probe

Published: May 13, 2024 License: Apache-2.0 Imports: 81 Imported by: 0

Documentation ¶

Overview ¶

Package probe holds probe-related files.

Package probe holds probe-related files.

Index ¶

Constants ¶

const (
	// EBPFOrigin is the origin value identifying the eBPF probe.
	EBPFOrigin = "ebpf"
	// EBPFLessOrigin is the origin value identifying the eBPF-less probe.
	EBPFLessOrigin = "ebpfless"
)
const (
	// DiscardRetention is the time a discarder is retained without actually discarding. This avoids a race
	// for events still pending in the userspace pipeline that refer to a file already deleted in kernel space.
	// The same value is exported to the eBPF side through DiscarderConstants.
	DiscardRetention = 5 * time.Second
)
const (
	// ServiceEnvVar is the name of the environment variable used to report the service.
	ServiceEnvVar = "DD_SERVICE"
)

Variables ¶

var (
	// SupportedDiscarders lists all fields that support discarders.
	// Package-level mutable map: populated at init time — TODO confirm it is not written concurrently.
	SupportedDiscarders = make(map[eval.Field]bool)
	// SupportedMultiDiscarder lists all supported multi discarders.
	SupportedMultiDiscarder []*rules.MultiDiscarder
)
var (
	// DiscarderConstants lists the eBPF constants related to discarders. The only entry exports
	// DiscardRetention, converted to nanoseconds, under the name "discarder_retention" so that the
	// kernel-side retention window matches the userspace one.
	DiscarderConstants = []manager.ConstantEditor{
		{
			Name:  "discarder_retention",
			Value: uint64(DiscardRetention.Nanoseconds()),
		},
	}
)
// ErrActivityDumpManagerDisabled is returned when the activity dump manager is disabled.
var ErrActivityDumpManagerDisabled = errors.New("ActivityDumpManager is disabled")

ErrActivityDumpManagerDisabled is returned when the activity dump manager is disabled

// ErrSecurityProfileManagerDisabled is returned when the security profile manager is disabled.
var ErrSecurityProfileManagerDisabled = errors.New("SecurityProfileManager is disabled")

ErrSecurityProfileManagerDisabled is returned when the security profile manager is disabled

// InvalidDiscarders exposes, per field, the list of values that are not discarders.
// Every entry is a file path field and they all share dentryInvalidDiscarder, which is
// defined elsewhere in the package (not visible here).
var InvalidDiscarders = map[eval.Field][]string{
	"open.file.path":               dentryInvalidDiscarder,
	"unlink.file.path":             dentryInvalidDiscarder,
	"chmod.file.path":              dentryInvalidDiscarder,
	"chown.file.path":              dentryInvalidDiscarder,
	"mkdir.file.path":              dentryInvalidDiscarder,
	"rmdir.file.path":              dentryInvalidDiscarder,
	"rename.file.path":             dentryInvalidDiscarder,
	"rename.file.destination.path": dentryInvalidDiscarder,
	"utimes.file.path":             dentryInvalidDiscarder,
	"link.file.path":               dentryInvalidDiscarder,
	"link.file.destination.path":   dentryInvalidDiscarder,
	"process.file.path":            dentryInvalidDiscarder,
	"setxattr.file.path":           dentryInvalidDiscarder,
	"removexattr.file.path":        dentryInvalidDiscarder,
	"chdir.file.path":              dentryInvalidDiscarder,
}

InvalidDiscarders exposes, per field, the list of values that are not discarders

Functions ¶

func AppendProbeRequestsToFetcher ¶

func AppendProbeRequestsToFetcher(constantFetcher constantfetch.ConstantFetcher, kv *kernel.Version)

AppendProbeRequestsToFetcher adds the requests for the offset and struct-size constants to the given constant fetcher

func NewAbnormalEvent ¶

func NewAbnormalEvent(id string, description string, event *model.Event, err error) (*rules.Rule, *events.CustomEvent)

NewAbnormalEvent returns the rule and a populated custom event for an abnormal event

func NewEBPFEvent ¶

func NewEBPFEvent(fh *EBPFFieldHandlers) *model.Event

NewEBPFEvent returns a new event

func NewEBPFLessEvent ¶

func NewEBPFLessEvent(fh *EBPFLessFieldHandlers) *model.Event

NewEBPFLessEvent returns a new event

func NewEBPFLessHelloMsgEvent ¶

func NewEBPFLessHelloMsgEvent(msg *ebpfless.HelloMsg, scrubber *procutil.DataScrubber) (*rules.Rule, *events.CustomEvent)

NewEBPFLessHelloMsgEvent returns an eBPFLess hello custom event

func NewEBPFLessModel ¶

func NewEBPFLessModel() *model.Model

NewEBPFLessModel returns a new model with some extra field validation

func NewEBPFModel ¶

func NewEBPFModel(probe *EBPFProbe) *model.Model

NewEBPFModel returns a new model with some extra field validation

func NewEventLostReadEvent ¶

func NewEventLostReadEvent(mapName string, lost float64) (*rules.Rule, *events.CustomEvent)

NewEventLostReadEvent returns the rule and a populated custom event for a lost_events_read event

func NewEventLostWriteEvent ¶

func NewEventLostWriteEvent(mapName string, perEventPerCPU map[string]uint64) (*rules.Rule, *events.CustomEvent)

NewEventLostWriteEvent returns the rule and a populated custom event for a lost_events_write event

Types ¶

type AbnormalEvent ¶

// AbnormalEvent is used to report that a path resolution failed for a suspicious reason.
// easyjson:json
type AbnormalEvent struct {
	events.CustomEventCommonFields
	// Event is the serialized form of the event whose path resolution failed.
	Event *serializers.EventSerializer `json:"triggering_event"`
	// Error is the resolution error, rendered as a string.
	Error string                       `json:"error"`
}

AbnormalEvent is used to report that a path resolution failed for a suspicious reason. Marked easyjson:json for code generation.

func (AbnormalEvent) MarshalEasyJSON ¶

func (v AbnormalEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (AbnormalEvent) ToJSON ¶

func (a AbnormalEvent) ToJSON() ([]byte, error)

ToJSON marshal using json format

func (*AbnormalEvent) UnmarshalEasyJSON ¶

func (v *AbnormalEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type CustomEventHandler ¶

// CustomEventHandler represents a handler for the custom events sent by the probe.
type CustomEventHandler interface {
	// HandleCustomEvent receives the rule that produced the custom event together with the event itself.
	HandleCustomEvent(rule *rules.Rule, event *events.CustomEvent)
}

CustomEventHandler represents a handler for the custom events sent by the probe

type Discarder ¶

// Discarder represents a discarder: a field whose value is known for sure to always be rejected by the rules.
type Discarder struct {
	// Field is the event field the discarder applies to.
	Field eval.Field
}

Discarder represents a discarder: a field whose value we know for sure will always be rejected by the rules

type DiscarderParams ¶

// DiscarderParams describes a discarder map value.
type DiscarderParams struct {
	// EventMask presumably selects the event types the discarder applies to — confirm bit layout against the eBPF side.
	EventMask  uint64                                                                   `yaml:"event_mask"`
	// Timestamps holds one entry per discarder event type, from model.FirstDiscarderEventType to
	// model.LastDiscarderEventType inclusive; not serialized to yaml.
	Timestamps [model.LastDiscarderEventType + 1 - model.FirstDiscarderEventType]uint64 `yaml:"-"`
	// ExpireAt is the discarder expiry timestamp (units not visible here — confirm).
	ExpireAt   uint64                                                                   `yaml:"expire_at"`
	// IsRetained flags a discarder in its retention window (see DiscardRetention) — presumably; confirm.
	IsRetained uint32                                                                   `yaml:"is_retained"`
	// Revision has no yaml tag, so the yaml library's default key applies.
	Revision   uint32
}

DiscarderParams describes a map value

type DiscarderPushedCallback ¶

// DiscarderPushedCallback describes the callback used to retrieve pushed discarder information:
// the event type, the event that produced the discarder and the discarded field.
type DiscarderPushedCallback func(eventType string, event *model.Event, field string)

