ebpftracer

package
v1.5.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 25, 2024 License: Apache-2.0 Imports: 49 Imported by: 0

Documentation

Index

Constants

View Source 
const (
	TailVfsWrite  uint32 = iota // Index of a function to be used in a bpf tailcall.
	TailVfsWritev               // Matches defined values in ebpf code for prog_array map.
	TailSendBin
	TailSendBinTP
	TailKernelWrite
	TailSchedProcessExecEventSubmit
	TailVfsRead
	TailVfsReadv
	TailExecBinprm1
	TailExecBinprm2
	TailHiddenKernelModuleProc
	TailHiddenKernelModuleKset
	TailHiddenKernelModuleModTree
	TailHiddenKernelModuleNewModOnly
	MaxTail
)
View Source 
const (
	ProbeSysEnter handle = iota
	ProbeSysExit
	ProbeSyscallEnter__Internal
	ProbeSyscallExit__Internal
	ProbeSchedProcessFork
	ProbeSchedProcessExec
	ProbeSchedProcessExit
	ProbeSchedProcessFree
	ProbeSchedSwitch
	ProbeDoExit
	ProbeCapCapable
	ProbeVfsWrite
	ProbeVfsWriteRet
	ProbeVfsWriteV
	ProbeVfsWriteVRet
	ProbeSecurityMmapAddr
	ProbeSecurityMmapFile
	ProbeSecurityFileMProtect
	ProbeCommitCreds
	ProbeSwitchTaskNS
	ProbeKernelWrite
	ProbeKernelWriteRet
	ProbeVfsWriteMagic
	ProbeVfsWriteMagicRet
	ProbeVfsWriteVMagic
	ProbeVfsWriteVMagicRet
	ProbeKernelWriteMagic
	ProbeKernelWriteMagicRet
	ProbeCgroupAttachTask
	ProbeCgroupMkdir
	ProbeCgroupRmdir
	ProbeSecurityBPRMCheck
	ProbeSecurityFileOpen
	ProbeSecurityInodeUnlink
	ProbeSecurityInodeMknod
	ProbeSecurityInodeSymlink
	ProbeSecuritySocketCreate
	ProbeSecuritySocketListen
	ProbeSecuritySocketConnect
	ProbeSecuritySocketAccept
	ProbeSecuritySocketBind
	ProbeSecuritySocketSetsockopt
	ProbeSecuritySbMount
	ProbeSecurityBPF
	ProbeSecurityBPFMap
	ProbeSecurityKernelReadFile
	ProbeSecurityKernelPostReadFile
	ProbeDoSplice
	ProbeDoSpliceRet
	ProbeProcCreate
	ProbeRegisterKprobe
	ProbeRegisterKprobeRet
	ProbeCallUsermodeHelper
	ProbeDebugfsCreateFile
	ProbeDebugfsCreateDir
	ProbeDeviceAdd
	ProbeRegisterChrdev
	ProbeRegisterChrdevRet
	ProbeDoInitModule
	ProbeDoInitModuleRet
	ProbeLoadElfPhdrs
	ProbeFilldir64
	ProbeSecurityFilePermission
	ProbeTaskRename
	ProbePrintSyscallTable
	ProbePrintNetSeqOps
	ProbeSecurityInodeRename
	ProbeDoSigaction
	ProbeSecurityBpfProg
	ProbeSecurityFileIoctl
	ProbeCheckHelperCall
	ProbeCheckMapFuncCompatibility
	ProbeKallsymsLookupName
	ProbeKallsymsLookupNameRet
	ProbeSockAllocFile
	ProbeSockAllocFileRet
	ProbeSecuritySkClone
	ProbeSecuritySocketRecvmsg
	ProbeSecuritySocketSendmsg
	ProbeCgroupBPFRunFilterSKB
	ProbeCgroupSKBIngress
	ProbeCgroupSKBEgress
	ProbeDoMmap
	ProbeDoMmapRet
	ProbePrintMemDump
	ProbeVfsRead
	ProbeVfsReadRet
	ProbeVfsReadV
	ProbeVfsReadVRet
	ProbeVfsUtimes
	ProbeUtimesCommon
	ProbeDoTruncate
	ProbeFileUpdateTime
	ProbeFileUpdateTimeRet
	ProbeFileModified
	ProbeFileModifiedRet
	ProbeFdInstall
	ProbeFilpClose
	ProbeInotifyFindInode
	ProbeInotifyFindInodeRet
	ProbeBpfCheck
	ProbeExecBinprm
	ProbeExecBinprmRet
	ProbeHiddenKernelModuleSeeker
	ProbeTpProbeRegPrioMayExist
	ProbeHiddenKernelModuleVerifier
	ProbeModuleLoad
	ProbeModuleFree
	ProbeLayoutAndAllocate
	ProbeInetSockSetState
	ProbeOomMarkVictim
	ProbeTtyOpen

