fsmon

package
v1.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Mar 6, 2023 License: Apache-2.0 Imports: 24 Imported by: 0

Documentation

Overview

The fanotify package provides a simple fanotify api

Index

Constants

View Source 
const (
	/* flags used for fanotify_init() */
	FAN_CLOEXEC  = 0x00000001
	FAN_NONBLOCK = 0x00000002

	/* These are NOT bitwise flags.  Both bits are used togther.  */
	FAN_CLASS_NOTIF       = 0x00000000
	FAN_CLASS_CONTENT     = 0x00000004
	FAN_CLASS_PRE_CONTENT = 0x00000008

	FAN_ALL_CLASS_BITS = FAN_CLASS_NOTIF |
		FAN_CLASS_CONTENT |
		FAN_CLASS_PRE_CONTENT

	FAN_UNLIMITED_QUEUE = 0x00000010
	FAN_UNLIMITED_MARKS = 0x00000020

	FAN_ALL_INIT_FLAGS = FAN_CLOEXEC |
		FAN_NONBLOCK |
		FAN_ALL_CLASS_BITS |
		FAN_UNLIMITED_QUEUE |
		FAN_UNLIMITED_MARKS
)

Flags used as first parameter to Initiliaze

View Source 
const (
	/* flags used for fanotify_modify_mark() */
	FAN_MARK_ADD                 = 0x00000001
	FAN_MARK_REMOVE              = 0x00000002
	FAN_MARK_DONT_FOLLOW         = 0x00000004
	FAN_MARK_ONLYDIR             = 0x00000008
	FAN_MARK_MOUNT               = 0x00000010
	FAN_MARK_IGNORED_MASK        = 0x00000020
	FAN_MARK_IGNORED_SURV_MODIFY = 0x00000040
	FAN_MARK_FLUSH               = 0x00000080

	FAN_ALL_MARK_FLAGS = FAN_MARK_ADD |
		FAN_MARK_REMOVE |
		FAN_MARK_DONT_FOLLOW |
		FAN_MARK_ONLYDIR |
		FAN_MARK_MOUNT |
		FAN_MARK_IGNORED_MASK |
		FAN_MARK_IGNORED_SURV_MODIFY |
		FAN_MARK_FLUSH
)

Flags used for the Mark Method

View Source 
const (
	FAN_ACCESS        = 0x00000001 /* File was accessed */
	FAN_MODIFY        = 0x00000002 /* File was modified */
	FAN_CLOSE_WRITE   = 0x00000008 /* Writtable file closed */
	FAN_CLOSE_NOWRITE = 0x00000010 /* Unwrittable file closed */
	FAN_OPEN          = 0x00000020 /* File was opened */

	FAN_Q_OVERFLOW = 0x00004000 /* Event queued overflowed */

	FAN_OPEN_PERM   = 0x00010000 /* File open in perm check */
	FAN_ACCESS_PERM = 0x00020000 /* File accessed in perm check */

	FAN_ONDIR = 0x40000000 /* event occurred against dir */

	FAN_EVENT_ON_CHILD = 0x08000000 /* interested in child events */

	/* helper events */
	FAN_CLOSE = FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE /* close */

	/*
	 * All of the events - we build the list by hand so that we can add flags in
	 * the future and not break backward compatibility.  Apps will get only the
	 * events that they originally wanted.  Be sure to add new events here!
	 */
	FAN_ALL_EVENTS = FAN_ACCESS |
		FAN_MODIFY |
		FAN_CLOSE |
		FAN_OPEN

		/*
		 * All events which require a permission response from userspace
		 */
	FAN_ALL_PERM_EVENTS = FAN_OPEN_PERM |
		FAN_ACCESS_PERM

	FAN_ALL_OUTGOING_EVENTS = FAN_ALL_EVENTS |
		FAN_ALL_PERM_EVENTS |
		FAN_Q_OVERFLOW

	FANOTIFY_METADATA_VERSION = 3

	FAN_ALLOW = 0x01
	FAN_DENY  = 0x02
	FAN_NOFD  = -1
)

Event types

Variables

View Source 
var DefaultContainerConf share.CLUSFileMonitorProfile = share.CLUSFileMonitorProfile{
	Filters: ImportantFiles,
}
View Source 
var ImportantFiles []share.CLUSFileMonitorFilter = []share.CLUSFileMonitorFilter{
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/dpkg/status", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/var/lib/rpm/Packages", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib/apk/db/installed", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/hosts", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/passwd", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/shadow", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/etc/resolv\\.conf", Regex: ""},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/home/.*/\\.ssh", Regex: ".*"},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "ld-linux\\..*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "libc\\..*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib", Regex: "libpthread.*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "ld-linux.*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "libc\\..*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/lib64", Regex: "libpthread.*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/bin", Regex: ".*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/sbin", Regex: ".*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/bin", Regex: ".*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/sbin", Regex: ".*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/local/bin", Regex: ".*", Recursive: true},
	share.CLUSFileMonitorFilter{Behavior: share.FileAccessBehaviorMonitor, Path: "/usr/local/sbin", Regex: ".*", Recursive: true},
}

