probe

package
v0.0.0-...-fc2018e Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 26, 2024 License: Apache-2.0 Imports: 81 Imported by: 0

Documentation

Overview

Package probe holds probe related files

Package probe holds probe related files

Index

Constants

View Source 
const (
	// EBPFOrigin eBPF origin
	EBPFOrigin = "ebpf"
	// EBPFLessOrigin eBPF less origin
	EBPFLessOrigin = "ebpfless"
)
View Source 
const (
	// DiscardRetention time a discard is retained but not discarding. This avoid race for pending event is userspace
	// pipeline for already deleted file in kernel space.
	DiscardRetention = 5 * time.Second
)
View Source 
const (
	// ServiceEnvVar environment variable used to report service
	ServiceEnvVar = "DD_SERVICE"
)

Variables

View Source 
var (
	// SupportedDiscarders lists all field which supports discarders
	SupportedDiscarders = make(map[eval.Field]bool)
	// SupportedMultiDiscarder lists all supported multi discarders
	SupportedMultiDiscarder []*rules.MultiDiscarder
)
View Source 
var (
	// DiscarderConstants ebpf constants
	DiscarderConstants = []manager.ConstantEditor{
		{
			Name:  "discarder_retention",
			Value: uint64(DiscardRetention.Nanoseconds()),
		},
	}
)
View Source 
var ErrActivityDumpManagerDisabled = errors.New("ActivityDumpManager is disabled")

ErrActivityDumpManagerDisabled is returned when the activity dump manager is disabled

View Source 
var ErrSecurityProfileManagerDisabled = errors.New("SecurityProfileManager is disabled")

ErrSecurityProfileManagerDisabled is returned when the security profile manager is disabled

View Source 
var InvalidDiscarders = map[eval.Field][]string{
	"open.file.path":               dentryInvalidDiscarder,
	"unlink.file.path":             dentryInvalidDiscarder,
	"chmod.file.path":              dentryInvalidDiscarder,
	"chown.file.path":              dentryInvalidDiscarder,
	"mkdir.file.path":              dentryInvalidDiscarder,
	"rmdir.file.path":              dentryInvalidDiscarder,
	"rename.file.path":             dentryInvalidDiscarder,
	"rename.file.destination.path": dentryInvalidDiscarder,
	"utimes.file.path":             dentryInvalidDiscarder,
	"link.file.path":               dentryInvalidDiscarder,
	"link.file.destination.path":   dentryInvalidDiscarder,
	"process.file.path":            dentryInvalidDiscarder,
	"setxattr.file.path":           dentryInvalidDiscarder,
	"removexattr.file.path":        dentryInvalidDiscarder,
	"chdir.file.path":              dentryInvalidDiscarder,
}

InvalidDiscarders exposes list of values that are not discarders

Functions

func AppendProbeRequestsToFetcher 

func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version)

AppendProbeRequestsToFetcher returns the offsets and struct sizes constants, from a constant fetcher

func NewAbnormalEvent 

func NewAbnormalEvent(id string, description string, event *model.Event, err error) (*rules.Rule, *events.CustomEvent)

NewAbnormalEvent returns the rule and a populated custom event for a abnormal event

func NewEBPFEvent 

func NewEBPFEvent(fh *EBPFFieldHandlers) *model.Event

NewEBPFEvent returns a new event

func NewEBPFLessEvent 

func NewEBPFLessEvent(fh *EBPFLessFieldHandlers) *model.Event

NewEBPFLessEvent returns a new event

func NewEBPFLessHelloMsgEvent 

func NewEBPFLessHelloMsgEvent(msg *ebpfless.HelloMsg, scrubber *procutil.DataScrubber) (*rules.Rule, *events.CustomEvent)

NewEBPFLessHelloMsgEvent returns a eBPFLess hello custom event

func NewEBPFLessModel 

func NewEBPFLessModel() *model.Model

NewEBPFLessModel returns a new model with some extra field validation

func NewEBPFModel 

func NewEBPFModel(probe *EBPFProbe) *model.Model

NewEBPFModel returns a new model with some extra field validation

func NewEventLostReadEvent 

func NewEventLostReadEvent(mapName string, lost float64) (*rules.Rule, *events.CustomEvent)

NewEventLostReadEvent returns the rule and a populated custom event for a lost_events_read event

func NewEventLostWriteEvent 

func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *events.CustomEvent)

NewEventLostWriteEvent returns the rule and a populated custom event for a lost_events_write event

Types

type AbnormalEvent 

type AbnormalEvent struct {
	events.CustomEventCommonFields
	Event *serializers.EventSerializer `json:"triggering_event"`
	Error string                       `json:"error"`
}

AbnormalEvent is used to report that a path resolution failed for a suspicious reason easyjson:json

func (AbnormalEvent) MarshalEasyJSON 

func (v AbnormalEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (AbnormalEvent) ToJSON 

func (a AbnormalEvent) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*AbnormalEvent) UnmarshalEasyJSON 

func (v *AbnormalEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type CustomEventHandler 

type CustomEventHandler interface {
	HandleCustomEvent(rule *rules.Rule, event *events.CustomEvent)
}

CustomEventHandler represents an handler for the custom events sent by the probe

type Discarder 

type Discarder struct {
	Field eval.Field
}

Discarder represents a discarder which is basically the field that we know for sure that the value will be always rejected by the rules

type DiscarderParams 

type DiscarderParams struct {
	EventMask  uint64                                                                   `yaml:"event_mask"`
	Timestamps [model.LastDiscarderEventType + 1 - model.FirstDiscarderEventType]uint64 `yaml:"-"`
	ExpireAt   uint64                                                                   `yaml:"expire_at"`
	IsRetained uint32                                                                   `yaml:"is_retained"`
	Revision   uint32
}

DiscarderParams describes a map value

type DiscarderPushedCallback 

type DiscarderPushedCallback func(eventType string, event *model.Event, field string)

DiscarderPushedCallback describe the callback used to retrieve pushed discarders information

type DiscardersDump 

type DiscardersDump struct {
	Date   time.Time                  `yaml:"date"`
	Inodes []InodeDiscarderDump       `yaml:"inodes"`
	Pids   []PidDiscarderDump         `yaml:"pids"`
	Stats  map[string]discarder.Stats `yaml:"stats"`
}

