint__syscalls__sys_exit_mount"`
	UprobeGoBuiltinTlsWriteKeyLog        *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log"`
	UprobeGoBuiltinTlsWriteKeyLogRet     *ebpf.Program `ebpf:"uprobe__go_builtin__tls__write_key_log__ret"`
}

BpfPrograms contains all programs after they have been loaded into the kernel.

It can be passed to LoadBpfObjects or ebpf.CollectionSpec.LoadAndAssign.

func (*BpfPrograms) Close

func (p *BpfPrograms) Close() error

type BpfSpecs

// BpfSpecs embeds BpfProgramSpecs and BpfMapSpecs: every program and map
// specification before loading into the kernel.
type BpfSpecs struct {
	BpfProgramSpecs
	BpfMapSpecs
}

BpfSpecs contains maps and programs before they are loaded into the kernel.

It can be passed to ebpf.CollectionSpec.Assign.

type Options

// Options is the configuration passed to BPF.Load. Its fields are
// unexported; it is populated through the chainable With* methods, each of
// which returns *Options. Per the method list these cover PID, comm and
// namespace filters, a pcap filter expression, fork following, the maximum
// payload size, kernel BTF types and the mount and net-device hooks.
//
// NOTE(review): what is captured when no filter is set is not stated on
// this page — confirm whether the default is host-wide capture before
// running it on a shared system.
type Options struct {
	// contains filtered or unexported fields
}

func (*Options) WithComm added in v0.19.0

func (opts *Options) WithComm(comm string) *Options

func (*Options) WithFollowFork added in v0.19.0

func (opts *Options) WithFollowFork(v bool) *Options

func (*Options) WithHookMount added in v0.25.0

func (opts *Options) WithHookMount(v bool) *Options

func (*Options) WithHookNetDev added in v0.25.0

func (opts *Options) WithHookNetDev(v bool) *Options

func (*Options) WithKernelTypes added in v0.19.0

func (opts *Options) WithKernelTypes(spec *btf.Spec) *Options

func (*Options) WithMaxPayloadSize added in v0.19.0

func (opts *Options) WithMaxPayloadSize(n uint32) *Options

func (*Options) WithMntNsIds added in v0.19.0

func (opts *Options) WithMntNsIds(ids []uint32) *Options

func (*Options) WithNetNsIds added in v0.19.0

func (opts *Options) WithNetNsIds(ids []uint32) *Options

func (*Options) WithPcapFilter added in v0.19.0

func (opts *Options) WithPcapFilter(pcapFilter string) *Options

func (*Options) WithPidNsIds added in v0.19.0

func (opts *Options) WithPidNsIds(ids []uint32) *Options

func (*Options) WithPids added in v0.19.0

func (opts *Options) WithPids(pids []uint) *Options
