fsmon

package
v1.0.2 Latest Latest
Published: Mar 3, 2023 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

The fanotify package provides a simple fanotify API.

Index

Constants

// Flags accepted as the first parameter to Initialize.  The values mirror the
// fanotify_init() flag set; NOTE(review): verify them against the
// linux/fanotify.h header of the kernels this runs on.
const (
	/* flags used for fanotify_init() */
	FAN_CLOEXEC  = 0x00000001
	FAN_NONBLOCK = 0x00000002

	/* These are NOT bitwise flags.  Both bits are used together.  */
	// Exactly one class value is chosen; FAN_ALL_CLASS_BITS below is only a
	// mask covering the class field, not a valid class on its own.
	FAN_CLASS_NOTIF       = 0x00000000
	FAN_CLASS_CONTENT     = 0x00000004
	FAN_CLASS_PRE_CONTENT = 0x00000008

	FAN_ALL_CLASS_BITS = FAN_CLASS_NOTIF |
		FAN_CLASS_CONTENT |
		FAN_CLASS_PRE_CONTENT

	FAN_UNLIMITED_QUEUE = 0x00000010
	FAN_UNLIMITED_MARKS = 0x00000020

	// Union of every flag above; useful for validating a caller-supplied
	// faflags value before it reaches Initialize.
	FAN_ALL_INIT_FLAGS = FAN_CLOEXEC |
		FAN_NONBLOCK |
		FAN_ALL_CLASS_BITS |
		FAN_UNLIMITED_QUEUE |
		FAN_UNLIMITED_MARKS
)

Flags used as the first parameter to Initialize

// Flags used for the Mark method (the flags argument of NotifyFD.Mark).  The
// values mirror the fanotify_mark() flag set; NOTE(review): verify them
// against the linux/fanotify.h header of the kernels this runs on.
const (
	/* flags used for fanotify_modify_mark() */
	FAN_MARK_ADD                 = 0x00000001
	FAN_MARK_REMOVE              = 0x00000002
	FAN_MARK_DONT_FOLLOW         = 0x00000004
	FAN_MARK_ONLYDIR             = 0x00000008
	FAN_MARK_MOUNT               = 0x00000010
	FAN_MARK_IGNORED_MASK        = 0x00000020
	FAN_MARK_IGNORED_SURV_MODIFY = 0x00000040
	FAN_MARK_FLUSH               = 0x00000080

	// Union of every mark flag above; useful for validating a caller-supplied
	// flags value before it reaches NotifyFD.Mark.
	FAN_ALL_MARK_FLAGS = FAN_MARK_ADD |
		FAN_MARK_REMOVE |
		FAN_MARK_DONT_FOLLOW |
		FAN_MARK_ONLYDIR |
		FAN_MARK_MOUNT |
		FAN_MARK_IGNORED_MASK |
		FAN_MARK_IGNORED_SURV_MODIFY |
		FAN_MARK_FLUSH
)

Flags used for the Mark Method

// Event types: the bits reported in EventMetadata.Mask and accepted in the
// mask argument of NotifyFD.Mark.  NOTE(review): the values mirror
// linux/fanotify.h; verify against the kernel header in use.
const (
	FAN_ACCESS        = 0x00000001 /* File was accessed */
	FAN_MODIFY        = 0x00000002 /* File was modified */
	FAN_CLOSE_WRITE   = 0x00000008 /* Writable file closed */
	FAN_CLOSE_NOWRITE = 0x00000010 /* Unwritable file closed */
	FAN_OPEN          = 0x00000020 /* File was opened */

	FAN_Q_OVERFLOW = 0x00004000 /* Event queue overflowed */

	FAN_OPEN_PERM   = 0x00010000 /* File open in perm check */
	FAN_ACCESS_PERM = 0x00020000 /* File accessed in perm check */

	FAN_ONDIR = 0x40000000 /* event occurred against dir */

	FAN_EVENT_ON_CHILD = 0x08000000 /* interested in child events */

	/* helper events */
	FAN_CLOSE = FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE /* close */

	/*
	 * All of the events - we build the list by hand so that we can add flags in
	 * the future and not break backward compatibility.  Apps will get only the
	 * events that they originally wanted.  Be sure to add new events here!
	 */
	FAN_ALL_EVENTS = FAN_ACCESS |
		FAN_MODIFY |
		FAN_CLOSE |
		FAN_OPEN

	/*
	 * All events which require a permission response from userspace.
	 * NOTE(review): such events are answered through NotifyFD.Response;
	 * confirm every permission event receives a reply, including on error
	 * paths, since an unanswered one presumably keeps the accessing process
	 * waiting.
	 */
	FAN_ALL_PERM_EVENTS = FAN_OPEN_PERM |
		FAN_ACCESS_PERM