DiscarderPushedCallback describes the callback used to retrieve information about pushed discarders

type DiscardersDump ¶

// DiscardersDump describes a dump of discarders.
type DiscardersDump struct {
	// Date is the time the dump was taken.
	Date   time.Time                  `yaml:"date"`
	// Inodes lists the inode discarders.
	Inodes []InodeDiscarderDump       `yaml:"inodes"`
	// Pids lists the pid discarders.
	Pids   []PidDiscarderDump         `yaml:"pids"`
	// Stats maps a name (key semantics not visible here) to discarder statistics.
	Stats  map[string]discarder.Stats `yaml:"stats"`
}

DiscardersDump describes a dump of discarders

type EBPFFieldHandlers ¶

// EBPFFieldHandlers defines the set of field handlers used by events of the eBPF probe (see NewEBPFEvent).
type EBPFFieldHandlers struct {
	// contains filtered or unexported fields
}

EBPFFieldHandlers defines a set of field handlers

func (*EBPFFieldHandlers) GetProcessCacheEntry ¶

func (fh *EBPFFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFFieldHandlers) ResolveAsync ¶

func (fh *EBPFFieldHandlers) ResolveAsync(ev *model.Event) bool

ResolveAsync resolves the async flag

func (*EBPFFieldHandlers) ResolveChownGID ¶

func (fh *EBPFFieldHandlers) ResolveChownGID(ev *model.Event, e *model.ChownEvent) string

ResolveChownGID resolves the group id of a chown event to a group name

func (*EBPFFieldHandlers) ResolveChownUID ¶

func (fh *EBPFFieldHandlers) ResolveChownUID(ev *model.Event, e *model.ChownEvent) string

ResolveChownUID resolves the user id of a chown event to a username

func (*EBPFFieldHandlers) ResolveContainerContext ¶

func (fh *EBPFFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)

ResolveContainerContext queries the cgroup resolver to retrieve the ContainerContext of the event

func (*EBPFFieldHandlers) ResolveContainerCreatedAt ¶

func (fh *EBPFFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int

ResolveContainerCreatedAt resolves the container creation time of the event

func (*EBPFFieldHandlers) ResolveContainerID ¶

func (fh *EBPFFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*EBPFFieldHandlers) ResolveContainerTags ¶

func (fh *EBPFFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string

ResolveContainerTags resolves the container tags of the event

func (*EBPFFieldHandlers) ResolveEventTime ¶

func (fh *EBPFFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time

ResolveEventTime resolves the monotonic kernel event timestamp to an absolute time

func (*EBPFFieldHandlers) ResolveEventTimestamp ¶

func (fh *EBPFFieldHandlers) ResolveEventTimestamp(ev *model.Event, e *model.BaseEvent) int

ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time

func (*EBPFFieldHandlers) ResolveFileBasename ¶

func (fh *EBPFFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string

ResolveFileBasename resolves the basename of the file

func (*EBPFFieldHandlers) ResolveFileFieldsGroup ¶

func (fh *EBPFFieldHandlers) ResolveFileFieldsGroup(ev *model.Event, e *model.FileFields) string

ResolveFileFieldsGroup resolves the group id of the file to a group name

func (*EBPFFieldHandlers) ResolveFileFieldsInUpperLayer ¶

func (fh *EBPFFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, f *model.FileFields) bool

ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer

func (*EBPFFieldHandlers) ResolveFileFieldsUser ¶

func (fh *EBPFFieldHandlers) ResolveFileFieldsUser(ev *model.Event, e *model.FileFields) string

ResolveFileFieldsUser resolves the user id of the file to a username

func (*EBPFFieldHandlers) ResolveFileFilesystem ¶

func (fh *EBPFFieldHandlers) ResolveFileFilesystem(ev *model.Event, f *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*EBPFFieldHandlers) ResolveFilePath ¶

func (fh *EBPFFieldHandlers) ResolveFilePath(ev *model.Event, f *model.FileEvent) string

ResolveFilePath resolves the inode to a full path

func (*EBPFFieldHandlers) ResolveHashes ¶

func (fh *EBPFFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string

ResolveHashes resolves the hashes of the requested file event

func (*EBPFFieldHandlers) ResolveHashesFromEvent ¶

func (fh *EBPFFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string

ResolveHashesFromEvent resolves the hashes of the requested event

func (*EBPFFieldHandlers) ResolveK8SGroups ¶

func (fh *EBPFFieldHandlers) ResolveK8SGroups(_ *model.Event, evtCtx *model.UserSessionContext) []string

ResolveK8SGroups resolves the k8s groups of the event

func (*EBPFFieldHandlers) ResolveK8SUID ¶

func (fh *EBPFFieldHandlers) ResolveK8SUID(_ *model.Event, evtCtx *model.UserSessionContext) string

ResolveK8SUID resolves the k8s UID of the event

func (*EBPFFieldHandlers) ResolveK8SUsername ¶

func (fh *EBPFFieldHandlers) ResolveK8SUsername(_ *model.Event, evtCtx *model.UserSessionContext) string

ResolveK8SUsername resolves the k8s username of the event

func (*EBPFFieldHandlers) ResolveModuleArgs ¶

func (fh *EBPFFieldHandlers) ResolveModuleArgs(_ *model.Event, module *model.LoadModuleEvent) string

ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args

func (*EBPFFieldHandlers) ResolveModuleArgv ¶

func (fh *EBPFFieldHandlers) ResolveModuleArgv(_ *model.Event, module *model.LoadModuleEvent) []string

ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution: the values are not scrubbed of sensitive data.

func (*EBPFFieldHandlers) ResolveMountPointPath ¶

func (fh *EBPFFieldHandlers) ResolveMountPointPath(ev *model.Event, e *model.MountEvent) string

ResolveMountPointPath resolves a mount point path

func (*EBPFFieldHandlers) ResolveMountRootPath ¶

func (fh *EBPFFieldHandlers) ResolveMountRootPath(ev *model.Event, e *model.MountEvent) string

ResolveMountRootPath resolves a mount root path

func (*EBPFFieldHandlers) ResolveMountSourcePath ¶

func (fh *EBPFFieldHandlers) ResolveMountSourcePath(ev *model.Event, e *model.MountEvent) string

ResolveMountSourcePath resolves a mount source path

func (*EBPFFieldHandlers) ResolveNetworkDeviceIfName ¶

func (fh *EBPFFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, device *model.NetworkDeviceContext) string

ResolveNetworkDeviceIfName returns the network interface name from the network context

func (*EBPFFieldHandlers) ResolvePackageName ¶

func (fh *EBPFFieldHandlers) ResolvePackageName(ev *model.Event, f *model.FileEvent) string

ResolvePackageName resolves the name of the package providing this file

func (*EBPFFieldHandlers) ResolvePackageSourceVersion ¶

func (fh *EBPFFieldHandlers) ResolvePackageSourceVersion(ev *model.Event, f *model.FileEvent) string

ResolvePackageSourceVersion resolves the version of the source package of the package providing this file

func (*EBPFFieldHandlers) ResolvePackageVersion ¶

func (fh *EBPFFieldHandlers) ResolvePackageVersion(ev *model.Event, f *model.FileEvent) string

ResolvePackageVersion resolves the version of the package providing this file

func (*EBPFFieldHandlers) ResolveProcessArgs ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string

ResolveProcessArgs resolves the args of the event

func (*EBPFFieldHandlers) ResolveProcessArgsFlags ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)

ResolveProcessArgsFlags resolves the arguments flags of the event

func (*EBPFFieldHandlers) ResolveProcessArgsOptions ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)

ResolveProcessArgsOptions resolves the arguments options of the event

func (*EBPFFieldHandlers) ResolveProcessArgsScrubbed ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string

ResolveProcessArgsScrubbed resolves the args of the event

func (*EBPFFieldHandlers) ResolveProcessArgsTruncated ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessArgsTruncated returns whether the args are truncated

func (*EBPFFieldHandlers) ResolveProcessArgv ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string

ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution: the values are not scrubbed of sensitive data.

func (*EBPFFieldHandlers) ResolveProcessArgv0 ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string

ResolveProcessArgv0 resolves the first arg of the event

func (*EBPFFieldHandlers) ResolveProcessArgvScrubbed ¶

func (fh *EBPFFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string

ResolveProcessArgvScrubbed resolves the args of the process as an array

func (*EBPFFieldHandlers) ResolveProcessCacheEntry ¶

func (fh *EBPFFieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFFieldHandlers) ResolveProcessCreatedAt ¶

func (fh *EBPFFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int

ResolveProcessCreatedAt resolves process creation time

func (*EBPFFieldHandlers) ResolveProcessEnvp ¶

func (fh *EBPFFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string

ResolveProcessEnvp resolves the envp of the event as an array

func (*EBPFFieldHandlers) ResolveProcessEnvs ¶

func (fh *EBPFFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string

ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution: the values are not scrubbed of sensitive data.