Functions

func ParseMonitorPath 

func ParseMonitorPath(path string) (int, string, error)

use the path prefix for container index

Types

type EstimateRuleSrcCallback 

type EstimateRuleSrcCallback func(id, path string, bBlocked bool) string

type EventMetadata 

type EventMetadata struct {
	Len         uint32
	Version     uint8
	Reserved    uint8
	MetadataLen uint16
	Mask        uint64
	File        *os.File
	Pid         int32
}

Event struct returned from NotifyFD.GetEvent

The File member needs to be Closed after usage, to prevent an Fd leak

type FaMonProbeData 

type FaMonProbeData struct {
	NRoots    int
	NMntRoots int
	NDirMarks int
	NRules    int
	NPaths    int
	NDirs     int
}

type FaNotify 

type FaNotify struct {
	// contains filtered or unexported fields
}

func NewFaNotify 

func NewFaNotify(endFaChan chan bool, cb PidLookupCallback, sys *system.SystemTools) (*FaNotify, error)

func (*FaNotify) AddMonitorDirFile 

func (fn *FaNotify) AddMonitorDirFile(path string, filter interface{}, protect, userAdded bool, files map[string]interface{}, cb NotifyCallback, params interface{}) bool

///

func (*FaNotify) AddMonitorFile 

func (fn *FaNotify) AddMonitorFile(path string, filter interface{}, protect, userAdded bool, cb NotifyCallback, params interface{}) bool

//

func (*FaNotify) AddMonitorFileOnTheFly 

func (fn *FaNotify) AddMonitorFileOnTheFly(path string, filter interface{}, protect, userAdded bool, cb NotifyCallback, params interface{}) bool

// TODO

func (*FaNotify) Close 

func (fn *FaNotify) Close()

///

func (*FaNotify) ContainerCleanup 

func (fn *FaNotify) ContainerCleanup(rootPid int)

func (*FaNotify) GetProbeData 

func (fn *FaNotify) GetProbeData(m *FaMonProbeData)

//////

func (*FaNotify) GetWatchFileList 

func (fn *FaNotify) GetWatchFileList(rootPid int) []*share.CLUSFileMonitorFile

func (*FaNotify) GetWatches 

func (fn *FaNotify) GetWatches() []*share.CLUSFileMonitorFile

func (*FaNotify) MonitorFileEvents 

func (fn *FaNotify) MonitorFileEvents()

///

func (*FaNotify) RemoveMonitorFile 

func (fn *FaNotify) RemoveMonitorFile(path string)

////

func (*FaNotify) SetMode 

func (fn *FaNotify) SetMode(rootPid int, access, perm, capBlock, bNeuvectorSvc bool)

set file monitor policy mode. but not update the watches. the upper layer need to re-add the watches.

func (*FaNotify) StartMonitor 

func (fn *FaNotify) StartMonitor(rootPid int) bool

///

func (*FaNotify) UpdateAccessRule 

func (fn *FaNotify) UpdateAccessRule(rootPid int, conf *share.CLUSFileAccessRule) error

type FileMonitorConfig 

type FileMonitorConfig struct {
	IsAufs         bool
	EnableTrace    bool
	EndChan        chan bool
	WalkerTask     *workerlet.Tasker
	PidLookup      PidLookupCallback
	SendReport     SendAggregateReportCallback
	SendAccessRule SendFileAccessRuleCallback
	EstRule        EstimateRuleSrcCallback
}

type FileWatch 

type FileWatch struct {
	// contains filtered or unexported fields
}

func NewFileWatcher 

func NewFileWatcher(config *FileMonitorConfig) (*FileWatch, error)

func (*FileWatch) AddProcessFile 

func (w *FileWatch) AddProcessFile(id string, rootPid int, pid int)

func (*FileWatch) Close 

func (w *FileWatch) Close()

func (*FileWatch) ContainerCleanup 

func (w *FileWatch) ContainerCleanup(rootPid int)

func (*FileWatch) GetAllFileMonitorFile 

func (w *FileWatch) GetAllFileMonitorFile() []*share.CLUSFileMonitorFile

func (*FileWatch) GetProbeData 

func (w *FileWatch) GetProbeData() *FmonProbeData

//////

func (*FileWatch) GetWatchFileList 

func (w *FileWatch) GetWatchFileList(rootPid int) []*share.CLUSFileMonitorFile

func (*FileWatch) HandleWatchedFiles 

func (w *FileWatch) HandleWatchedFiles()