	// Every bit the kernel can report, including the overflow marker that
	// carries no file.
	FAN_ALL_OUTGOING_EVENTS = FAN_ALL_EVENTS |
		FAN_ALL_PERM_EVENTS |
		FAN_Q_OVERFLOW

	// Expected value of EventMetadata.Version.
	FANOTIFY_METADATA_VERSION = 3

	// Response codes for permission events — presumably what
	// NotifyFD.Response writes back for allow=true / allow=false; verify.
	FAN_ALLOW = 0x01
	FAN_DENY  = 0x02
	FAN_NOFD  = -1
)

Event types

Variables

// ImportantFiles is the built-in set of file monitor filters: package
// databases, identity and name-resolution files under /etc, per-user SSH
// directories, the dynamic loader and libc under /lib and /lib64, and the
// system binary directories.  Entries marked Recursive carry a Regex that is
// presumably applied beneath Path.
//
// NOTE(review): Path is escaped like a regex in some entries
// ("/etc/resolv\\.conf", "/home/.*/\\.ssh") but not in others
// ("/etc/hosts"); confirm how Path is matched so literal paths are handled
// consistently.
var ImportantFiles = []share.CLUSFileMonitorFilter{
	// Package databases (dpkg, rpm, apk).
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/dpkg/status"},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/rpm/Packages"},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib/apk/db/installed"},
	// Host identity and name resolution.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/hosts"},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/passwd"},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/shadow"},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/resolv\\.conf"},
	// Per-user SSH material.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/home/.*/\\.ssh", Regex: ".*"},
	// Dynamic loader and core libraries.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "ld-linux\\..*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "libc\\..*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "libpthread.*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "ld-linux.*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "libc\\..*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "libpthread.*", Recursive: true},
	// System binary directories.
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/bin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/sbin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/bin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/sbin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/local/bin", Regex: ".*", Recursive: true},
	{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/local/sbin", Regex: ".*", Recursive: true},
}

Functions

func ParseMonitorPath

func ParseMonitorPath(path string) (int, string, error)

Uses the path prefix to derive the container index.

Types

type EstimateRuleSrcCallback

// EstimateRuleSrcCallback is supplied through FileMonitorConfig.EstRule.  It
// receives an identifier, a path and whether access was blocked, and returns
// a string — presumably the rule source attributed to the event; verify
// against the caller.
type EstimateRuleSrcCallback func(id, path string, bBlocked bool) string

type EventMetadata

// EventMetadata is the event struct returned from NotifyFD.GetEvent.
//
// The File member needs to be Closed after usage, to prevent an fd leak.
//
// NOTE(review): the field order appears to track the kernel's
// fanotify_event_metadata layout (len, version, reserved, metadata_len,
// mask, fd, pid) — do not reorder without checking how GetEvent decodes it.
type EventMetadata struct {
	Len         uint32
	Version     uint8 // expected to equal FANOTIFY_METADATA_VERSION
	Reserved    uint8
	MetadataLen uint16
	Mask        uint64 // event bits, see FAN_ACCESS and the other event constants
	File        *os.File // the file the event refers to; caller must Close it
	Pid         int32
}

Event struct returned from NotifyFD.GetEvent

The File member needs to be Closed after usage, to prevent an Fd leak

type FaMonProbeData

// FaMonProbeData holds the counters filled in by FaNotify.GetProbeData and
// embedded in FmonProbeData.Fan.
type FaMonProbeData struct {
	NRoots    int
	NMntRoots int
	NDirMarks int
	NRules    int
	NPaths    int
	NDirs     int
}

type FaNotify

// FaNotify is the fanotify-based file monitor; create it with NewFaNotify and
// release it with Close.  Its fields are unexported and are elided in this
// rendering.
type FaNotify struct {
	// contains filtered or unexported fields
}

func NewFaNotify

func NewFaNotify(endFaChan chan bool, cb PidLookupCallback, sys *system.SystemTools) (*FaNotify, error)

func (*FaNotify) AddMonitorDirFile

func (fn *FaNotify) AddMonitorDirFile(path string, filter interface{}, protect, userAdded bool, files map[string]interface{}, cb NotifyCallback, params interface{}) bool

///

func (*FaNotify) AddMonitorFile

func (fn *FaNotify) AddMonitorFile(path string, filter interface{}, protect, userAdded bool, cb NotifyCallback, params interface{}) bool

//

func (*FaNotify) AddMonitorFileOnTheFly

func (fn *FaNotify) AddMonitorFileOnTheFly(path string, filter interface{}, protect, userAdded bool, cb NotifyCallback, params interface{}) bool

// TODO

func (*FaNotify) Close

func (fn *FaNotify) Close()

///

func (*FaNotify) ContainerCleanup

func (fn *FaNotify) ContainerCleanup(rootPid int)

func (*FaNotify) GetProbeData

func (fn *FaNotify) GetProbeData(m *FaMonProbeData)