DiscardersDump describes a dump of discarders

type EBPFFieldHandlers 

type EBPFFieldHandlers struct {
	// contains filtered or unexported fields
}

EBPFFieldHandlers defines a field handlers

func (*EBPFFieldHandlers) GetProcessCacheEntry 

func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFFieldHandlers) ResolveAsync 

func (fh *EBPFFieldHandlers) ResolveAsync(ev *model.Event) bool

ResolveAsync resolves the async flag

func (*EBPFFieldHandlers) ResolveChownGID 

func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string

ResolveChownGID resolves the group id of a chown event to a group name

func (*EBPFFieldHandlers) ResolveChownUID 

func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string

ResolveChownUID resolves the ResolveProcessCacheEntry id of a chown event to a username

func (*EBPFFieldHandlers) ResolveContainerContext 

func (fh *EBPFFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)

ResolveContainerContext queries the cgroup resolver to retrieve the ContainerContext of the event

func (*EBPFFieldHandlers) ResolveContainerCreatedAt 

func (fh *EBPFFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int

ResolveContainerCreatedAt resolves the container creation time of the event

func (*EBPFFieldHandlers) ResolveContainerID 

func (fh *EBPFFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*EBPFFieldHandlers) ResolveContainerTags 

func (fh *EBPFFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string

ResolveContainerTags resolves the container tags of the event

func (*EBPFFieldHandlers) ResolveEventTime 

func (fh *EBPFFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time

ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFFieldHandlers) ResolveEventTimestamp 

func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.BaseEvent) int

ResolveEventTimestamp resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFFieldHandlers) ResolveFileBasename 

func (fh *EBPFFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string

ResolveFileBasename resolves the inode to a full path

func (*EBPFFieldHandlers) ResolveFileFieldsGroup 

func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string

ResolveFileFieldsGroup resolves the group id of the file to a group name

func (*EBPFFieldHandlers) ResolveFileFieldsInUpperLayer 

func (fh *EBPFFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, f *model.FileFields) bool

ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer

func (*EBPFFieldHandlers) ResolveFileFieldsUser 

func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string

ResolveFileFieldsUser resolves the user id of the file to a username

func (*EBPFFieldHandlers) ResolveFileFilesystem 

func (fh *EBPFFieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*EBPFFieldHandlers) ResolveFilePath 

func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string

ResolveFilePath resolves the inode to a full path

func (*EBPFFieldHandlers) ResolveHashes 

func (fh *EBPFFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string

ResolveHashes resolves the hashes of the requested file event

func (*EBPFFieldHandlers) ResolveHashesFromEvent 

func (fh *EBPFFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string

ResolveHashesFromEvent resolves the hashes of the requested event

func (*EBPFFieldHandlers) ResolveK8SGroups 

func (fh *EBPFFieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string

ResolveK8SGroups resolves the k8s groups of the event

func (*EBPFFieldHandlers) ResolveK8SUID 

func (fh *EBPFFieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string

ResolveK8SUID resolves the k8s UID of the event

func (*EBPFFieldHandlers) ResolveK8SUsername 

func (fh *EBPFFieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string

ResolveK8SUsername resolves the k8s username of the event

func (*EBPFFieldHandlers) ResolveModuleArgs 

func (fh *EBPFFieldHandlers) ResolveModuleArgs(_ *model.Event, module *model.LoadModuleEvent) string

ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args

func (*EBPFFieldHandlers) ResolveModuleArgv 

func (fh *EBPFFieldHandlers) ResolveModuleArgv(_ *model.Event, module *model.LoadModuleEvent) []string

ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution.

func (*EBPFFieldHandlers) ResolveMountPointPath 

func (fh *EBPFFieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string

ResolveMountPointPath resolves a mount point path

func (*EBPFFieldHandlers) ResolveMountRootPath 

func (fh *EBPFFieldHandlers) ResolveMountRootPath(ev *model.Event, e *model.MountEvent) string

ResolveMountRootPath resolves a mount root path

func (*EBPFFieldHandlers) ResolveMountSourcePath 

func (fh *EBPFFieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string

ResolveMountSourcePath resolves a mount source path

func (*EBPFFieldHandlers) ResolveNetworkDeviceIfName 

func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *model.NetworkDeviceContext) string

ResolveNetworkDeviceIfName returns the network iterface name from the network context

func (*EBPFFieldHandlers) ResolvePackageName 

func (fh *EBPFFieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent) string

ResolvePackageName resolves the name of the package providing this file

func (*EBPFFieldHandlers) ResolvePackageSourceVersion 

func (fh *EBPFFieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string

ResolvePackageSourceVersion resolves the version of the source package of the package providing this file

func (*EBPFFieldHandlers) ResolvePackageVersion 

func (fh *EBPFFieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEvent) string

ResolvePackageVersion resolves the version of the package providing this file

func (*EBPFFieldHandlers) ResolveProcessArgs 

func (fh *EBPFFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string

ResolveProcessArgs resolves the args of the event

func (*EBPFFieldHandlers) ResolveProcessArgsFlags 

func (fh *EBPFFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)

ResolveProcessArgsFlags resolves the arguments flags of the event

func (*EBPFFieldHandlers) ResolveProcessArgsOptions 

func (fh *EBPFFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)

ResolveProcessArgsOptions resolves the arguments options of the event

func (*EBPFFieldHandlers) ResolveProcessArgsScrubbed 

func (fh *EBPFFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string

ResolveProcessArgsScrubbed resolves the args of the event

func (*EBPFFieldHandlers) ResolveProcessArgsTruncated 

func (fh *EBPFFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessArgsTruncated returns whether the args are truncated

func (*EBPFFieldHandlers) ResolveProcessArgv 

func (fh *EBPFFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string

ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution.