func (*EBPFFieldHandlers) ResolveProcessEnvsTruncated ¶

func (fh *EBPFFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessEnvsTruncated returns whether the envs are truncated

func (*EBPFFieldHandlers) ResolveRights ¶

func (fh *EBPFFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*EBPFFieldHandlers) ResolveSELinuxBoolName ¶

func (fh *EBPFFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string

ResolveSELinuxBoolName resolves the boolean name of the SELinux event

func (*EBPFFieldHandlers) ResolveService ¶

func (fh *EBPFFieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string

ResolveService returns the service tag based on the process context

func (*EBPFFieldHandlers) ResolveSetgidEGroup ¶

func (fh *EBPFFieldHandlers) ResolveSetgidEGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetgidFSGroup ¶

func (fh *EBPFFieldHandlers) ResolveSetgidFSGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetgidGroup ¶

func (fh *EBPFFieldHandlers) ResolveSetgidGroup(ev *model.Event, e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*EBPFFieldHandlers) ResolveSetuidEUser ¶

func (fh *EBPFFieldHandlers) ResolveSetuidEUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*EBPFFieldHandlers) ResolveSetuidFSUser ¶

func (fh *EBPFFieldHandlers) ResolveSetuidFSUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*EBPFFieldHandlers) ResolveSetuidUser ¶

func (fh *EBPFFieldHandlers) ResolveSetuidUser(ev *model.Event, e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*EBPFFieldHandlers) ResolveUserSessionContext ¶

func (fh *EBPFFieldHandlers) ResolveUserSessionContext(evtCtx *model.UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*EBPFFieldHandlers) ResolveXAttrName ¶

func (fh *EBPFFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrName returns the string representation of the extended attribute name

func (*EBPFFieldHandlers) ResolveXAttrNamespace ¶

func (fh *EBPFFieldHandlers) ResolveXAttrNamespace(ev *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrNamespace returns the string representation of the extended attribute namespace

type EBPFLessFieldHandlers ¶

// EBPFLessFieldHandlers defines the set of field handlers used by events of the eBPF-less probe (see NewEBPFLessEvent).
type EBPFLessFieldHandlers struct {
	// contains filtered or unexported fields
}

EBPFLessFieldHandlers defines a set of field handlers

func (*EBPFLessFieldHandlers) GetProcessCacheEntry ¶

func (fh *EBPFLessFieldHandlers) GetProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

GetProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFLessFieldHandlers) ResolveAsync ¶

func (fh *EBPFLessFieldHandlers) ResolveAsync(ev *model.Event) bool

ResolveAsync resolves the async flag

func (*EBPFLessFieldHandlers) ResolveChownGID ¶

func (fh *EBPFLessFieldHandlers) ResolveChownGID(_ *model.Event, e *model.ChownEvent) string

ResolveChownGID resolves the group id of a chown event to a group name

func (*EBPFLessFieldHandlers) ResolveChownUID ¶

func (fh *EBPFLessFieldHandlers) ResolveChownUID(_ *model.Event, e *model.ChownEvent) string

ResolveChownUID resolves the user id of a chown event to a username

func (*EBPFLessFieldHandlers) ResolveContainerContext ¶

func (fh *EBPFLessFieldHandlers) ResolveContainerContext(ev *model.Event) (*model.ContainerContext, bool)

ResolveContainerContext retrieves the ContainerContext of the event

func (*EBPFLessFieldHandlers) ResolveContainerCreatedAt ¶

func (fh *EBPFLessFieldHandlers) ResolveContainerCreatedAt(ev *model.Event, e *model.ContainerContext) int

ResolveContainerCreatedAt resolves the container creation time of the event

func (*EBPFLessFieldHandlers) ResolveContainerID ¶

func (fh *EBPFLessFieldHandlers) ResolveContainerID(ev *model.Event, e *model.ContainerContext) string

ResolveContainerID resolves the container ID of the event

func (*EBPFLessFieldHandlers) ResolveContainerTags ¶

func (fh *EBPFLessFieldHandlers) ResolveContainerTags(_ *model.Event, e *model.ContainerContext) []string

ResolveContainerTags resolves the container tags of the event

func (*EBPFLessFieldHandlers) ResolveEventTime ¶

func (fh *EBPFLessFieldHandlers) ResolveEventTime(ev *model.Event, _ *model.BaseEvent) time.Time

ResolveEventTime resolves the monotonic kernel event timestamp to an absolute time

func (*EBPFLessFieldHandlers) ResolveEventTimestamp ¶

func (fh *EBPFLessFieldHandlers) ResolveEventTimestamp(_ *model.Event, e *model.BaseEvent) int

ResolveEventTimestamp resolves the monotonic kernel event timestamp to an absolute time

func (*EBPFLessFieldHandlers) ResolveFileBasename ¶

func (fh *EBPFLessFieldHandlers) ResolveFileBasename(_ *model.Event, f *model.FileEvent) string

ResolveFileBasename resolves the basename of the file

func (*EBPFLessFieldHandlers) ResolveFileFieldsGroup ¶

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsGroup(_ *model.Event, e *model.FileFields) string

ResolveFileFieldsGroup resolves the group id of the file to a group name

func (*EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer ¶

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsInUpperLayer(_ *model.Event, e *model.FileFields) bool

ResolveFileFieldsInUpperLayer resolves whether the file is in an upper layer

func (*EBPFLessFieldHandlers) ResolveFileFieldsUser ¶

func (fh *EBPFLessFieldHandlers) ResolveFileFieldsUser(_ *model.Event, e *model.FileFields) string

ResolveFileFieldsUser resolves the user id of the file to a username

func (*EBPFLessFieldHandlers) ResolveFileFilesystem ¶

func (fh *EBPFLessFieldHandlers) ResolveFileFilesystem(_ *model.Event, e *model.FileEvent) string

ResolveFileFilesystem resolves the filesystem a file resides in

func (*EBPFLessFieldHandlers) ResolveFilePath ¶

func (fh *EBPFLessFieldHandlers) ResolveFilePath(_ *model.Event, f *model.FileEvent) string

ResolveFilePath resolves the inode to a full path

func (*EBPFLessFieldHandlers) ResolveHashes ¶

func (fh *EBPFLessFieldHandlers) ResolveHashes(eventType model.EventType, process *model.Process, file *model.FileEvent) []string

ResolveHashes resolves the hash of the provided file

func (*EBPFLessFieldHandlers) ResolveHashesFromEvent ¶

func (fh *EBPFLessFieldHandlers) ResolveHashesFromEvent(ev *model.Event, f *model.FileEvent) []string

ResolveHashesFromEvent resolves the hashes of the requested event

func (*EBPFLessFieldHandlers) ResolveK8SGroups ¶

func (fh *EBPFLessFieldHandlers) ResolveK8SGroups(_ *model.Event, e *model.UserSessionContext) []string

ResolveK8SGroups resolves the k8s groups of the event

func (*EBPFLessFieldHandlers) ResolveK8SUID ¶

func (fh *EBPFLessFieldHandlers) ResolveK8SUID(_ *model.Event, e *model.UserSessionContext) string

ResolveK8SUID resolves the k8s UID of the event

func (*EBPFLessFieldHandlers) ResolveK8SUsername ¶

func (fh *EBPFLessFieldHandlers) ResolveK8SUsername(_ *model.Event, e *model.UserSessionContext) string

ResolveK8SUsername resolves the k8s username of the event

func (*EBPFLessFieldHandlers) ResolveModuleArgs ¶

func (fh *EBPFLessFieldHandlers) ResolveModuleArgs(_ *model.Event, e *model.LoadModuleEvent) string

ResolveModuleArgs resolves the correct args if the arguments were truncated, if not return module.Args

func (*EBPFLessFieldHandlers) ResolveModuleArgv ¶

func (fh *EBPFLessFieldHandlers) ResolveModuleArgv(_ *model.Event, e *model.LoadModuleEvent) []string

ResolveModuleArgv resolves the unscrubbed args of the module as an array. Use with caution: the values are not scrubbed of sensitive data.

func (*EBPFLessFieldHandlers) ResolveMountPointPath ¶

func (fh *EBPFLessFieldHandlers) ResolveMountPointPath(_ *model.Event, e *model.MountEvent) string

