Package derive

v0.19.0
Published: Dec 1, 2023 License: Apache-2.0 Imports: 33 Imported by: 0

Constants

const (
	ProcModules uint32 = 1 << 0 // A hidden module detected by the /proc/modules logic

	NewMod       = 1 << 3  // A new-modules-only scan; without the HiddenModule flag set this is not yet a detection (see newModsCheckForHidden)
	FullScan     = 1 << 30 // Do a full scan; received after a new module was loaded (and finished running its init function)
	HiddenModule = 1 << 31 // Submit the module as an event to user space
)
const (
	IPPROTO_TCP uint8 = 6
	IPPROTO_UDP uint8 = 17
)

Variables

var NetSeqOps = [6]string{
	"tcp4_seq_ops",
	"tcp6_seq_ops",
	"udp_seq_ops",
	"udp6_seq_ops",
	"raw_seq_ops",
	"raw6_seq_ops",
}

NetSeqOps holds the struct names of the interfaces that HookedSeqOpsEventID checks for hooks. The show, start, next and stop operation function pointers are checked for each of them.

var NetSeqOpsFuncs = [4]string{
	"show",
	"start",
	"next",
	"stop",
}

Functions

func ClearModulesState

func ClearModulesState() error

ClearModulesState clears the map (while not scanning)

func FillModulesFromProcFs

func FillModulesFromProcFs() error

FillModulesFromProcFs fills a map with modules from /proc/modules, to be checked in kernel-space for inconsistencies.

func GetWakeupChannelRead

func GetWakeupChannelRead() <-chan ScanRequest

GetWakeupChannelRead returns the reading-end of the channel

func InitHiddenKernelModules

func InitHiddenKernelModules(
	modsMap *bpf.BPFMap,
	newModMap *bpf.BPFMap,
	deletedModMap *bpf.BPFMap,
	insertedModMap *bpf.BPFMap,
) error

InitHiddenKernelModules initializes the module components

func InitHookedSyscall added in v0.17.2

func InitHookedSyscall() error

InitHookedSyscall initializes the LRU cache.

Types

type DeriveFunction

type DeriveFunction func(trace.Event) ([]trace.Event, []error)

DeriveFunction is a function prototype for a function that receives an event as argument and may produce a new event if relevant. It returns a derived or empty event, depending on successful derivation, and an error if one occurred.

func ContainerCreate

func ContainerCreate(cts *containers.Containers) DeriveFunction

ContainerCreate receives a containers.Containers object as a closure argument to track its containers. If it receives a cgroup_mkdir event, it can derive a container_create event from it.

func ContainerRemove

func ContainerRemove(cts *containers.Containers) DeriveFunction

ContainerRemove receives a containers.Containers object as a closure argument to track its containers. If it receives a cgroup_rmdir event, it can derive a container_remove event from it.

func DetectHookedSyscall

func DetectHookedSyscall(kernelSymbols helpers.KernelSymbolTable) DeriveFunction

func HiddenKernelModule

func HiddenKernelModule() DeriveFunction

func HookedSeqOps

func HookedSeqOps(kernelSymbols helpers.KernelSymbolTable) DeriveFunction

func NetPacketDNS

func NetPacketDNS() DeriveFunction

func NetPacketDNSRequest

func NetPacketDNSRequest() DeriveFunction

func NetPacketDNSResponse

func NetPacketDNSResponse() DeriveFunction

func NetPacketHTTP

func NetPacketHTTP() DeriveFunction

func NetPacketHTTPRequest

func NetPacketHTTPRequest() DeriveFunction

func NetPacketHTTPResponse

func NetPacketHTTPResponse() DeriveFunction

func NetPacketICMP

func NetPacketICMP() DeriveFunction

func NetPacketICMPv6

func NetPacketICMPv6() DeriveFunction

func NetPacketIPv4

func NetPacketIPv4() DeriveFunction

func NetPacketIPv6

func NetPacketIPv6() DeriveFunction

func NetPacketTCP

func NetPacketTCP() DeriveFunction

func NetPacketUDP

func NetPacketUDP() DeriveFunction

func SymbolsCollision

func SymbolsCollision(
	soLoader sharedobjs.DynamicSymbolsLoader,
	policies *policy.Policies,
) DeriveFunction

func SymbolsLoaded

func SymbolsLoaded(
	soLoader sharedobjs.DynamicSymbolsLoader,
	policies *policy.Policies,
) DeriveFunction

type ScanRequest

type ScanRequest struct {
	Address uint64
	Flags   uint32
}

ScanRequest is the structure that is passed over the wakeup channel.

type SymbolsCollisionArgsGenerator

type SymbolsCollisionArgsGenerator struct {
	// contains filtered or unexported fields
}

SymbolsCollisionArgsGenerator creates the shared object symbols collisions derived events. To do so, it uses multiple caches to accelerate performance and reduce chances for failure.

type Table

type Table map[events.ID]map[events.ID]struct {
	DeriveFunction DeriveFunction
	Enabled        func() bool
}

Table maps source events to the events they can be derived into, each pairing carrying its DeriveFunction. The Enabled flag is used to skip derivation of unneeded events.

func (Table) DeriveEvent

func (t Table) DeriveEvent(event trace.Event) ([]trace.Event, []error)

DeriveEvent takes a trace.Event and checks whether additional events can be derived from it, as defined by the derivation table.

func (Table) Register

func (t Table) Register(deriveFrom, deriveTo events.ID, deriveCondition func() bool, deriveLogic DeriveFunction) error

Register registers a new derivation handler for the (deriveFrom, deriveTo) pair, guarded by deriveCondition.
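The following is an added, self-contained Go example (not Tracee's own code) that mirrors the documented Table shape: Register fills the two-level map, DeriveEvent honours the Enabled check, and a constructed cgroup_mkdir-to-container_create derivation stands in for the real ContainerCreate logic. EventID, Event, the "/docker/" path rule and the duplicate-registration error are assumptions made for the example.

```go
package main

import (
	"errors"
	"path"
	"strings"
)

// EventID and Event stand in for Tracee's events.ID and trace.Event (assumption).
type EventID int
type Event struct{ ID EventID; Args map[string]string }
const CgroupMkdir, ContainerCreate EventID = 1, 2

// DeriveFunction follows the documented prototype: one event in, zero or more derived events out.
type DeriveFunction func(Event) ([]Event, []error)

// Table maps a source event ID to the IDs it can derive into, as in the package's Table type.
type derivation struct{ DeriveFunction DeriveFunction; Enabled func() bool }
type Table map[EventID]map[EventID]derivation

// Register rejects a duplicate (from, to) pair so two handlers cannot silently compete.
func (t Table) Register(from, to EventID, cond func() bool, logic DeriveFunction) error {
	if _, dup := t[from][to]; dup {
		return errors.New("derivation already registered")
	}
	if t[from] == nil {
		t[from] = map[EventID]derivation{}
	}
	t[from][to] = derivation{DeriveFunction: logic, Enabled: cond}
	return nil
}

// DeriveEvent runs every enabled derivation registered for event.ID and collects the results.
func (t Table) DeriveEvent(event Event) (out []Event, errs []error) {
	for _, d := range t[event.ID] {
		if !d.Enabled() {
			continue // the Enabled check skips derivations no policy asked for
		}
		ev, e := d.DeriveFunction(event)
		out, errs = append(out, ev...), append(errs, e...)
	}
	return out, errs
}

// DeriveContainerCreate is a constructed stand-in for ContainerCreate: only a cgroup under "/docker/" yields an event.
func DeriveContainerCreate(e Event) ([]Event, []error) {
	cg := e.Args["cgroup_path"]
	if !strings.Contains(cg, "/docker/") {
		return nil, nil // not a container cgroup: nothing derived, no error
	}
	return []Event{{ID: ContainerCreate, Args: map[string]string{"container_id": path.Base(cg)}}}, nil
}
```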