func (*EBPFFieldHandlers) ResolveProcessArgv0 

func (fh *EBPFFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string

ResolveProcessArgv0 resolves the first arg of the event

func (*EBPFFieldHandlers) ResolveProcessArgvScrubbed 

func (fh *EBPFFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string

ResolveProcessArgvScrubbed resolves the args of the process as an array

func (*EBPFFieldHandlers) ResolveProcessCacheEntry 

func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFFieldHandlers) ResolveProcessCreatedAt 

func (fh *EBPFFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int

ResolveProcessCreatedAt resolves process creation time

func (*EBPFFieldHandlers) ResolveProcessEnvp 

func (fh *EBPFFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string

ResolveProcessEnvp resolves the envp of the event as an array

func (*EBPFFieldHandlers) ResolveProcessEnvs 

func (fh *EBPFFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string

ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution.

func (*EBPFFieldHandlers) ResolveProcessEnvsTruncated 

func (fh *EBPFFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessEnvsTruncated returns whether the envs are truncated

func (*EBPFFieldHandlers) ResolveRights 

func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*EBPFFieldHandlers) ResolveSELinuxBoolName 

func (fh *EBPFFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string

ResolveSELinuxBoolName resolves the boolean name of the SELinux event

func (*EBPFFieldHandlers) ResolveService 

func (fh *EBPFFieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string

ResolveService returns the service tag based on the process context

func (*EBPFFieldHandlers) ResolveSetgidEGroup 

func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetgidFSGroup 

func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetgidGroup 

func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetuidEUser 

func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*EBPFFieldHandlers) ResolveSetuidFSUser 

func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*EBPFFieldHandlers) ResolveSetuidUser 

func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*EBPFFieldHandlers) ResolveUserSessionContext 

func (fh *EBPFFieldHandlers) ResolveUserSessionContext(evtCtx *model.UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*EBPFFieldHandlers) ResolveXAttrName 

func (fh *EBPFFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrName returns the string representation of the extended attribute name

func (*EBPFFieldHandlers) ResolveXAttrNamespace 

func (fh *EBPFFieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrNamespace returns the string representation of the extended attribute namespace

type EBPFLessFieldHandlers 

type EBPFLessFieldHandlers struct {
	// contains filtered or unexported fields
}

EBPFLessFieldHandlers defines a field handlers

func (*EBPFLessFieldHandlers) GetProcessCacheEntry 

func (fh *EBPFLessFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFLessFieldHandlers) ResolveAsync 

func (fh *EBPFLessFieldHandlers) ResolveAsync(ev *model.Event) bool

ResolveAsync resolves the async flag

func (*EBPFLessFieldHandlers) ResolveChownGID 

func (fh *EBPFLessFieldHandlers) ResolveChownGID(_ *model.Event, e *model.ChownEvent) string

ResolveChownGID resolves the ResolveProcessCacheEntry group id of a chown event to a username

func (*EBPFLessFieldHandlers) ResolveChownUID 

func (fh *EBPFLessFieldHandlers) ResolveChownUID(_ *model.Event, e *model.ChownEvent) string

ResolveChownUID resolves the ResolveProcessCacheEntry id of a chown event to a username

func (*EBPFLessFieldHandlers) ResolveContainerContext 

func (fh *EBPFLessFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)

ResolveContainerContext retrieve the ContainerContext of the event

func (*EBPFLessFieldHandlers) ResolveContainerCreatedAt 

func (fh *EBPFLessFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int

ResolveContainerCreatedAt resolves the container creation time of the event

func (*EBPFLessFieldHandlers) ResolveContainerID 

func (fh *EBPFLessFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*EBPFLessFieldHandlers) ResolveContainerTags 

func (fh *EBPFLessFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string

ResolveContainerTags resolves the container tags of the event

func (*EBPFLessFieldHandlers) ResolveEventTime 

func (fh *EBPFLessFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time

ResolveEventTime resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFLessFieldHandlers) ResolveEventTimestamp 

func (fh *EBPFLessFieldHandlers) ResolveEventTimestamp(_ *model.Event, e *model.BaseEvent) int

ResolveEventTimestamp resolves the monolitic kernel event timestamp to an absolute time

func (*EBPFLessFieldHandlers) ResolveFileBasename 

func (fh *EBPFLessFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string

ResolveFileBasename resolves the inode to a full path

func (*EBPFLessFieldHandlers) ResolveFileFieldsGroup 

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsGroup(_ *model.Event, e *model.FileFields) string

ResolveFileFieldsGroup resolves the group id of the file to a group name

func (*EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer 

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, e *model.FileFields) bool

ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer

func (*EBPFLessFieldHandlers) ResolveFileFieldsUser 

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsUser(_ *model.Event, e *model.FileFields) string

ResolveFileFieldsUser resolves the user id of the file to a username

func (*EBPFLessFieldHandlers) ResolveFileFilesystem 

func (fh *EBPFLessFieldHandlers) ResolveFileFilesystem(_ *model.Event, e *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*EBPFLessFieldHandlers) ResolveFilePath 

func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string

ResolveFilePath resolves the inode to a full path

func (*EBPFLessFieldHandlers) ResolveHashes 

func (fh *EBPFLessFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string

ResolveHashes resolves the hash of the provided file

func (*EBPFLessFieldHandlers) ResolveHashesFromEvent 

func (fh *EBPFLessFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string

ResolveHashesFromEvent resolves the hashes of the requested event

func (*EBPFLessFieldHandlers) ResolveK8SGroups 

func (fh *EBPFLessFieldHandlers) ResolveK8SGroups(_ *model.Event, e *model.UserSessionContext) []string

ResolveK8SGroups resolves the k8s groups of the event

func (*EBPFLessFieldHandlers) ResolveK8SUID 

func (fh *EBPFLessFieldHandlers) ResolveK8SUID(_ *model.Event, e *model.UserSessionContext) string

ResolveK8SUID resolves the k8s UID of the event

func (*EBPFLessFieldHandlers) ResolveK8SUsername 

func (fh *EBPFLessFieldHandlers) ResolveK8SUsername(_ *model.Event, e *model.UserSessionContext) string

ResolveK8SUsername resolves the k8s username of the event

func (*EBPFLessFieldHandlers) ResolveModuleArgs 

func (fh *EBPFLessFieldHandlers) ResolveModuleArgs(_ *model.Event, e *model.LoadModuleEvent) string

ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args

func (*EBPFLessFieldHandlers) ResolveModuleArgv 

func (fh *EBPFLessFieldHandlers) ResolveModuleArgv(_ *model.Event, e *model.LoadModuleEvent) []string

ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution.

func (*EBPFLessFieldHandlers) ResolveMountPointPath 

func (fh *EBPFLessFieldHandlers) ResolveMountPointPath(_ *model.Event, e *model.MountEvent) string

ResolveMountPointPath resolves a mount point path

func (*EBPFLessFieldHandlers) ResolveMountRootPath 

func (fh *EBPFLessFieldHandlers) ResolveMountRootPath(_ *model.Event, e *model.MountEvent) string

ResolveMountRootPath resolves a mount root path

func (*EBPFLessFieldHandlers) ResolveMountSourcePath 

func (fh *EBPFLessFieldHandlers) ResolveMountSourcePath(_ *model.Event, e *model.MountEvent) string

ResolveMountSourcePath resolves a mount source path

func (*EBPFLessFieldHandlers) ResolveNetworkDeviceIfName 

func (fh *EBPFLessFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, e *model.NetworkDeviceContext) string

ResolveNetworkDeviceIfName returns the network iterface name from the network context

func (*EBPFLessFieldHandlers) ResolvePackageName 

func (fh *EBPFLessFieldHandlers) ResolvePackageName(_ *model.Event, e *model.FileEvent) string

ResolvePackageName resolves the name of the package providing this file

func (*EBPFLessFieldHandlers) ResolvePackageSourceVersion 

func (fh *EBPFLessFieldHandlers) ResolvePackageSourceVersion(_ *model.Event, e *model.FileEvent) string

ResolvePackageSourceVersion resolves the version of the source package of the package providing this file

func (*EBPFLessFieldHandlers) ResolvePackageVersion 

func (fh *EBPFLessFieldHandlers) ResolvePackageVersion(_ *model.Event, e *model.FileEvent) string

ResolvePackageVersion resolves the version of the package providing this file

func (*EBPFLessFieldHandlers) ResolveProcessArgs 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string

ResolveProcessArgs resolves the args of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsFlags 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)

ResolveProcessArgsFlags resolves the arguments flags of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsOptions 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)

ResolveProcessArgsOptions resolves the arguments options of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsScrubbed 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string

ResolveProcessArgsScrubbed resolves the args of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsTruncated 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessArgsTruncated returns whether the args are truncated

func (*EBPFLessFieldHandlers) ResolveProcessArgv 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string

ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution.

func (*EBPFLessFieldHandlers) ResolveProcessArgv0 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string

ResolveProcessArgv0 resolves the first arg of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgvScrubbed 

func (fh *EBPFLessFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string

ResolveProcessArgvScrubbed resolves the args of the process as an array

func (*EBPFLessFieldHandlers) ResolveProcessCacheEntry 

func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFLessFieldHandlers) ResolveProcessCreatedAt 

func (fh *EBPFLessFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int

ResolveProcessCreatedAt resolves process creation time

func (*EBPFLessFieldHandlers) ResolveProcessEnvp 

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string

ResolveProcessEnvp resolves the envp of the event as an array

func (*EBPFLessFieldHandlers) ResolveProcessEnvs 

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string

ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution.

func (*EBPFLessFieldHandlers) ResolveProcessEnvsTruncated 

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessEnvsTruncated returns whether the envs are truncated

func (*EBPFLessFieldHandlers) ResolveRights 

func (fh *EBPFLessFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*EBPFLessFieldHandlers) ResolveSELinuxBoolName 

func (fh *EBPFLessFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string

ResolveSELinuxBoolName resolves the boolean name of the SELinux event

func (*EBPFLessFieldHandlers) ResolveService 

func (fh *EBPFLessFieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string

ResolveService returns the service tag based on the process context

func (*EBPFLessFieldHandlers) ResolveSetgidEGroup 

func (fh *EBPFLessFieldHandlers) ResolveSetgidEGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetgidFSGroup 

func (fh *EBPFLessFieldHandlers) ResolveSetgidFSGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetgidGroup 

func (fh *EBPFLessFieldHandlers) ResolveSetgidGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetuidEUser 

func (fh *EBPFLessFieldHandlers) ResolveSetuidEUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSetuidFSUser 

func (fh *EBPFLessFieldHandlers) ResolveSetuidFSUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSetuidUser 

func (fh *EBPFLessFieldHandlers) ResolveSetuidUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveUserSessionContext 

func (fh *EBPFLessFieldHandlers) ResolveUserSessionContext(_ *model.UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*EBPFLessFieldHandlers) ResolveXAttrName 

func (fh *EBPFLessFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrName returns the string representation of the extended attribute name

func (*EBPFLessFieldHandlers) ResolveXAttrNamespace 

func (fh *EBPFLessFieldHandlers) ResolveXAttrNamespace(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrNamespace returns the string representation of the extended attribute namespace

type EBPFLessHelloMsgEvent 

type EBPFLessHelloMsgEvent struct {
	events.CustomEventCommonFields

	NSID      uint64 `json:"nsid,omitempty"`
	Container struct {
		ID             string `json:"id,omitempty"`
		Name           string `json:"name,omitempty"`
		ImageShortName string `json:"short_name,omitempty"`
		ImageTag       string `json:"image_tag,omitempty"`
	} `json:"container,omitempty"`
	EntrypointArgs []string `json:"args,omitempty"`
}

EBPFLessHelloMsgEvent defines a hello message easyjson:json

func (EBPFLessHelloMsgEvent) MarshalEasyJSON 

func (v EBPFLessHelloMsgEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EBPFLessHelloMsgEvent) ToJSON 

func (e EBPFLessHelloMsgEvent) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*EBPFLessHelloMsgEvent) UnmarshalEasyJSON 

func (v *EBPFLessHelloMsgEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EBPFLessProbe 

type EBPFLessProbe struct {
	sync.Mutex

	Resolvers *resolvers.EBPFLessResolvers
	// contains filtered or unexported fields
}

EBPFLessProbe defines an eBPF less probe

func NewEBPFLessProbe 

func NewEBPFLessProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFLessProbe, error)

NewEBPFLessProbe returns a new eBPF less probe

func (*EBPFLessProbe) AddDiscarderPushedCallback 

func (p *EBPFLessProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback)

AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel

func (*EBPFLessProbe) ApplyRuleSet 

func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet applies the new ruleset

func (*EBPFLessProbe) Close 

func (p *EBPFLessProbe) Close() error

Close the probe

func (*EBPFLessProbe) DispatchEvent 

func (p *EBPFLessProbe) DispatchEvent(event *model.Event)

DispatchEvent sends an event to the probe event handler

func (*EBPFLessProbe) DumpDiscarders 

func (p *EBPFLessProbe) DumpDiscarders() (string, error)

DumpDiscarders dump the discarders

func (*EBPFLessProbe) DumpProcessCache 

func (p *EBPFLessProbe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*EBPFLessProbe) FlushDiscarders 

func (p *EBPFLessProbe) FlushDiscarders() error

FlushDiscarders flush the discarders

func (*EBPFLessProbe) GetClientsCount 

func (p *EBPFLessProbe) GetClientsCount() int

GetClientsCount returns the number of connected clients

func (*EBPFLessProbe) GetEventTags 

func (p *EBPFLessProbe) GetEventTags(containerID string) []string

GetEventTags returns the event tags

func (*EBPFLessProbe) GetFieldHandlers 

func (p *EBPFLessProbe) GetFieldHandlers() model.FieldHandlers

GetFieldHandlers returns the field handlers

func (*EBPFLessProbe) HandleActions 

func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)

HandleActions handles the rule actions

func (*EBPFLessProbe) Init 

func (p *EBPFLessProbe) Init() error

Init the probe

func (*EBPFLessProbe) NewEvent 

func (p *EBPFLessProbe) NewEvent() *model.Event

NewEvent returns a new event

func (*EBPFLessProbe) NewModel 

func (p *EBPFLessProbe) NewModel() *model.Model

NewModel returns a new Model

func (*EBPFLessProbe) OnNewDiscarder 

func (p *EBPFLessProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)

OnNewDiscarder handles discarders

func (*EBPFLessProbe) SendStats 

func (p *EBPFLessProbe) SendStats() error

SendStats send the stats

func (*EBPFLessProbe) Setup 

func (p *EBPFLessProbe) Setup() error

Setup the probe

func (*EBPFLessProbe) Snapshot 

func (p *EBPFLessProbe) Snapshot() error

Snapshot the already existing entities

func (*EBPFLessProbe) Start 

func (p *EBPFLessProbe) Start() error

Start the probe

func (*EBPFLessProbe) Stop 

func (p *EBPFLessProbe) Stop()

Stop the probe

type EBPFMonitors 

type EBPFMonitors struct {
	// contains filtered or unexported fields
}

EBPFMonitors regroups all the work we want to do to monitor the probes we pushed in the kernel

func NewEBPFMonitors 

func NewEBPFMonitors(p *EBPFProbe) *EBPFMonitors

NewEBPFMonitors returns a new instance of a ProbeMonitor

func (*EBPFMonitors) GetEventStreamMonitor 

func (m *EBPFMonitors) GetEventStreamMonitor() *eventstream.Monitor

GetEventStreamMonitor returns the perf buffer monitor

func (*EBPFMonitors) Init 

func (m *EBPFMonitors) Init() error

Init initializes the monitor

func (*EBPFMonitors) ProcessEvent 

func (m *EBPFMonitors) ProcessEvent(event *model.Event)

ProcessEvent processes an event through the various monitors and controllers of the probe

func (*EBPFMonitors) SendStats 

func (m *EBPFMonitors) SendStats() error

SendStats sends statistics about the probe to Datadog

type EBPFProbe 

type EBPFProbe struct {
	Resolvers *resolvers.EBPFResolvers

	Manager *manager.Manager

	// Approvers / discarders section
	Erpc *erpc.ERPC
	// contains filtered or unexported fields
}

EBPFProbe defines a platform probe

func NewEBPFProbe 

func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, wmeta optional.Option[workloadmeta.Component]) (*EBPFProbe, error)

NewEBPFProbe instantiates a new runtime security agent probe

func (*EBPFProbe) AddActivityDumpHandler 

func (p *EBPFProbe) AddActivityDumpHandler(handler dump.ActivityDumpHandler)

AddActivityDumpHandler set the probe activity dump handler

func (*EBPFProbe) AddDiscarderPushedCallback 

func (p *EBPFProbe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)

AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel

func (*EBPFProbe) ApplyFilterPolicy 

func (p *EBPFProbe) ApplyFilterPolicy(eventType eval.EventType, mode kfilters.PolicyMode, flags kfilters.PolicyFlag) error

ApplyFilterPolicy is called when a passing policy for an event type is applied

func (*EBPFProbe) ApplyRuleSet 

func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet apply the required update to handle the new ruleset

func (*EBPFProbe) Close 

func (p *EBPFProbe) Close() error

Close the probe

func (*EBPFProbe) DispatchEvent 

func (p *EBPFProbe) DispatchEvent(event *model.Event)

DispatchEvent sends an event to the probe event handler

func (*EBPFProbe) DumpDiscarders 

func (p *EBPFProbe) DumpDiscarders() (string, error)

DumpDiscarders dump the discarders

func (*EBPFProbe) DumpProcessCache 

func (p *EBPFProbe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*EBPFProbe) EventMarshallerCtor 

func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler

EventMarshallerCtor returns the event marshaller ctor

func (*EBPFProbe) FlushDiscarders 

func (p *EBPFProbe) FlushDiscarders() error

FlushDiscarders flush the discarders

func (*EBPFProbe) FlushNetworkNamespace 

func (p *EBPFProbe) FlushNetworkNamespace(namespace *netns.NetworkNamespace)

FlushNetworkNamespace removes all references and stops all TC programs in the provided network namespace. This method flushes the network namespace in the network namespace resolver as well.

func (*EBPFProbe) GetConstantFetcherStatus 

func (p *EBPFProbe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error)

GetConstantFetcherStatus returns the status of the constant fetcher associated with this probe

func (*EBPFProbe) GetDiscarders 

func (p *EBPFProbe) GetDiscarders() (*DiscardersDump, error)