ResolveMountPointPath resolves a mount point path

func (*EBPFLessFieldHandlers) ResolveMountRootPath ¶

func (fh *EBPFLessFieldHandlers) ResolveMountRootPath(_ *model.Event, e *model.MountEvent) string

ResolveMountRootPath resolves a mount root path

func (*EBPFLessFieldHandlers) ResolveMountSourcePath ¶

func (fh *EBPFLessFieldHandlers) ResolveMountSourcePath(_ *model.Event, e *model.MountEvent) string

ResolveMountSourcePath resolves a mount source path

func (*EBPFLessFieldHandlers) ResolveNetworkDeviceIfName ¶

func (fh *EBPFLessFieldHandlers) ResolveNetworkDeviceIfName(_ *model.Event, e *model.NetworkDeviceContext) string

ResolveNetworkDeviceIfName returns the network interface name from the network context

func (*EBPFLessFieldHandlers) ResolvePackageName ¶

func (fh *EBPFLessFieldHandlers) ResolvePackageName(_ *model.Event, e *model.FileEvent) string

ResolvePackageName resolves the name of the package providing this file

func (*EBPFLessFieldHandlers) ResolvePackageSourceVersion ¶

func (fh *EBPFLessFieldHandlers) ResolvePackageSourceVersion(_ *model.Event, e *model.FileEvent) string

ResolvePackageSourceVersion resolves the version of the source package of the package providing this file

func (*EBPFLessFieldHandlers) ResolvePackageVersion ¶

func (fh *EBPFLessFieldHandlers) ResolvePackageVersion(_ *model.Event, e *model.FileEvent) string

ResolvePackageVersion resolves the version of the package providing this file

func (*EBPFLessFieldHandlers) ResolveProcessArgs ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgs(ev *model.Event, process *model.Process) string

ResolveProcessArgs resolves the args of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsFlags ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsFlags(ev *model.Event, process *model.Process) (flags []string)

ResolveProcessArgsFlags resolves the arguments flags of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsOptions ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsOptions(ev *model.Event, process *model.Process) (options []string)

ResolveProcessArgsOptions resolves the arguments options of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsScrubbed ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsScrubbed(ev *model.Event, process *model.Process) string

ResolveProcessArgsScrubbed resolves the args of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgsTruncated ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessArgsTruncated returns whether the args are truncated

func (*EBPFLessFieldHandlers) ResolveProcessArgv ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgv(_ *model.Event, process *model.Process) []string

ResolveProcessArgv resolves the unscrubbed args of the process as an array. Use with caution: the values are not scrubbed of sensitive data.

func (*EBPFLessFieldHandlers) ResolveProcessArgv0 ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgv0(_ *model.Event, process *model.Process) string

ResolveProcessArgv0 resolves the first arg of the event

func (*EBPFLessFieldHandlers) ResolveProcessArgvScrubbed ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessArgvScrubbed(_ *model.Event, process *model.Process) []string

ResolveProcessArgvScrubbed resolves the args of the process as an array

func (*EBPFLessFieldHandlers) ResolveProcessCacheEntry ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessCacheEntry(ev *model.Event) (*model.ProcessCacheEntry, bool)

ResolveProcessCacheEntry queries the ProcessResolver to retrieve the ProcessContext of the event

func (*EBPFLessFieldHandlers) ResolveProcessCreatedAt ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessCreatedAt(_ *model.Event, e *model.Process) int

ResolveProcessCreatedAt resolves process creation time

func (*EBPFLessFieldHandlers) ResolveProcessEnvp ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvp(_ *model.Event, process *model.Process) []string

ResolveProcessEnvp resolves the envp of the event as an array

func (*EBPFLessFieldHandlers) ResolveProcessEnvs ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvs(_ *model.Event, process *model.Process) []string

ResolveProcessEnvs resolves the unscrubbed envs of the event. Use with caution: the values are not scrubbed of sensitive data.

func (*EBPFLessFieldHandlers) ResolveProcessEnvsTruncated ¶

func (fh *EBPFLessFieldHandlers) ResolveProcessEnvsTruncated(_ *model.Event, process *model.Process) bool

ResolveProcessEnvsTruncated returns whether the envs are truncated

func (*EBPFLessFieldHandlers) ResolveRights ¶

func (fh *EBPFLessFieldHandlers) ResolveRights(_ *model.Event, e *model.FileFields) int

ResolveRights resolves the rights of a file

func (*EBPFLessFieldHandlers) ResolveSELinuxBoolName ¶

func (fh *EBPFLessFieldHandlers) ResolveSELinuxBoolName(_ *model.Event, e *model.SELinuxEvent) string

ResolveSELinuxBoolName resolves the boolean name of the SELinux event

func (*EBPFLessFieldHandlers) ResolveService ¶

func (fh *EBPFLessFieldHandlers) ResolveService(ev *model.Event, _ *model.BaseEvent) string

ResolveService returns the service tag based on the process context

func (*EBPFLessFieldHandlers) ResolveSetgidEGroup ¶

func (fh *EBPFLessFieldHandlers) ResolveSetgidEGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidEGroup resolves the effective group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetgidFSGroup ¶

func (fh *EBPFLessFieldHandlers) ResolveSetgidFSGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidFSGroup resolves the file-system group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetgidGroup ¶

func (fh *EBPFLessFieldHandlers) ResolveSetgidGroup(_ *model.Event, e *model.SetgidEvent) string

ResolveSetgidGroup resolves the group of the Setgid event

func (*EBPFLessFieldHandlers) ResolveSetuidEUser ¶

func (fh *EBPFLessFieldHandlers) ResolveSetuidEUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidEUser resolves the effective user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSetuidFSUser ¶

func (fh *EBPFLessFieldHandlers) ResolveSetuidFSUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidFSUser resolves the file-system user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveSetuidUser ¶

func (fh *EBPFLessFieldHandlers) ResolveSetuidUser(_ *model.Event, e *model.SetuidEvent) string

ResolveSetuidUser resolves the user of the Setuid event

func (*EBPFLessFieldHandlers) ResolveUserSessionContext ¶

func (fh *EBPFLessFieldHandlers) ResolveUserSessionContext(_ *model.UserSessionContext)

ResolveUserSessionContext resolves and updates the provided user session context

func (*EBPFLessFieldHandlers) ResolveXAttrName ¶

func (fh *EBPFLessFieldHandlers) ResolveXAttrName(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrName returns the string representation of the extended attribute name

func (*EBPFLessFieldHandlers) ResolveXAttrNamespace ¶

func (fh *EBPFLessFieldHandlers) ResolveXAttrNamespace(_ *model.Event, e *model.SetXAttrEvent) string

ResolveXAttrNamespace returns the string representation of the extended attribute namespace

type EBPFLessHelloMsgEvent ¶

// EBPFLessHelloMsgEvent defines a hello message custom event.
// easyjson:json
type EBPFLessHelloMsgEvent struct {
	events.CustomEventCommonFields

	// NSID is the namespace id carried by the hello message.
	NSID      uint64 `json:"nsid,omitempty"`
	// Container describes the container the hello message originates from.
	Container struct {
		ID             string `json:"id,omitempty"`
		Name           string `json:"name,omitempty"`
		// ImageShortName is serialized under the key "short_name".
		ImageShortName string `json:"short_name,omitempty"`
		ImageTag       string `json:"image_tag,omitempty"`
	} `json:"container,omitempty"`
	// EntrypointArgs holds the entrypoint arguments, serialized under the key "args".
	// NewEBPFLessHelloMsgEvent takes a procutil.DataScrubber, presumably applied to these args
	// before they are exported — confirm before relying on it.
	EntrypointArgs []string `json:"args,omitempty"`
}

EBPFLessHelloMsgEvent defines a hello message. Marked easyjson:json for code generation.

func (EBPFLessHelloMsgEvent) MarshalEasyJSON ¶

func (v EBPFLessHelloMsgEvent) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EBPFLessHelloMsgEvent) ToJSON ¶

func (e EBPFLessHelloMsgEvent) ToJSON() ([]byte, error)

ToJSON marshals the event using the json format

func (*EBPFLessHelloMsgEvent) UnmarshalEasyJSON ¶

func (v *EBPFLessHelloMsgEvent) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EBPFLessProbe ¶

// EBPFLessProbe defines an eBPF less probe. It provides every method of the
// PlatformProbe interface.
type EBPFLessProbe struct {
	// Embedded lock; a struct holding a Mutex must not be copied, so the probe
	// is always handled through *EBPFLessProbe.
	sync.Mutex