	// Signal probes
	SignalCgroupMkdir
	SignalCgroupRmdir
	SignalSchedProcessFork
	SignalSchedProcessExec
	SignalSchedProcessExit
)

Variables

View Source 
var (
	FilterPass                    error = nil
	FilterErrRateLimit                  = errors.New("rate limit")
	FilterErrEmptyDNSResponse           = errors.New("empty dns response")
	FilterErrDNSDuplicateDetected       = errors.New("dns duplicate detected")
)
View Source 
var ErrPanic = errors.New("encountered panic")

Error indicating that the resulting error was caught from a panic

Functions

This section is empty.

Types

type ActualDestinationGetter 

type ActualDestinationGetter interface {
	GetDestination(src, dst netip.AddrPort) (netip.AddrPort, bool)
}

ActualDestinationGetter is used to find actual destination ip. Usually this info is obtained from conntrack.

type ArgType 

type ArgType uint8

type CgroupClient added in v1.3.0 

type CgroupClient interface {
	LoadCgroup(id cgroup.ID, path string)
	CleanupCgroup(cgroup cgroup.ID)
	IsDefaultHierarchy(uint32) bool
}

type Config 

type Config struct {
	BTFPath                 string
	EventsPerCPUBuffer      int
	EventsOutputChanSize    int
	GCInterval              time.Duration
	DefaultCgroupsVersion   string `validate:"required,oneof=V1 V2"`
	ActualDestinationGetter ActualDestinationGetter
	DebugEnabled            bool
	ContainerClient         ContainerClient
	CgroupClient            CgroupClient
	EnrichEvent             SubmitForEnrichment
	MountNamespacePIDStore  *types.PIDsPerNamespace
	// All PIPs reported from ebpf will be normalized to this PID namespace
	HomePIDNS     proc.NamespaceID
	AllowAnyEvent bool
}

type ContainerClient 

type ContainerClient interface {
	GetContainerForCgroup(ctx context.Context, cgroup cgroup.ID) (*containers.Container, error)
	CleanupCgroup(cgroup cgroup.ID)
}

type EventFilter 

type EventFilter func(event *castpb.Event) error

EventFilter allows for filtering of events before they are send to the server

type EventFilterGenerator 

type EventFilterGenerator func() EventFilter

EventFilterGenerator Produces an event filter for each call

func DeduplicateDnsEvents 

func DeduplicateDnsEvents(l *logging.Logger, size uint32, ttl time.Duration) EventFilterGenerator

DeduplicateDnsEvents creates a filter that will drop any DNS event with questions already seen in `ttl` time

func FilterAnd 

func FilterAnd(filtersGenerators ...EventFilterGenerator) EventFilterGenerator

func FilterEmptyDnsAnswers 

func FilterEmptyDnsAnswers(l *logging.Logger) EventFilterGenerator

FilterEmptyDnsAnswers will drop any DNS event, that is missing an answer section

func GlobalEventFilterGenerator 

func GlobalEventFilterGenerator(filter EventFilter) EventFilterGenerator

GlobalEventFilterGenerator always returns the given filter on each generator invocation. This is useful, if you want some global filtering across cgroups.