//////

func (*FaNotify) GetWatchFileList

func (fn *FaNotify) GetWatchFileList(rootPid int) []*share.CLUSFileMonitorFile

func (*FaNotify) GetWatches

func (fn *FaNotify) GetWatches() []*share.CLUSFileMonitorFile

func (*FaNotify) MonitorFileEvents

func (fn *FaNotify) MonitorFileEvents()

///

func (*FaNotify) RemoveMonitorFile

func (fn *FaNotify) RemoveMonitorFile(path string)

////

func (*FaNotify) SetMode

func (fn *FaNotify) SetMode(rootPid int, access, perm, capBlock, bNeuvectorSvc bool)

Sets the file monitor policy mode but does not update the watches; the upper layer needs to re-add the watches.

func (*FaNotify) StartMonitor

func (fn *FaNotify) StartMonitor(rootPid int) bool

///

func (*FaNotify) UpdateAccessRule

func (fn *FaNotify) UpdateAccessRule(rootPid int, conf *share.CLUSFileAccessRule) error

type FileMonitorConfig

// FileMonitorConfig is the configuration passed to NewFileWatcher.  The
// callback fields are how the watcher reaches back into its caller: PidLookup
// resolves a pid to ProcInfo, SendReport delivers a MonitorMessage,
// SendAccessRule delivers access rule requests and EstRule attributes a rule
// source.
type FileMonitorConfig struct {
	IsAufs         bool
	EnableTrace    bool
	EndChan        chan bool // shutdown signal — presumably the same role as endFaChan in NewFaNotify; verify
	WalkerTask     *workerlet.Tasker
	PidLookup      PidLookupCallback
	SendReport     SendAggregateReportCallback
	SendAccessRule SendFileAccessRuleCallback
	EstRule        EstimateRuleSrcCallback
}

type FileWatch

// FileWatch is the top-level file watcher created by NewFileWatcher; its
// GetProbeData result combines the fanotify and inotify counters.  Fields are
// unexported and are elided in this rendering.
type FileWatch struct {
	// contains filtered or unexported fields
}

func NewFileWatcher

func NewFileWatcher(config *FileMonitorConfig) (*FileWatch, error)

func (*FileWatch) AddProcessFile

func (w *FileWatch) AddProcessFile(id string, rootPid int, pid int)

func (*FileWatch) Close

func (w *FileWatch) Close()

func (*FileWatch) ContainerCleanup

func (w *FileWatch) ContainerCleanup(rootPid int)

func (*FileWatch) GetAllFileMonitorFile

func (w *FileWatch) GetAllFileMonitorFile() []*share.CLUSFileMonitorFile

func (*FileWatch) GetProbeData

func (w *FileWatch) GetProbeData() *FmonProbeData

//////

func (*FileWatch) GetWatchFileList

func (w *FileWatch) GetWatchFileList(rootPid int) []*share.CLUSFileMonitorFile

func (*FileWatch) HandleWatchedFiles

func (w *FileWatch) HandleWatchedFiles()

func (*FileWatch) SetMonitorTrace

func (w *FileWatch) SetMonitorTrace(bEnable bool)

func (*FileWatch) StartWatch

func (w *FileWatch) StartWatch(id string, rootPid int, conf *FsmonConfig, capBlock, bNeuvectorSvc bool)

func (*FileWatch) UpdateAccessRules

func (w *FileWatch) UpdateAccessRules(name string, rootPid int, conf *share.CLUSFileAccessRule)

type FmonProbeData

// FmonProbeData is returned by FileWatch.GetProbeData and aggregates the
// fanotify (Fan) and inotify (Ino) probe counters.
type FmonProbeData struct {
	NFileEvents int
	NGroups     int
	Fan         FaMonProbeData
	Ino         IMonProbeData
}

type FsmonConfig

// FsmonConfig bundles the monitor profile and access rule handed to
// FileWatch.StartWatch for one container.
type FsmonConfig struct {
	Profile *share.CLUSFileMonitorProfile
	Rule    *share.CLUSFileAccessRule
}

type IFile

// IFile is an internal inotify record; its fields are unexported and are
// elided in this rendering.
type IFile struct {
	// contains filtered or unexported fields
}

type IMonProbeData

// IMonProbeData holds the counters filled in by Inotify.GetProbeData and
// embedded in FmonProbeData.Ino.
type IMonProbeData struct {
	NWds   int
	NPaths int
	NDirs  int
}

type Inotify

// Inotify is the inotify-based file monitor; create it with NewInotify and
// release it with Close.  Its fields are unexported and are elided in this
// rendering.
type Inotify struct {
	// contains filtered or unexported fields
}

func NewInotify

func NewInotify() (*Inotify, error)

func (*Inotify) AddMonitorDirFile

func (n *Inotify) AddMonitorDirFile(path string, files map[string]interface{},
	cb NotifyCallback, params interface{}) bool

func (*Inotify) AddMonitorFile

func (n *Inotify) AddMonitorFile(path string, cb NotifyCallback, params interface{}) bool

func (*Inotify) CheckMonitorFileExist

func (n *Inotify) CheckMonitorFileExist(path string) (interface{}, bool)

func (*Inotify) Close

func (n *Inotify) Close()

func (*Inotify) ContainerCleanup

func (n *Inotify) ContainerCleanup(rootPid int)

func (*Inotify) GetProbeData

func (n *Inotify) GetProbeData(m *IMonProbeData)