	// Resolvers are the eBPF-less resolvers used to resolve event fields.
	Resolvers *resolvers.EBPFLessResolvers
	// contains filtered or unexported fields
}

EBPFLessProbe defines an eBPF less probe

func NewEBPFLessProbe ¶

func NewEBPFLessProbe(probe *Probe, config *config.Config, opts Opts) (*EBPFLessProbe, error)

NewEBPFLessProbe returns a new eBPF less probe

func (*EBPFLessProbe) AddDiscarderPushedCallback ¶

func (p *EBPFLessProbe) AddDiscarderPushedCallback(_ DiscarderPushedCallback)

AddDiscarderPushedCallback adds a callback to the list of functions that have to be called when a discarder is pushed to the kernel

func (*EBPFLessProbe) ApplyRuleSet ¶

func (p *EBPFLessProbe) ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet applies the new ruleset

func (*EBPFLessProbe) Close ¶

func (p *EBPFLessProbe) Close() error

Close the probe

func (*EBPFLessProbe) DispatchEvent ¶

func (p *EBPFLessProbe) DispatchEvent(event *model.Event)

DispatchEvent sends an event to the probe event handler

func (*EBPFLessProbe) DumpDiscarders ¶

func (p *EBPFLessProbe) DumpDiscarders() (string, error)

DumpDiscarders dumps the discarders

func (*EBPFLessProbe) DumpProcessCache ¶

func (p *EBPFLessProbe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*EBPFLessProbe) FlushDiscarders ¶

func (p *EBPFLessProbe) FlushDiscarders() error

FlushDiscarders flushes the discarders

func (*EBPFLessProbe) GetClientsCount ¶

func (p *EBPFLessProbe) GetClientsCount() int

GetClientsCount returns the number of connected clients

func (*EBPFLessProbe) GetEventTags ¶

func (p *EBPFLessProbe) GetEventTags(containerID string) []string

GetEventTags returns the event tags

func (*EBPFLessProbe) GetFieldHandlers ¶

func (p *EBPFLessProbe) GetFieldHandlers() model.FieldHandlers

GetFieldHandlers returns the field handlers

func (*EBPFLessProbe) HandleActions ¶

func (p *EBPFLessProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)

HandleActions handles the rule actions

func (*EBPFLessProbe) Init ¶

func (p *EBPFLessProbe) Init() error

Init the probe

func (*EBPFLessProbe) NewEvent ¶

func (p *EBPFLessProbe) NewEvent() *model.Event

NewEvent returns a new event

func (*EBPFLessProbe) NewModel ¶

func (p *EBPFLessProbe) NewModel() *model.Model

NewModel returns a new Model

func (*EBPFLessProbe) OnNewDiscarder ¶

func (p *EBPFLessProbe) OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)

OnNewDiscarder handles discarders

func (*EBPFLessProbe) SendStats ¶

func (p *EBPFLessProbe) SendStats() error

SendStats sends the stats

func (*EBPFLessProbe) Setup ¶

func (p *EBPFLessProbe) Setup() error

Setup the probe

func (*EBPFLessProbe) Snapshot ¶

func (p *EBPFLessProbe) Snapshot() error

Snapshot the already existing entities

func (*EBPFLessProbe) Start ¶

func (p *EBPFLessProbe) Start() error

Start the probe

func (*EBPFLessProbe) Stop ¶

func (p *EBPFLessProbe) Stop()

Stop the probe

type EBPFMonitors ¶

// EBPFMonitors regroups all the work we want to do to monitor the probes we
// pushed in the kernel. Instances are created with NewEBPFMonitors and must be
// initialized with Init before ProcessEvent / SendStats are used.
type EBPFMonitors struct {
	// contains filtered or unexported fields
}

EBPFMonitors regroups all the work we want to do to monitor the probes we pushed in the kernel

func NewEBPFMonitors ¶

func NewEBPFMonitors(p *EBPFProbe) *EBPFMonitors

NewEBPFMonitors returns a new instance of a ProbeMonitor

func (*EBPFMonitors) GetEventStreamMonitor ¶

func (m *EBPFMonitors) GetEventStreamMonitor() *eventstream.Monitor

GetEventStreamMonitor returns the perf buffer monitor

func (*EBPFMonitors) Init ¶

func (m *EBPFMonitors) Init() error

Init initializes the monitor

func (*EBPFMonitors) ProcessEvent ¶

func (m *EBPFMonitors) ProcessEvent(event *model.Event)

ProcessEvent processes an event through the various monitors and controllers of the probe

func (*EBPFMonitors) SendStats ¶

func (m *EBPFMonitors) SendStats() error

SendStats sends statistics about the probe to Datadog

type EBPFProbe ¶

// EBPFProbe defines a platform probe backed by eBPF programs. It provides
// every method of the PlatformProbe interface.
type EBPFProbe struct {
	// Resolvers are the eBPF resolvers used to resolve event fields.
	Resolvers *resolvers.EBPFResolvers

	// Manager is the eBPF manager; presumably it owns the loaded programs and
	// maps (it is also the type DiscarderConstants are fed to).
	Manager *manager.Manager

	// Approvers / discarders section
	// Erpc is the eRPC endpoint used by this section; presumably the channel
	// through which user space pushes approver/discarder state to the kernel —
	// confirm against the erpc package.
	Erpc *erpc.ERPC
	// contains filtered or unexported fields
}

EBPFProbe defines a platform probe

func NewEBPFProbe ¶

func NewEBPFProbe(probe *Probe, config *config.Config, opts Opts, wmeta optional.Option[workloadmeta.Component]) (*EBPFProbe, error)

NewEBPFProbe instantiates a new runtime security agent probe

func (*EBPFProbe) AddActivityDumpHandler ¶

func (p *EBPFProbe) AddActivityDumpHandler(handler dump.ActivityDumpHandler)

AddActivityDumpHandler sets the probe activity dump handler

func (*EBPFProbe) AddDiscarderPushedCallback ¶

func (p *EBPFProbe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)

AddDiscarderPushedCallback adds a callback to the list of functions that have to be called when a discarder is pushed to the kernel

func (*EBPFProbe) ApplyFilterPolicy ¶

func (p *EBPFProbe) ApplyFilterPolicy(eventType eval.EventType, mode kfilters.PolicyMode, flags kfilters.PolicyFlag) error

ApplyFilterPolicy is called when a passing policy for an event type is applied

func (*EBPFProbe) ApplyRuleSet ¶

func (p *EBPFProbe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet applies the required updates to handle the new ruleset

func (*EBPFProbe) Close ¶

func (p *EBPFProbe) Close() error

Close the probe

func (*EBPFProbe) DispatchEvent ¶

func (p *EBPFProbe) DispatchEvent(event *model.Event)

DispatchEvent sends an event to the probe event handler

func (*EBPFProbe) DumpDiscarders ¶

func (p *EBPFProbe) DumpDiscarders() (string, error)

DumpDiscarders dumps the discarders

func (*EBPFProbe) DumpProcessCache ¶

func (p *EBPFProbe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*EBPFProbe) EventMarshallerCtor ¶

func (p *EBPFProbe) EventMarshallerCtor(event *model.Event) func() events.EventMarshaler

EventMarshallerCtor returns the event marshaller ctor

func (*EBPFProbe) FlushDiscarders ¶

func (p *EBPFProbe) FlushDiscarders() error

FlushDiscarders flushes the discarders

func (*EBPFProbe) FlushNetworkNamespace ¶

func (p *EBPFProbe) FlushNetworkNamespace(namespace *netns.NetworkNamespace)

FlushNetworkNamespace removes all references and stops all TC programs in the provided network namespace. This method flushes the network namespace in the network namespace resolver as well.

func (*EBPFProbe) GetConstantFetcherStatus ¶

func (p *EBPFProbe) GetConstantFetcherStatus() (*constantfetch.ConstantFetcherStatus, error)

GetConstantFetcherStatus returns the status of the constant fetcher associated with this probe

func (*EBPFProbe) GetDiscarders ¶

func (p *EBPFProbe) GetDiscarders() (*DiscardersDump, error)