func RateLimit 

func RateLimit(spec RateLimitPolicy) EventFilterGenerator

type EventPolicy 

type EventPolicy struct {
	ID                 events.ID
	PreFilterGenerator PreEventFilterGenerator
	FilterGenerator    EventFilterGenerator
}

type EventProbe 

type EventProbe struct {
	// contains filtered or unexported fields
}

type KSymbol 

type KSymbol struct {
	// contains filtered or unexported fields
}

type LRUPolicy 

type LRUPolicy struct {
	Size int
}

type Policy 

type Policy struct {
	SystemEvents    []events.ID // List of events required for internal tasks such as cache cleanup
	SignatureEngine *signature.SignatureEngine
	Events          []*EventPolicy
	Output          PolicyOutputConfig
}

type PolicyOutputConfig 

type PolicyOutputConfig struct {
	StackAddresses bool
	ExecEnv        bool
	RelativeTime   bool
	ExecHash       bool

	ParseArguments    bool
	ParseArgumentsFDs bool
	EventsSorting     bool
}

type PreEventFilter 

type PreEventFilter func(ctx *types.EventContext) error

PreEventFilter allows for filtering of events coming from the kernel before they are decoded

type PreEventFilterGenerator 

type PreEventFilterGenerator func() PreEventFilter

EventFilterGenerator Produces an pre event filter for each call

func GlobalPreEventFilterGenerator 

func GlobalPreEventFilterGenerator(filter PreEventFilter) PreEventFilterGenerator

GlobalPreEventFilterGenerator always returns the given filter on each generator invocation. This is useful, if you want some global filtering across cgroups.

func PreRateLimit 

func PreRateLimit(spec RateLimitPolicy) PreEventFilterGenerator

PreRateLimit creates an pre event filter that limits the amount of events that will be processed accoring to the specified limits

type RateLimitPolicy 

type RateLimitPolicy struct {
	// If interval is set rate limit can be used as interval based sampling. In such case burst is always 1.
	Interval time.Duration

	// Rate is events per second.
	Rate  float64
	Burst int
}

RateLimitPolicy allows to configure event rate limiting.

type SubmitForEnrichment added in v1.1.0 

type SubmitForEnrichment func(*enrichment.EnrichRequest) bool

type SyscallID 

type SyscallID uint32

func (SyscallID) String 

func (s SyscallID) String() string

type SyscallStats 

type SyscallStats struct {
	ID    SyscallID
	Count uint64
}

type SyscallStatsKeyCgroupID 

type SyscallStatsKeyCgroupID uint64

type TailCall 

type TailCall struct {
	// contains filtered or unexported fields
}

type Tracer 

type Tracer struct {
	// contains filtered or unexported fields
}

func New 

func New(log *logging.Logger, cfg Config) *Tracer

func (*Tracer) ApplyPolicy 

func (t *Tracer) ApplyPolicy(policy *Policy) error

func (*Tracer) Close 

func (t *Tracer) Close() error

func (*Tracer) Events 

func (t *Tracer) Events() <-chan *castpb.Event

func (*Tracer) GetEventName added in v1.4.0 

func (t *Tracer) GetEventName(id events.ID) string

func (*Tracer) IsCgroupMuted 

func (t *Tracer) IsCgroupMuted(cgroup uint64) bool

func (*Tracer) Load 

func (t *Tracer) Load() error

func (*Tracer) MuteEventsFromCgroup 

func (t *Tracer) MuteEventsFromCgroup(cgroup uint64) error

func (*Tracer) MuteEventsFromCgroups 

func (t *Tracer) MuteEventsFromCgroups(cgroups []uint64) error

func (*Tracer) ReadSyscallStats 

func (t *Tracer) ReadSyscallStats() (map[SyscallStatsKeyCgroupID][]SyscallStats, error)

func (*Tracer) Run 

func (t *Tracer) Run(ctx context.Context) error

func (*Tracer) UnmuteEventsFromCgroup 

func (t *Tracer) UnmuteEventsFromCgroup(cgroup uint64) error

func (*Tracer) UnmuteEventsFromCgroups 

func (t *Tracer) UnmuteEventsFromCgroups(cgroups []uint64) error

Source Files

View all Source files

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.