//////

func (*Inotify) GetWatchCount

func (n *Inotify) GetWatchCount() uint32

func (*Inotify) GetWatchFileList

func (n *Inotify) GetWatchFileList(rootPid int) []string

func (*Inotify) GetWatches

func (n *Inotify) GetWatches() []string

func (*Inotify) MonitorFileEvents

func (n *Inotify) MonitorFileEvents()

func (*Inotify) RemoveMonitorFile

func (n *Inotify) RemoveMonitorFile(path string)

type MonitorMessage

// MonitorMessage is the aggregated file-event report handed to
// SendAggregateReportCallback.  The Proc* fields mirror ProcInfo and
// presumably describe the process that touched Path; verify against the
// sender.
type MonitorMessage struct {
	ID        string
	Path      string
	Package   bool
	ProcName  string
	ProcPath  string
	ProcCmds  []string
	ProcPid   int
	ProcEUid  int
	ProcEUser string
	ProcPPid  int
	ProcPName string
	ProcPPath string
	Group     string
	Msg       string
	Count     int       // number of events aggregated into this message
	StartAt   time.Time // presumably the time of the first aggregated event; verify
	Action    string
}

type NotifyCallback

// NotifyCallback is invoked for a file event on path with the event mask, the
// params value registered alongside it (e.g. via AddMonitorFile) and the
// process information resolved for the event.
//
// NOTE(review): mask is uint32 while EventMetadata.Mask and NotifyFD.Mark use
// uint64; every FAN_* bit defined in this package fits in 32 bits, but
// confirm the narrowing is intentional.
type NotifyCallback func(path string, mask uint32, params interface{}, pInfo *ProcInfo)

type NotifyFD

// NotifyFD is a notify handle, used by all notify functions.  It is created by
// Initialize and released by Close; events are read with GetEvent and
// permission events are answered with Response.  Fields are unexported and
// are elided in this rendering.
type NotifyFD struct {
	// contains filtered or unexported fields
}

A notify handle, used by all notify functions

func Initialize

func Initialize(faflags, openflags int) (*NotifyFD, error)

Initialize the notify support

func (*NotifyFD) Close

func (nd *NotifyFD) Close()

func (*NotifyFD) GetEvent

func (nd *NotifyFD) GetEvent() (*EventMetadata, error)

Get an event from the fanotify handle

func (*NotifyFD) GetFd

func (nd *NotifyFD) GetFd() int32

func (*NotifyFD) Mark

func (nd *NotifyFD) Mark(flags int, mask uint64, dfd int, path string) error

Add/Delete/Modify an Fanotify mark

func (*NotifyFD) Response

func (nd *NotifyFD) Response(ev *EventMetadata, allow bool) error

Send a response back to fanotify for permission checks. If allow is set to true, access is granted.

type PidLookupCallback

// PidLookupCallback resolves a pid to its ProcInfo.  It is passed to
// NewFaNotify and set in FileMonitorConfig.PidLookup; NOTE(review): a nil
// result presumably means the process could not be resolved — confirm that
// callers of the callback handle nil.
type PidLookupCallback func(pid int) *ProcInfo

type ProcInfo

// ProcInfo describes a process involved in a file event.  It is produced by
// PidLookupCallback and handed to NotifyCallback.
type ProcInfo struct {
	RootPid   int // pid of the container root the process belongs to — presumably; verify
	Name      string
	Path      string
	Cmds      []string
	Pid       int
	EUid      int
	EUser     string
	PPid      int
	PName     string
	PPath     string
	Deny      bool
	InProfile bool
}

type SendAggregateReportCallback

// SendAggregateReportCallback delivers an aggregated MonitorMessage; it is
// set in FileMonitorConfig.SendReport.  The meaning of the bool result is not
// visible here — presumably whether the report was accepted; verify.
type SendAggregateReportCallback func(fsmsg *MonitorMessage) bool

type SendFileAccessRuleCallback

// SendFileAccessRuleCallback delivers a batch of file access rule requests; it
// is set in FileMonitorConfig.SendAccessRule and returns an error when the
// batch cannot be sent.
type SendFileAccessRuleCallback func(rules []*share.CLUSFileAccessRuleReq) error