GetDiscarders retrieves the discarders

func (*EBPFProbe) GetEventTags ¶

func (p *EBPFProbe) GetEventTags(containerID string) []string

GetEventTags returns the event tags

func (*EBPFProbe) GetFieldHandlers ¶

func (p *EBPFProbe) GetFieldHandlers() model.FieldHandlers

GetFieldHandlers returns the field handlers

func (*EBPFProbe) GetKernelVersion ¶

func (p *EBPFProbe) GetKernelVersion() *kernel.Version

GetKernelVersion computes and returns the running kernel version

func (*EBPFProbe) GetMonitors ¶

func (p *EBPFProbe) GetMonitors() *EBPFMonitors

GetMonitors returns the monitor of the probe

func (*EBPFProbe) GetOffsetConstants ¶

func (p *EBPFProbe) GetOffsetConstants() (map[string]uint64, error)

GetOffsetConstants returns the offsets and struct sizes constants

func (*EBPFProbe) GetProfileManagers ¶

func (p *EBPFProbe) GetProfileManagers() *SecurityProfileManagers

GetProfileManagers returns the security profile managers

func (*EBPFProbe) HandleActions ¶

func (p *EBPFProbe) HandleActions(ctx *eval.Context, rule *rules.Rule)

HandleActions handles the rule actions

func (*EBPFProbe) Init ¶

func (p *EBPFProbe) Init() error

Init initializes the probe

func (*EBPFProbe) IsRuntimeCompiled ¶

func (p *EBPFProbe) IsRuntimeCompiled() bool

IsRuntimeCompiled returns true if the eBPF programs were successfully runtime compiled

func (*EBPFProbe) NewEvent ¶

func (p *EBPFProbe) NewEvent() *model.Event

NewEvent returns a new event

func (*EBPFProbe) NewModel ¶

func (p *EBPFProbe) NewModel() *model.Model

NewModel returns a new Model

func (*EBPFProbe) OnNewDiscarder ¶

func (p *EBPFProbe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)

OnNewDiscarder handles new discarders

func (*EBPFProbe) RefreshUserCache ¶

func (p *EBPFProbe) RefreshUserCache(containerID string) error

RefreshUserCache refreshes the user cache

func (*EBPFProbe) SendStats ¶

func (p *EBPFProbe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*EBPFProbe) SetApprovers ¶

func (p *EBPFProbe) SetApprovers(eventType eval.EventType, approvers rules.Approvers) error

SetApprovers applies approvers and removes the unused ones

func (*EBPFProbe) Setup ¶

func (p *EBPFProbe) Setup() error

Setup the probe

func (*EBPFProbe) Snapshot ¶

func (p *EBPFProbe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*EBPFProbe) Start ¶

func (p *EBPFProbe) Start() error

Start the probe

func (*EBPFProbe) Stop ¶

func (p *EBPFProbe) Stop()

Stop the probe

func (*EBPFProbe) UseRingBuffers ¶

func (p *EBPFProbe) UseRingBuffers() bool

UseRingBuffers returns true if eBPF ring buffers are supported and used

func (*EBPFProbe) VerifyEnvironment ¶

func (p *EBPFProbe) VerifyEnvironment() *multierror.Error

VerifyEnvironment returns an error if the current environment seems to be misconfigured

func (*EBPFProbe) VerifyOSVersion ¶

func (p *EBPFProbe) VerifyOSVersion() error

VerifyOSVersion returns an error if the current kernel version is not supported

type ErrDiscarderNotSupported ¶

// ErrDiscarderNotSupported is returned when trying to discover a discarder on a
// field that doesn't support them. It is a value type: compare it with
// errors.As rather than by pointer.
type ErrDiscarderNotSupported struct {
	// Field is the event field on which a discarder was requested.
	Field string
}

ErrDiscarderNotSupported is returned when trying to discover a discarder on a field that doesn't support them

func (ErrDiscarderNotSupported) Error ¶

func (e ErrDiscarderNotSupported) Error() string

type EventHandler ¶

// EventHandler represents a handler for events sent by the probe. The handler
// makes a copy of the event upon receipt (via Copy), which is what lets the
// probe reuse its *model.Event after dispatch.
type EventHandler interface {
	// HandleEvent processes one event; presumably the value produced by Copy —
	// confirm with Probe.DispatchEvent.
	HandleEvent(event any)
	// Copy returns the handler-owned copy of the probe event.
	Copy(_ *model.Event) any
}

EventHandler represents a handler for events sent by the probe. This handler makes a copy of the event upon receipt

type EventLostRead ¶

// EventLostRead is the event used to report lost events detected from user
// space. It is serialized with easyjson.
type EventLostRead struct {
	events.CustomEventCommonFields
	// Name is the name of the map the events were lost from; emitted as "map".
	Name string  `json:"map"`
	// Lost is the number of lost events; emitted as "lost".
	Lost float64 `json:"lost"`
}

EventLostRead is the event used to report lost events detected from user space easyjson:json

func (EventLostRead) MarshalEasyJSON ¶

func (v EventLostRead) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventLostRead) ToJSON ¶

func (e EventLostRead) ToJSON() ([]byte, error)

ToJSON marshals the event using the json format

func (*EventLostRead) UnmarshalEasyJSON ¶

func (v *EventLostRead) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EventLostWrite ¶

// EventLostWrite is the event used to report lost events detected from kernel
// space. It is serialized with easyjson.
type EventLostWrite struct {
	events.CustomEventCommonFields
	// Name is the name of the map the events were lost from; emitted as "map".
	Name string            `json:"map"`
	// Lost holds the lost-event counts; emitted as "per_event", which suggests
	// the keys are event types — confirm with the producer.
	Lost map[string]uint64 `json:"per_event"`
}

EventLostWrite is the event used to report lost events detected from kernel space easyjson:json

func (EventLostWrite) MarshalEasyJSON ¶

func (v EventLostWrite) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (EventLostWrite) ToJSON ¶

func (e EventLostWrite) ToJSON() ([]byte, error)

ToJSON marshals the event using the json format

func (*EventLostWrite) UnmarshalEasyJSON ¶

func (v *EventLostWrite) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EventStream ¶

// EventStream describes the interface implemented by reordered perf maps or
// ring buffers, i.e. the kernel -> user space event transport of the probe.
type EventStream interface {
	// Init prepares the stream against the eBPF manager and probe config.
	Init(*manager.Manager, *pconfig.Config) error
	// SetMonitor registers the counter that receives lost-event reports.
	SetMonitor(eventstream.LostEventCounter)
	// Start begins consuming events; the WaitGroup lets the caller wait for
	// the stream goroutine(s) to finish.
	Start(*sync.WaitGroup) error
	// Pause / Resume temporarily stop and restart consumption.
	Pause() error
	Resume() error
}

EventStream describes the interface implemented by reordered perf maps or ring buffers

type FullAccessEventHandler ¶

// FullAccessEventHandler represents a handler for events sent by the probe that
// needs access to all the fields in the SECL model. Unlike EventHandler it
// receives the probe's *model.Event directly rather than a copy (registered via
// Probe.AddFullAccessEventHandler).
type FullAccessEventHandler interface {
	HandleEvent(event *model.Event)
}

FullAccessEventHandler represents a handler for events sent by the probe that needs access to all the fields in the SECL model

type InodeDiscarderDump ¶

// InodeDiscarderDump describes a dump of an inode discarder, as produced by
// DumpDiscarders / GetDiscarders. The yaml tags are the dump format.
type InodeDiscarderDump struct {
	// Index is the position of the entry in the dump.
	Index                int `yaml:"index"`
	InodeDiscarderParams `yaml:"value"`
	// FilePath is the resolved path of the discarded inode.
	FilePath             string `yaml:"path"`
	// Inode has no yaml tag, so it is emitted under the yaml library's default
	// key for the field name rather than an explicit one like the others.
	Inode                uint64
	MountID              uint32 `yaml:"mount_id"`
}

InodeDiscarderDump describes a dump of an inode discarder

type InodeDiscarderEntry ¶

// InodeDiscarderEntry describes a map entry keyed by inode and mount id.
type InodeDiscarderEntry struct {
	Inode     uint64
	MountID   uint32
	// Timestamp presumably records when the discarder was added (see
	// DiscardRetention) — confirm against the kernel-side definition.
	Timestamp uint64
}

InodeDiscarderEntry describes a map entry

type InodeDiscarderMapEntry ¶

// InodeDiscarderMapEntry describes a map entry. The explicit Padding field
// indicates the layout is meant to mirror a kernel-side struct byte for byte;
// any change here must be kept in sync with the eBPF definition — confirm
// which one before editing.
type InodeDiscarderMapEntry struct {
	PathKey model.PathKey
	IsLeaf  uint32
	// Padding keeps the struct size/alignment identical to the kernel side.
	Padding uint32
}