GetDiscarders retrieve the discarders

func (*EBPFProbe) GetEventTags 

func (p *EBPFProbe) GetEventTags(containerID string) []string

GetEventTags returns the event tags

func (*EBPFProbe) GetFieldHandlers 

func (p *EBPFProbe) GetFieldHandlers() model.FieldHandlers

GetFieldHandlers returns the field handlers

func (*EBPFProbe) GetKernelVersion 

func (p *EBPFProbe) GetKernelVersion() *kernel.Version

GetKernelVersion computes and returns the running kernel version

func (*EBPFProbe) GetMonitors 

func (p *EBPFProbe) GetMonitors() *EBPFMonitors

GetMonitors returns the monitor of the probe

func (*EBPFProbe) GetOffsetConstants 

func (p *EBPFProbe) GetOffsetConstants() (map[string]uint64, error)

GetOffsetConstants returns the offsets and struct sizes constants

func (*EBPFProbe) GetProfileManagers 

func (p *EBPFProbe) GetProfileManagers() *SecurityProfileManagers

GetProfileManagers returns the security profile managers

func (*EBPFProbe) HandleActions 

func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)

HandleActions handles the rule actions

func (*EBPFProbe) Init 

func (p *EBPFProbe) Init() error

Init initializes the probe

func (*EBPFProbe) IsRuntimeCompiled 

func (p *EBPFProbe) IsRuntimeCompiled() bool

IsRuntimeCompiled returns true if the eBPF programs where successfully runtime compiled

func (*EBPFProbe) NewEvent 

func (p *EBPFProbe) NewEvent() *model.Event

NewEvent returns a new event

func (*EBPFProbe) NewModel 

func (p *EBPFProbe) NewModel() *model.Model

NewModel returns a new Model

func (*EBPFProbe) OnNewDiscarder 

func (p *EBPFProbe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)

OnNewDiscarder handles new discarders

func (*EBPFProbe) RefreshUserCache 

func (p *EBPFProbe) RefreshUserCache(containerID string) error

RefreshUserCache refreshes the user cache

func (*EBPFProbe) SendStats 

func (p *EBPFProbe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*EBPFProbe) SetApprovers 

func (p *EBPFProbe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error

SetApprovers applies approvers and removes the unused ones

func (*EBPFProbe) Setup 

func (p *EBPFProbe) Setup() error

Setup the probe

func (*EBPFProbe) Snapshot 

func (p *EBPFProbe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*EBPFProbe) Start 

func (p *EBPFProbe) Start() error

Start the probe

func (*EBPFProbe) Stop 

func (p *EBPFProbe) Stop()

Stop the probe

func (*EBPFProbe) UseRingBuffers 

func (p *EBPFProbe) UseRingBuffers() bool

UseRingBuffers returns true if eBPF ring buffers are supported and used

func (*EBPFProbe) VerifyEnvironment 

func (p *EBPFProbe) VerifyEnvironment() *multierror.Error

VerifyEnvironment returns an error if the current environment seems to be misconfigured

func (*EBPFProbe) VerifyOSVersion 

func (p *EBPFProbe) VerifyOSVersion() error

VerifyOSVersion returns an error if the current kernel version is not supported

type ErrDiscarderNotSupported 

type ErrDiscarderNotSupported struct {
	Field string
}

ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them

func (ErrDiscarderNotSupported) Error 

func (e ErrDiscarderNotSupported) Error() string

type EventHandler 

type EventHandler interface {
	HandleEvent(event any)
	Copy(_ *model.Event) any
}

EventHandler represents a handler for events sent by the probe. This handler makes a copy of the event upon receipt

type EventLostRead 

type EventLostRead struct {
	events.CustomEventCommonFields
	Name string  `json:"map"`
	Lost float64 `json:"lost"`
}

EventLostRead is the event used to report lost events detected from user space easyjson:json

func (EventLostRead) MarshalEasyJSON 

func (v EventLostRead) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventLostRead) ToJSON 

func (e EventLostRead) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*EventLostRead) UnmarshalEasyJSON 

func (v *EventLostRead) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EventLostWrite 

type EventLostWrite struct {
	events.CustomEventCommonFields
	Name string            `json:"map"`
	Lost map[string]uint64 `json:"per_event"`
}

EventLostWrite is the event used to report lost events detected from kernel space easyjson:json

func (EventLostWrite) MarshalEasyJSON 

func (v EventLostWrite) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventLostWrite) ToJSON 

func (e EventLostWrite) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*EventLostWrite) UnmarshalEasyJSON 

func (v *EventLostWrite) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EventStream 

type EventStream interface {
	Init(*manager.Manager, *pconfig.Config) error
	SetMonitor(eventstream.LostEventCounter)
	Start(*sync.WaitGroup) error
	Pause() error
	Resume() error
}

EventStream describes the interface implemented by reordered perf maps or ring buffers

type FullAccessEventHandler 

type FullAccessEventHandler interface {
	HandleEvent(event *model.Event)
}

FullAccessEventHandler represents a handler for events sent by the probe that needs access to all the fields in the SECL model

type InodeDiscarderDump 

type InodeDiscarderDump struct {
	Index                int `yaml:"index"`
	InodeDiscarderParams `yaml:"value"`
	FilePath             string `yaml:"path"`
	Inode                uint64
	MountID              uint32 `yaml:"mount_id"`
}

InodeDiscarderDump describes a dump of an inode discarder

type InodeDiscarderEntry 

type InodeDiscarderEntry struct {
	Inode     uint64
	MountID   uint32
	Timestamp uint64
}

InodeDiscarderEntry describes a map entry

type InodeDiscarderMapEntry 

type InodeDiscarderMapEntry struct {
	PathKey model.PathKey
	IsLeaf  uint32
	Padding uint32
}

InodeDiscarderMapEntry describes a map entry

type InodeDiscarderParams 

type InodeDiscarderParams struct {
	DiscarderParams `yaml:"params"`
	Revision        uint32
}

InodeDiscarderParams describes a map value

type JKillActionReport 

type JKillActionReport struct {
	Type       string              `json:"type"`
	Signal     string              `json:"signal"`
	Scope      string              `json:"scope"`
	CreatedAt  utils.EasyjsonTime  `json:"created_at"`
	DetectedAt utils.EasyjsonTime  `json:"detected_at"`
	KilledAt   utils.EasyjsonTime  `json:"killed_at"`
	ExitedAt   *utils.EasyjsonTime `json:"exited_at,omitempty"`
	TTR        string              `json:"ttr,omitempty"`
}

