Documentation ¶
Types ¶
type Event ¶
type Event struct {
	Filename string `json:"filename"`
	// Argv contains the raw argv supplied to the process, including argv[0]
	// (which is equal to `filepath.Base(e.Filename)` in most circumstances).
	Argv []string `json:"argv"`
	// Truncated is true if we were unable to read all process arguments into
	// Argv because there were more than ARGLEN arguments.
	Truncated bool `json:"truncated"`
	// These values are of the new process. Keep in mind that the exec call may
	// fail and the PID will be released in such a case.
	PID uint32 `json:"pid"`
	UID uint32 `json:"uid"`
	GID uint32 `json:"gid"`
	// Comm is the "name" of the parent process, usually the filename of the
	// executable (but not always).
	Comm string `json:"comm"`
}
Event contains data about each exec event with many fields for easy filtering and logging.
type Tracer ¶
type Tracer struct {
// contains filtered or unexported fields
}
Tracer is the exec tracer itself. It must be closed after use.
func New ¶
New loads all of the BPF objects into the running kernel, starts tracing, and returns the created Tracer. After calling this successfully, the caller should immediately start a loop calling the returned Tracer's `Read` method (`h.Read()`, where `h` is that Tracer) so that events are consumed as the kernel produces them.
The returned Tracer MUST be closed when it is no longer needed; otherwise kernel resources may be leaked.
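The following is an added example of the consumer side described above; it is not code from this package. It copies the documented Event struct so it can run without loading BPF programs, and it assumes a minimal `execSource` interface (`Read() (*Event, error)` returning `io.EOF` when drained, plus `Close() error`) in place of the real Tracer, whose method signatures are not shown on this page. The sample events are constructed, not captured from a kernel. The checks it applies follow directly from the field comments: argv[0] normally equals `filepath.Base(Filename)` but is chosen by the caller of exec, so a mismatch (or an empty argv) is worth surfacing, and a `Truncated` event cannot be trusted by a filter that only looks at `Argv`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"path/filepath"
)

// Event mirrors the exported Event struct documented above. It is copied here
// so the example runs stand-alone; the real type lives in the traced package.
type Event struct {
	Filename  string   `json:"filename"`
	Argv      []string `json:"argv"`
	Truncated bool     `json:"truncated"`
	PID       uint32   `json:"pid"`
	UID       uint32   `json:"uid"`
	GID       uint32   `json:"gid"`
	Comm      string   `json:"comm"`
}

// execSource is an ASSUMED interface standing in for the Tracer: Read yields
// the next exec event (io.EOF once drained) and Close releases kernel
// resources. The real Tracer's signatures are not shown on this page.
type execSource interface {
	Read() (*Event, error)
	Close() error
}

// Finding is one detection result tied to the event that produced it.
type Finding struct {
	Reason string `json:"reason"`
	Event  *Event `json:"event"`
}

// inspect applies the checks the Event field comments suggest. It reports an
// empty argv, an argv[0] that does not match the executed filename, and an
// argv that was truncated past ARGLEN (so any filter on Argv may have missed
// an argument). A clean event yields no findings.
func inspect(e *Event) []Finding {
	var out []Finding
	switch {
	case len(e.Argv) == 0:
		out = append(out, Finding{Reason: "empty argv", Event: e})
	case e.Argv[0] != filepath.Base(e.Filename):
		out = append(out, Finding{Reason: "argv[0] does not match filename", Event: e})
	}
	if e.Truncated {
		out = append(out, Finding{Reason: "argv truncated past ARGLEN", Event: e})
	}
	return out
}

// consume is the loop a caller starts right after New succeeds: read until the
// source is exhausted, inspect each event, and always Close the source so
// kernel resources are released even on error.
func consume(src execSource) (findings []Finding, err error) {
	defer func() {
		if cerr := src.Close(); err == nil {
			err = cerr
		}
	}()
	for {
		ev, rerr := src.Read()
		if errors.Is(rerr, io.EOF) {
			return findings, nil
		}
		if rerr != nil {
			return findings, rerr
		}
		findings = append(findings, inspect(ev)...)
	}
}

// fakeSource replays constructed events in place of a live Tracer.
type fakeSource struct {
	events []*Event
	closed bool
}

func (f *fakeSource) Read() (*Event, error) {
	if len(f.events) == 0 {
		return nil, io.EOF
	}
	ev := f.events[0]
	f.events = f.events[1:]
	return ev, nil
}

func (f *fakeSource) Close() error { f.closed = true; return nil }

// sampleEvents returns CONSTRUCTED sample exec events: a normal exec, an exec
// with a spoofed argv[0], an exec whose argv was truncated, and an empty argv.
func sampleEvents() []*Event {
	return []*Event{
		{Filename: "/usr/bin/ls", Argv: []string{"ls", "-la"}, PID: 4242, UID: 1000, GID: 1000, Comm: "bash"},
		{Filename: "/usr/bin/curl", Argv: []string{"[kworker/0:1]", "-s", "-o", "/tmp/x"}, PID: 4243, UID: 1000, GID: 1000, Comm: "sh"},
		{Filename: "/usr/bin/python3", Argv: []string{"python3", "-c"}, Truncated: true, PID: 4244, UID: 33, GID: 33, Comm: "apache2"},
		{Filename: "/usr/local/bin/tool", Argv: nil, PID: 4245, UID: 0, GID: 0, Comm: "cron"},
	}
}

func main() {
	findings, err := consume(&fakeSource{events: sampleEvents()})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		b, _ := json.Marshal(f) // uses the json tags documented on Event
		fmt.Println(string(b))
	}
}
```

Against the sample input the loop emits three JSON findings (spoofed argv[0], truncated argv, empty argv) and none for the ordinary `ls`; the `defer` guarantees Close runs on every exit path, which is the property the documentation asks for.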