InodeDiscarderMapEntry describes a map entry

type InodeDiscarderParams ¶

// InodeDiscarderParams describes a map value for inode discarders; it embeds
// the common DiscarderParams and adds a revision.
type InodeDiscarderParams struct {
	DiscarderParams `yaml:"params"`
	// Revision is presumably bumped when the discarder is re-pushed so stale
	// entries can be told apart — confirm against the kernel-side definition.
	Revision        uint32
}

InodeDiscarderParams describes a map value

type JKillActionReport ¶

// JKillActionReport is the JSON form of a kill action report, serialized with
// easyjson. The json tags are the wire format; see KillActionReport for the
// in-memory representation.
type JKillActionReport struct {
	Type       string              `json:"type"`
	Signal     string              `json:"signal"`
	Scope      string              `json:"scope"`
	CreatedAt  utils.EasyjsonTime  `json:"created_at"`
	DetectedAt utils.EasyjsonTime  `json:"detected_at"`
	KilledAt   utils.EasyjsonTime  `json:"killed_at"`
	// ExitedAt is a pointer so that it can be omitted while the process has
	// not exited yet.
	ExitedAt   *utils.EasyjsonTime `json:"exited_at,omitempty"`
	// TTR is omitted when empty; presumably the time-to-react rendered as a
	// string — confirm with KillActionReport.ToJSON.
	TTR        string              `json:"ttr,omitempty"`
}

JKillActionReport is used to serialize data easyjson:json

func (JKillActionReport) MarshalEasyJSON ¶

func (v JKillActionReport) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*JKillActionReport) UnmarshalEasyJSON ¶

func (v *JKillActionReport) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KillActionReport ¶

// KillActionReport defines a kill action report. It embeds an RWMutex, so it
// must be shared by pointer (ProcessKiller.AddPendingReports takes
// *KillActionReport) and never copied.
type KillActionReport struct {
	sync.RWMutex

	Signal     string
	Scope      string
	// Pid is the process the kill action targeted.
	Pid        uint32
	CreatedAt  time.Time
	DetectedAt time.Time
	KilledAt   time.Time
	// ExitedAt is presumably left at its zero value until the process exit is
	// observed (see ProcessKiller.HandleProcessExited) — confirm.
	ExitedAt   time.Time
	// contains filtered or unexported fields
}

KillActionReport defines a kill action report

func (*KillActionReport) ToJSON ¶

func (k *KillActionReport) ToJSON() ([]byte, bool, error)

ToJSON marshals the action

type Opts ¶

// Opts defines some probe options; the zero value is a usable default for
// every field that is not a required dependency.
type Opts struct {
	// DontDiscardRuntime do not discard the runtime. Mostly used by functional tests
	DontDiscardRuntime bool
	// StatsdClient to be used for probe stats
	StatsdClient statsd.ClientInterface
	// PathResolutionEnabled defines if the path resolution is enabled
	PathResolutionEnabled bool
	// TagsResolver will override the default one. Mainly here for tests.
	TagsResolver tags.Resolver
	// SyscallsMonitorEnabled enable syscalls map monitor
	SyscallsMonitorEnabled bool
	// TTYFallbackEnabled enable the tty procfs fallback
	TTYFallbackEnabled bool
	// EBPFLessEnabled use ebpfless source (EBPFLessProbe) instead of the eBPF one
	EBPFLessEnabled bool
}

Opts defines some probe options

type PidDiscarderDump ¶

// PidDiscarderDump describes a dump of a pid discarder. The yaml tags are the
// dump format, matching InodeDiscarderDump.
type PidDiscarderDump struct {
	// Index is the position of the entry in the dump.
	Index              int `yaml:"index"`
	PidDiscarderParams `yaml:"value"`
}

PidDiscarderDump describes a dump of a pid discarder

type PidDiscarderParams ¶

// PidDiscarderParams describes a map value for pid discarders; it only
// carries the common DiscarderParams.
type PidDiscarderParams struct {
	DiscarderParams `yaml:"params"`
}

PidDiscarderParams describes a map value

type PlatformProbe ¶

// PlatformProbe defines a platform dependent probe. EBPFProbe and EBPFLessProbe
// both provide every method listed here; Probe delegates to it through its
// PlatformProbe field.
type PlatformProbe interface {
	// Lifecycle, in the order Probe drives it: Setup, Init, Start, Stop, Close.
	Setup() error
	Init() error
	Start() error
	Stop()
	SendStats() error
	// Snapshot syncs the resolvers with the current state of the system.
	Snapshot() error
	Close() error
	NewModel() *model.Model
	// Discarder management.
	DumpDiscarders() (string, error)
	FlushDiscarders() error
	ApplyRuleSet(_ *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)
	OnNewDiscarder(_ *rules.RuleSet, _ *model.Event, _ eval.Field, _ eval.EventType)
	// HandleActions runs the actions of a triggered rule.
	HandleActions(_ *eval.Context, _ *rules.Rule)
	NewEvent() *model.Event
	GetFieldHandlers() model.FieldHandlers
	// DumpProcessCache dumps the process cache, with arguments when the flag is set.
	DumpProcessCache(_ bool) (string, error)
	AddDiscarderPushedCallback(_ DiscarderPushedCallback)
	// GetEventTags returns the tags for the given container id.
	GetEventTags(_ string) []string
}

PlatformProbe defines a platform-dependent probe

type Probe ¶

// Probe represents the runtime security eBPF probe in charge of setting up the
// required kProbes and decoding events sent from the kernel. Platform-specific
// work is delegated to PlatformProbe (EBPFProbe or EBPFLessProbe, chosen by
// Opts.EBPFLessEnabled).
type Probe struct {
	// PlatformProbe is the platform dependent implementation the probe
	// delegates to.
	PlatformProbe PlatformProbe

	// Constants and configuration
	Opts         Opts
	Config       *config.Config
	// StatsdClient is the client used to report probe stats.
	StatsdClient statsd.ClientInterface
	// contains filtered or unexported fields
}

Probe represents the runtime security eBPF probe in charge of setting up the required kProbes and decoding events sent from the kernel

func NewProbe ¶

func NewProbe(config *config.Config, opts Opts, wmeta optional.Option[workloadmeta.Component]) (*Probe, error)

NewProbe instantiates a new runtime security agent probe

func (*Probe) AddCustomEventHandler ¶

func (p *Probe) AddCustomEventHandler(eventType model.EventType, handler CustomEventHandler) error

AddCustomEventHandler sets the probe event handler

func (*Probe) AddDiscarderPushedCallback ¶

func (p *Probe) AddDiscarderPushedCallback(cb DiscarderPushedCallback)

AddDiscarderPushedCallback adds a callback to the list of functions that have to be called when a discarder is pushed to the kernel

func (*Probe) AddEventHandler ¶

func (p *Probe) AddEventHandler(eventType model.EventType, handler EventHandler) error

AddEventHandler sets a probe event handler

func (*Probe) AddFullAccessEventHandler ¶

func (p *Probe) AddFullAccessEventHandler(handler FullAccessEventHandler) error

AddFullAccessEventHandler sets a probe event handler for the UnknownEventType which requires access to all the struct fields

func (*Probe) ApplyRuleSet ¶

func (p *Probe) ApplyRuleSet(rs *rules.RuleSet) (*kfilters.ApplyRuleSetReport, error)

ApplyRuleSet sets up the probes for the provided set of rules and returns the policy report.

func (*Probe) Close ¶

func (p *Probe) Close() error

Close the probe

func (*Probe) DispatchCustomEvent ¶

func (p *Probe) DispatchCustomEvent(rule *rules.Rule, event *events.CustomEvent)

DispatchCustomEvent sends a custom event to the probe event handler

func (*Probe) DumpDiscarders ¶

func (p *Probe) DumpDiscarders() (string, error)

DumpDiscarders removes all the discarders

func (*Probe) DumpProcessCache ¶

func (p *Probe) DumpProcessCache(withArgs bool) (string, error)