JKillActionReport used to serialize date easyjson:json

func (JKillActionReport) MarshalEasyJSON 

func (v JKillActionReport) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*JKillActionReport) UnmarshalEasyJSON 

func (v *JKillActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KillActionReport 

type KillActionReport struct {
	sync.RWMutex

	Signal     string
	Scope      string
	Pid        uint32
	CreatedAt  time.Time
	DetectedAt time.Time
	KilledAt   time.Time
	ExitedAt   time.Time
	// contains filtered or unexported fields
}

KillActionReport defines a kill action reports

func (*KillActionReport) ToJSON 

func (k *KillActionReport) ToJSON() ([]byte, bool, error)

ToJSON marshal the action

type Opts 

type Opts struct {
	// DontDiscardRuntime do not discard the runtime. Mostly used by functional tests
	DontDiscardRuntime bool
	// StatsdClient to be used for probe stats
	StatsdClient statsd.ClientInterface
	// PathResolutionEnabled defines if the path resolution is enabled
	PathResolutionEnabled bool
	// TagsResolver will override the default one. Mainly here for tests.
	TagsResolver tags.Resolver
	// SyscallsMonitorEnabled enable syscalls map monitor
	SyscallsMonitorEnabled bool
	// TTYFallbackEnabled enable the tty procfs fallback
	TTYFallbackEnabled bool
	// EBPFLessEnabled use ebpfless source
	EBPFLessEnabled bool
}

Opts defines some probe options

type PidDiscarderDump 

type PidDiscarderDump struct {
	Index              int `yaml:"index"`
	PidDiscarderParams `yaml:"value"`
}

PidDiscarderDump describes a dump of a pid discarder

type PidDiscarderParams 

type PidDiscarderParams struct {
	DiscarderParams `yaml:"params"`
}

PidDiscarderParams describes a map value

type PlatformProbe 

type PlatformProbe interface {
	Setup() error
	Init() error
	Start() error
	Stop()
	SendStats() error
	Snapshot() error
	Close() error
	NewModel() *model.Model
	DumpDiscarders() (string, error)
	FlushDiscarders() error
	ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
	OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
	HandleActions(_ *eval.Context, _ *rules.Rule)
	NewEvent() *model.Event
	GetFieldHandlers() model.FieldHandlers
	DumpProcessCache(_ bool) (string, error)
	AddDiscarderPushedCallback(_ DiscarderPushedCallback)
	GetEventTags(_ string) []string
}

PlatformProbe defines a platform dependant probe

type Probe 

type Probe struct {
	PlatformProbe PlatformProbe

	// Constants and configuration
	Opts         Opts
	Config       *config.Config
	StatsdClient statsd.ClientInterface
	// contains filtered or unexported fields
}

Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel

func NewProbe 

func NewProbe(config *config.Config, opts Opts, wmeta optional.Option[workloadmeta.Component]) (*Probe, error)

NewProbe instantiates a new runtime security agent probe

func (*Probe) AddCustomEventHandler 

func (p *Probe) AddCustomEventHandler(eventType model.EventType, handler CustomEventHandler) error

AddCustomEventHandler set the probe event handler

func (*Probe) AddDiscarderPushedCallback 

func (p *Probe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)

AddDiscarderPushedCallback add a callback to the list of func that have to be called when a discarder is pushed to kernel

func (*Probe) AddEventHandler 

func (p *Probe) AddEventHandler(eventType model.EventType, handler EventHandler) error

AddEventHandler sets a probe event handler

func (*Probe) AddFullAccessEventHandler 

func (p *Probe) AddFullAccessEventHandler(handler FullAccessEventHandler) error

AddFullAccessEventHandler sets a probe event handler for the UnknownEventType which requires access to all the struct fields

func (*Probe) ApplyRuleSet 

func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet setup the probes for the provided set of rules and returns the policy report.

func (*Probe) Close 

func (p *Probe) Close() error

Close the probe

func (*Probe) DispatchCustomEvent 

func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent)

DispatchCustomEvent sends a custom event to the probe event handler

func (*Probe) DumpDiscarders 

func (p *Probe) DumpDiscarders() (string, error)

DumpDiscarders removes all the discarders

func (*Probe) DumpProcessCache 

func (p *Probe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dump the process cache

func (*Probe) FlushDiscarders 

func (p *Probe) FlushDiscarders() error

FlushDiscarders invalidates all the discarders

func (*Probe) GetDebugStats 

func (p *Probe) GetDebugStats() map[string]interface{}

GetDebugStats returns the debug stats

func (*Probe) GetEventTags 

func (p *Probe) GetEventTags(containerID string) []string

GetEventTags returns the event tags

func (*Probe) GetService 

func (p *Probe) GetService(ev *model.Event) string

GetService returns the service name from the process tree

func (*Probe) HandleActions 

func (p *Probe) HandleActions(rule *rules.Rule, event eval.Event)

HandleActions executes the actions of a triggered rule

func (*Probe) Init 

func (p *Probe) Init() error

Init initializes the probe

func (*Probe) IsActivityDumpEnabled 

func (p *Probe) IsActivityDumpEnabled() bool

IsActivityDumpEnabled returns whether activity dump is enabled

func (*Probe) IsActivityDumpTagRulesEnabled 

func (p *Probe) IsActivityDumpTagRulesEnabled() bool

IsActivityDumpTagRulesEnabled returns whether rule tags is enabled for activity dumps

func (*Probe) IsNetworkEnabled 

func (p *Probe) IsNetworkEnabled() bool

IsNetworkEnabled returns whether network is enabled

func (*Probe) IsSecurityProfileEnabled 

func (p *Probe) IsSecurityProfileEnabled() bool

IsSecurityProfileEnabled returns whether security profile is enabled

func (*Probe) NewEvaluationSet 

func (p *Probe) NewEvaluationSet(eventTypeEnabled map[eval.EventType]bool, ruleSetTagValues []string) (*rules.EvaluationSet, error)

NewEvaluationSet returns a new evaluation set with rule sets tagged by the passed-in tag values for the "ruleset" tag key

func (*Probe) OnNewDiscarder 

func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)