func (*FileWatch) SetMonitorTrace 

func (w *FileWatch) SetMonitorTrace(bEnable bool)

func (*FileWatch) StartWatch 

func (w *FileWatch) StartWatch(id string, rootPid int, conf *FsmonConfig, capBlock, bNeuvectorSvc bool)

func (*FileWatch) UpdateAccessRules 

func (w *FileWatch) UpdateAccessRules(name string, rootPid int, conf *share.CLUSFileAccessRule)

type FmonProbeData 

type FmonProbeData struct {
	NFileEvents int
	NGroups     int
	Fan         FaMonProbeData
	Ino         IMonProbeData
}

type FsmonConfig 

type FsmonConfig struct {
	Profile *share.CLUSFileMonitorProfile
	Rule    *share.CLUSFileAccessRule
}

type IFile 

type IFile struct {
	// contains filtered or unexported fields
}

type IMonProbeData 

type IMonProbeData struct {
	NWds   int
	NPaths int
	NDirs  int
}

type Inotify 

type Inotify struct {
	// contains filtered or unexported fields
}

func NewInotify 

func NewInotify() (*Inotify, error)

func (*Inotify) AddMonitorDirFile 

func (n *Inotify) AddMonitorDirFile(path string, files map[string]interface{},
	cb NotifyCallback, params interface{}) bool

func (*Inotify) AddMonitorFile 

func (n *Inotify) AddMonitorFile(path string, cb NotifyCallback, params interface{}) bool

func (*Inotify) CheckMonitorFileExist 

func (n *Inotify) CheckMonitorFileExist(path string) (interface{}, bool)

func (*Inotify) Close 

func (n *Inotify) Close()

func (*Inotify) ContainerCleanup 

func (n *Inotify) ContainerCleanup(rootPid int)

func (*Inotify) GetProbeData 

func (n *Inotify) GetProbeData(m *IMonProbeData)

//////

func (*Inotify) GetWatchCount 

func (n *Inotify) GetWatchCount() uint32

func (*Inotify) GetWatchFileList 

func (n *Inotify) GetWatchFileList(rootPid int) []string

func (*Inotify) GetWatches 

func (n *Inotify) GetWatches() []string

func (*Inotify) MonitorFileEvents 

func (n *Inotify) MonitorFileEvents()

func (*Inotify) RemoveMonitorFile 

func (n *Inotify) RemoveMonitorFile(path string)

type MonitorMessage 

type MonitorMessage struct {
	ID        string
	Path      string
	Package   bool
	ProcName  string
	ProcPath  string
	ProcCmds  []string
	ProcPid   int
	ProcEUid  int
	ProcEUser string
	ProcPPid  int
	ProcPName string
	ProcPPath string
	Group     string
	Msg       string
	Count     int
	StartAt   time.Time
	Action    string
}

type NotifyCallback 

type NotifyCallback func(path string, mask uint32, params interface{}, pInfo *ProcInfo)

type NotifyFD 

type NotifyFD struct {
	// contains filtered or unexported fields
}

A notify handle, used by all notify functions

func Initialize 

func Initialize(faflags, openflags int) (*NotifyFD, error)

Initialize the notify support

func (*NotifyFD) Close 

func (nd *NotifyFD) Close()

func (*NotifyFD) GetEvent 

func (nd *NotifyFD) GetEvent() (*EventMetadata, error)

Get an event from the fanotify handle

func (*NotifyFD) GetFd 

func (nd *NotifyFD) GetFd() int32

func (*NotifyFD) Mark 

func (nd *NotifyFD) Mark(flags int, mask uint64, dfd int, path string) error

Add/Delete/Modify an Fanotify mark

func (*NotifyFD) Response 

func (nd *NotifyFD) Response(ev *EventMetadata, allow bool) error

Send an allow message back to fanotify, used for permission checks If allow is set to true, access is granted

type PidLookupCallback 

type PidLookupCallback func(pid int) *ProcInfo

type ProcInfo 

type ProcInfo struct {
	RootPid   int
	Name      string
	Path      string
	Cmds      []string
	Pid       int
	EUid      int
	EUser     string
	PPid      int
	PName     string
	PPath     string
	Deny      bool
	InProfile bool
}

type SendAggregateReportCallback 

type SendAggregateReportCallback func(fsmsg *MonitorMessage) bool

type SendFileAccessRuleCallback 

type SendFileAccessRuleCallback func(rules []*share.CLUSFileAccessRuleReq) error

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.