DumpProcessCache dumps the process cache

func (*Probe) FlushDiscarders ¶

func (p *Probe) FlushDiscarders() error

FlushDiscarders invalidates all the discarders

func (*Probe) GetDebugStats ¶

func (p *Probe) GetDebugStats() map[string]interface{}

GetDebugStats returns the debug stats

func (*Probe) GetEventTags ¶

func (p *Probe) GetEventTags(containerID string) []string

GetEventTags returns the event tags

func (*Probe) GetService ¶

func (p *Probe) GetService(ev *model.Event) string

GetService returns the service name from the process tree

func (*Probe) HandleActions ¶

func (p *Probe) HandleActions(rule *rules.Rule, event eval.Event)

HandleActions executes the actions of a triggered rule

func (*Probe) Init ¶

func (p *Probe) Init() error

Init initializes the probe

func (*Probe) IsActivityDumpEnabled ¶

func (p *Probe) IsActivityDumpEnabled() bool

IsActivityDumpEnabled returns whether activity dump is enabled

func (*Probe) IsActivityDumpTagRulesEnabled ¶

func (p *Probe) IsActivityDumpTagRulesEnabled() bool

IsActivityDumpTagRulesEnabled returns whether rule tags is enabled for activity dumps

func (*Probe) IsNetworkEnabled ¶

func (p *Probe) IsNetworkEnabled() bool

IsNetworkEnabled returns whether network is enabled

func (*Probe) IsSecurityProfileEnabled ¶

func (p *Probe) IsSecurityProfileEnabled() bool

IsSecurityProfileEnabled returns whether security profile is enabled

func (*Probe) NewEvaluationSet ¶

func (p *Probe) NewEvaluationSet(eventTypeEnabled map[eval.EventType]bool, ruleSetTagValues []string) (*rules.EvaluationSet, error)

NewEvaluationSet returns a new evaluation set with rule sets tagged by the passed-in tag values for the "ruleset" tag key

func (*Probe) OnNewDiscarder ¶

func (p *Probe) OnNewDiscarder(rs *rules.RuleSet, ev *model.Event, field eval.Field, eventType eval.EventType)

OnNewDiscarder is called when a new discarder is found

func (*Probe) Origin ¶

func (p *Probe) Origin() string

Origin returns the probe origin

func (*Probe) SendStats ¶

func (p *Probe) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*Probe) Setup ¶

func (p *Probe) Setup() error

Setup the runtime security probe

func (*Probe) Snapshot ¶

func (p *Probe) Snapshot() error

Snapshot runs the different snapshot functions of the resolvers that require to sync with the current state of the system

func (*Probe) Start ¶

func (p *Probe) Start() error

Start plays the snapshot data and then starts the event stream

func (*Probe) StatsPollingInterval ¶

func (p *Probe) StatsPollingInterval() time.Duration

StatsPollingInterval returns the stats polling interval

func (*Probe) Stop ¶

func (p *Probe) Stop()

Stop the probe

type ProcessKiller ¶

// ProcessKiller defines a process killer structure: it performs kill actions
// (KillAndReport / KillFromUserspace) and tracks the pending KillActionReports
// until the process exit is observed. It embeds a Mutex and must not be copied.
type ProcessKiller struct {
	sync.Mutex
	// contains filtered or unexported fields
}

ProcessKiller defines a process killer structure

func NewProcessKiller ¶

func NewProcessKiller() *ProcessKiller

NewProcessKiller returns a new ProcessKiller

func (*ProcessKiller) AddPendingReports ¶

func (p *ProcessKiller) AddPendingReports(report *KillActionReport)

AddPendingReports adds a pending report

func (*ProcessKiller) FlushPendingReports ¶

func (p *ProcessKiller) FlushPendingReports()

FlushPendingReports flushes the pending reports

func (*ProcessKiller) HandleProcessExited ¶

func (p *ProcessKiller) HandleProcessExited(event *model.Event)

HandleProcessExited handles process exited events

func (*ProcessKiller) KillAndReport ¶

func (p *ProcessKiller) KillAndReport(scope string, signal string, ev *model.Event, killFnc func(pid uint32, sig uint32) error)

KillAndReport kills the process and reports the action

func (*ProcessKiller) KillFromUserspace ¶

func (p *ProcessKiller) KillFromUserspace(pid uint32, sig uint32, ev *model.Event) error

KillFromUserspace tries to kill from userspace

type QueuedNetworkDeviceError ¶

// QueuedNetworkDeviceError is used to indicate that the new network device was
// queued until its namespace handle is resolved. It is informational rather
// than fatal; callers can detect it with errors.As.
type QueuedNetworkDeviceError struct {
	// contains filtered or unexported fields
}

QueuedNetworkDeviceError is used to indicate that the new network device was queued until its namespace handle is resolved.

func (QueuedNetworkDeviceError) Error ¶

func (err QueuedNetworkDeviceError) Error() string

type SecurityProfileManagers ¶

// SecurityProfileManagers holds the security profile managers (the activity
// dump manager and the security profile manager). Build it with
// NewSecurityProfileManagers and run it with Start.
type SecurityProfileManagers struct {
	// contains filtered or unexported fields
}

SecurityProfileManagers holds the security profile managers

func NewSecurityProfileManagers ¶

func NewSecurityProfileManagers(p *EBPFProbe) (*SecurityProfileManagers, error)

NewSecurityProfileManagers returns a new manager object

func (*SecurityProfileManagers) AddActivityDumpHandler ¶

func (spm *SecurityProfileManagers) AddActivityDumpHandler(handler dump.ActivityDumpHandler)

AddActivityDumpHandler adds a handler

func (*SecurityProfileManagers) DumpActivity ¶

DumpActivity handles an activity dump request

func (*SecurityProfileManagers) GenerateTranscoding ¶

GenerateTranscoding encodes an activity dump following the input parameters

func (*SecurityProfileManagers) GetActivityDumpManager ¶

func (spm *SecurityProfileManagers) GetActivityDumpManager() *dump.ActivityDumpManager

GetActivityDumpManager returns the activity dump manager

func (*SecurityProfileManagers) GetActivityDumpTracedEventTypes ¶

func (spm *SecurityProfileManagers) GetActivityDumpTracedEventTypes() []model.EventType

GetActivityDumpTracedEventTypes returns traced event types

func (*SecurityProfileManagers) GetSecurityProfileManager ¶

func (spm *SecurityProfileManagers) GetSecurityProfileManager() *profile.SecurityProfileManager

GetSecurityProfileManager returns the security profile manager

func (*SecurityProfileManagers) ListActivityDumps ¶

ListActivityDumps returns the list of active dumps

func (*SecurityProfileManagers) ListSecurityProfiles ¶

ListSecurityProfiles lists the profiles

func (*SecurityProfileManagers) SaveSecurityProfile ¶

SaveSecurityProfile saves a security profile

func (*SecurityProfileManagers) SendStats ¶

func (spm *SecurityProfileManagers) SendStats() error

SendStats sends statistics about the probe to Datadog

func (*SecurityProfileManagers) SnapshotTracedCgroups ¶

func (spm *SecurityProfileManagers) SnapshotTracedCgroups()

SnapshotTracedCgroups snapshots traced cgroups

func (*SecurityProfileManagers) Start ¶

func (spm *SecurityProfileManagers) Start(ctx context.Context, wg *sync.WaitGroup)

Start triggers the goroutines of all the underlying controllers and monitors of the Monitor

func (*SecurityProfileManagers) StopActivityDump ¶

StopActivityDump stops an active activity dump

Directories ¶

Path Synopsis
Package config holds config related files
Package config holds config related files
Package constantfetch holds constantfetch related files
Package constantfetch holds constantfetch related files
Package erpc holds erpc related files
Package erpc holds erpc related files
Package eventstream holds eventstream related files
Package eventstream holds eventstream related files
reorderer
Package reorderer holds reorderer related files
Package reorderer holds reorderer related files
ringbuffer
Package ringbuffer holds ringbuffer related files
Package ringbuffer holds ringbuffer related files
Package kfilters holds kfilters related files
Package kfilters holds kfilters related files
Package managerhelper holds managerhelper related files
Package managerhelper holds managerhelper related files
monitors
approver
Package approver holds approver related files
Package approver holds approver related files
cgroups
Package cgroups holds cgroups related files
Package cgroups holds cgroups related files
discarder
Package discarder holds discarder related files
Package discarder holds discarder related files
runtime
Package runtime holds runtime related files
Package runtime holds runtime related files
syscalls
Package syscalls holds syscalls related files
Package syscalls holds syscalls related files
Package selftests holds selftests related files
Package selftests holds selftests related files