OnNewDiscarder is called when a new discarder is found

func (*Probe) Origin 

func (p *Probe) Origin() string

Origin returns origin

func (*Probe) SendStats 

func (p *Probe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*Probe) Setup 

func (p *Probe) Setup() error

Setup the runtime security probe

func (*Probe) Snapshot 

func (p *Probe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*Probe) Start 

func (p *Probe) Start() error

Start plays the snapshot data and then start the event stream

func (*Probe) StatsPollingInterval 

func (p *Probe) StatsPollingInterval() time.Duration

StatsPollingInterval returns the stats polling interval

func (*Probe) Stop 

func (p *Probe) Stop()

Stop the probe

type ProcessKiller 

type ProcessKiller struct {
	sync.Mutex
	// contains filtered or unexported fields
}

ProcessKiller defines a process killer structure

func NewProcessKiller 

func NewProcessKiller() *ProcessKiller

NewProcessKiller returns a new ProcessKiller

func (*ProcessKiller) AddPendingReports 

func (p *ProcessKiller) AddPendingReports(report *KillActionReport)

AddPendingReports add a pending reports

func (*ProcessKiller) FlushPendingReports 

func (p *ProcessKiller) FlushPendingReports()

FlushPendingReports flush pending reports

func (*ProcessKiller) HandleProcessExited 

func (p *ProcessKiller) HandleProcessExited(event *model.Event)

HandleProcessExited handles process exited events

func (*ProcessKiller) KillAndReport 

func (p *ProcessKiller) KillAndReport(scope string, signal string, ev *model.Event, killFnc func(pid uint32, sig uint32) error)

KillAndReport kill and report

func (*ProcessKiller) KillFromUserspace 

func (p *ProcessKiller) KillFromUserspace(pid uint32, sig uint32, ev *model.Event) error

KillFromUserspace tries to kill from userspace

type QueuedNetworkDeviceError 

type QueuedNetworkDeviceError struct {
	// contains filtered or unexported fields
}

QueuedNetworkDeviceError is used to indicate that the new network device was queued until its namespace handle is resolved.

func (QueuedNetworkDeviceError) Error 

func (err QueuedNetworkDeviceError) Error() string

type SecurityProfileManagers 

type SecurityProfileManagers struct {
	// contains filtered or unexported fields
}

SecurityProfileManagers holds the security profile managers

func NewSecurityProfileManagers 

func NewSecurityProfileManagers(p *EBPFProbe) (*SecurityProfileManagers, error)

NewSecurityProfileManagers returns a new manager object

func (*SecurityProfileManagers) AddActivityDumpHandler 

func (spm *SecurityProfileManagers) AddActivityDumpHandler(handler dump.ActivityDumpHandler)

AddActivityDumpHandler add a handler

func (*SecurityProfileManagers) DumpActivity 

func (spm *SecurityProfileManagers) DumpActivity(params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)

DumpActivity handles an activity dump request

func (*SecurityProfileManagers) GenerateTranscoding 

func (spm *SecurityProfileManagers) GenerateTranscoding(params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error)

GenerateTranscoding encodes an activity dump following the input parameters

func (*SecurityProfileManagers) GetActivityDumpManager 

func (spm *SecurityProfileManagers) GetActivityDumpManager() *dump.ActivityDumpManager

GetActivityDumpManager returns the activity dump manager

func (*SecurityProfileManagers) GetActivityDumpTracedEventTypes 

func (spm *SecurityProfileManagers) GetActivityDumpTracedEventTypes() []model.EventType

GetActivityDumpTracedEventTypes returns traced event types

func (*SecurityProfileManagers) GetSecurityProfileManager 

func (spm *SecurityProfileManagers) GetSecurityProfileManager() *profile.SecurityProfileManager

GetSecurityProfileManager returns the security profile manager

func (*SecurityProfileManagers) ListActivityDumps 

func (spm *SecurityProfileManagers) ListActivityDumps(params *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error)

ListActivityDumps returns the list of active dumps

func (*SecurityProfileManagers) ListSecurityProfiles 

func (spm *SecurityProfileManagers) ListSecurityProfiles(params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error)

ListSecurityProfiles list the profiles

func (*SecurityProfileManagers) SaveSecurityProfile 

func (spm *SecurityProfileManagers) SaveSecurityProfile(params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error)

SaveSecurityProfile save a security profile

func (*SecurityProfileManagers) SendStats 

func (spm *SecurityProfileManagers) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*SecurityProfileManagers) SnapshotTracedCgroups 

func (spm *SecurityProfileManagers) SnapshotTracedCgroups()

SnapshotTracedCgroups snapshots traced cgroups

func (*SecurityProfileManagers) Start 

func (spm *SecurityProfileManagers) Start(ctx context.Context, wg *sync.WaitGroup)

Start triggers the goroutine of all the underlying controllers and monitors of the Monitor

func (*SecurityProfileManagers) StopActivityDump 

func (spm *SecurityProfileManagers) StopActivityDump(params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error)

StopActivityDump stops an active activity dump

Source Files

View all Source files

Directories

Path Synopsis
Package config holds config related files
 Package config holds config related files
Package constantfetch holds constantfetch related files
 Package constantfetch holds constantfetch related files
Package erpc holds erpc related files
 Package erpc holds erpc related files
Package eventstream holds eventstream related files
 Package eventstream holds eventstream related files
reorderer
Package reorderer holds reorderer related files
 Package reorderer holds reorderer related files
ringbuffer
Package ringbuffer holds ringbuffer related files
 Package ringbuffer holds ringbuffer related files
Package kfilters holds kfilters related files
 Package kfilters holds kfilters related files
Package managerhelper holds managerhelper related files
 Package managerhelper holds managerhelper related files
monitors
approver
Package approver holds approver related files
 Package approver holds approver related files
cgroups
Package cgroups holds cgroups related files
 Package cgroups holds cgroups related files
discarder
Package discarder holds discarder related files
 Package discarder holds discarder related files
runtime
Package runtime holds runtime related files
 Package runtime holds runtime related files
syscalls
Package syscalls holds syscalls related files
 Package syscalls holds syscalls related files
Package selftests holds selftests related files
 Package selftests holds selftests related files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.