Documentation ¶
Index ¶
- Constants
- func BytesToString32(bytes [32]byte) string
- func CloneFlagsByName(flags uint64) []string
- func DropCloneChildEq0(d *clone_data_t) bool
- func DropCloneFlagsEq0(d *clone_data_t) bool
- func DropSignalCodeEq0(d *signal_data_t) bool
- func DropSignalFlagsEq0(d *signal_data_t) bool
- func DropSocketProtocolEq0(d *inet_sock_data_t) bool
- func EventClone(event perf.Record) (*clone_data_t, error)
- func EventExecve(event perf.Record) (*execve_data_t, error)
- func EventSignal(event perf.Record) (*signal_data_t, error)
- func EventSock(event perf.Record) (*inet_sock_data_t, error)
- func IPV4(bytes [4]byte) string
- func IPV6(bytes [16]byte) string
- func IsPrivileged() bool
- func SetRLimitInfinity() error
- type ContainerEvent
- type ContainerObservationPoint
- type DropClone
- type DropCloneProcess
- type DropExecve
- type DropSignal
- type DropSocket
- type Event
- type ObservationPoint
- type ObservationPoints
- type ObservationReference
- type Observer
- type ProcessEvent
- type ProcessObservationPoint
- type SignalEvent
- type SignalObservationPoint
- type SocketEvent
- type SocketObservationPoint
- type TracepointData
Constants ¶
// Names of the tracepoint groups this package attaches to. They are presumably
// the tracefs event group directories (events/&lt;group&gt;/...) — confirm against the
// Tracepoints() maps of the observation points.
const (
	// BPFGroupSyscalls groups the syscall entry/exit tracepoints (clone, execve, ...).
	BPFGroupSyscalls = "syscalls"
	// BPFGroupSignal groups the signal generation/delivery tracepoints.
	BPFGroupSignal = "signal"
	// BPFGroupSock groups the socket state tracepoints.
	BPFGroupSock = "sock"
)
// clone(2) flag bits, widened to uint64 so they can be masked against the
// flags field of a clone event. The values come from the C headers via cgo,
// so they match the kernel the package is built against rather than a
// hard-coded table.
//
// Security note: the CLONE_NEW* bits are what distinguish "a new container /
// sandbox is being set up" from an ordinary fork, and CLONE_PTRACE /
// CLONE_UNTRACED matter for tracing-evasion detection. Bits not listed here
// (e.g. CLONE_NEWTIME, or the clone3-only CLONE_CLEAR_SIGHAND and
// CLONE_INTO_CGROUP) presumably get no symbolic name from CloneFlagsByName and
// are only visible in the raw flags value — confirm before relying on names.
const (
	// CEMPTY is the all-zero mask, used when no flag bits are to be selected.
	CEMPTY uint64 = 0x00000000
	// CSIGNAL masks the exit signal number packed into the low flag bits.
	CSIGNAL uint64 = C.CSIGNAL

	// CLONE_VM: child runs in the parent's address space.
	CLONE_VM uint64 = C.CLONE_VM
	// CLONE_FS: child shares root/cwd/umask with the parent.
	CLONE_FS uint64 = C.CLONE_FS
	// CLONE_FILES: child shares the parent's open file descriptor table.
	CLONE_FILES uint64 = C.CLONE_FILES
	// CLONE_SIGHAND: child shares signal handlers and the blocked-signal set.
	CLONE_SIGHAND uint64 = C.CLONE_SIGHAND
	// CLONE_PIDFD: a pidfd for the child is placed in the parent.
	CLONE_PIDFD uint64 = C.CLONE_PIDFD
	// CLONE_PTRACE: an active tracer also traces the child.
	CLONE_PTRACE uint64 = C.CLONE_PTRACE
	// CLONE_VFORK: parent is suspended until the child releases its mm.
	CLONE_VFORK uint64 = C.CLONE_VFORK
	// CLONE_PARENT: child gets the caller's parent instead of the caller.
	CLONE_PARENT uint64 = C.CLONE_PARENT
	// CLONE_THREAD: child joins the caller's thread group.
	CLONE_THREAD uint64 = C.CLONE_THREAD
	// CLONE_NEWNS: child starts in a new mount namespace.
	CLONE_NEWNS uint64 = C.CLONE_NEWNS
	// CLONE_SYSVSEM: child shares System V SEM_UNDO semantics.
	CLONE_SYSVSEM uint64 = C.CLONE_SYSVSEM
	// CLONE_SETTLS: a new TLS descriptor is installed for the child.
	CLONE_SETTLS uint64 = C.CLONE_SETTLS
	// CLONE_PARENT_SETTID: child TID is stored at a parent-supplied address.
	CLONE_PARENT_SETTID uint64 = C.CLONE_PARENT_SETTID
	// CLONE_CHILD_CLEARTID: the child's TID location is cleared on exit.
	CLONE_CHILD_CLEARTID uint64 = C.CLONE_CHILD_CLEARTID
	// CLONE_DETACHED: historical flag, ignored by the kernel.
	CLONE_DETACHED uint64 = C.CLONE_DETACHED
	// CLONE_UNTRACED: a tracer cannot force CLONE_PTRACE onto this clone.
	CLONE_UNTRACED uint64 = C.CLONE_UNTRACED
	// CLONE_CHILD_SETTID: child TID is stored at a child-supplied address.
	CLONE_CHILD_SETTID uint64 = C.CLONE_CHILD_SETTID
	// CLONE_NEWCGROUP: child starts in a new cgroup namespace.
	CLONE_NEWCGROUP uint64 = C.CLONE_NEWCGROUP
	// CLONE_NEWUTS: child starts in a new UTS (hostname) namespace.
	CLONE_NEWUTS uint64 = C.CLONE_NEWUTS
	// CLONE_NEWIPC: child starts in a new IPC namespace.
	CLONE_NEWIPC uint64 = C.CLONE_NEWIPC
	// CLONE_NEWUSER: child starts in a new user namespace.
	CLONE_NEWUSER uint64 = C.CLONE_NEWUSER
	// CLONE_NEWPID: child starts in a new PID namespace.
	CLONE_NEWPID uint64 = C.CLONE_NEWPID
	// CLONE_NEWNET: child starts in a new network namespace.
	CLONE_NEWNET uint64 = C.CLONE_NEWNET
	// CLONE_IO: child shares the parent's I/O context.
	CLONE_IO uint64 = C.CLONE_IO
)
Variables ¶
This section is empty.
Functions ¶
func BytesToString32 ¶
BytesToString32 converts a fixed-size [32]byte buffer copied out of the kernel into a Go string. NOTE(review): the signature does not show whether the result is cut at the first NUL byte or carries all 32 bytes — confirm against the implementation; if trailing NULs are kept they leak into the JSON output and exact string comparisons (e.g. filename-based drop filters) will not match.
func CloneFlagsByName ¶
func DropCloneChildEq0 ¶
func DropCloneChildEq0(d *clone_data_t) bool
func DropCloneFlagsEq0 ¶
func DropCloneFlagsEq0(d *clone_data_t) bool
func DropSignalCodeEq0 ¶
func DropSignalCodeEq0(d *signal_data_t) bool
func DropSignalFlagsEq0 ¶
func DropSignalFlagsEq0(d *signal_data_t) bool
func DropSocketProtocolEq0 ¶
func DropSocketProtocolEq0(d *inet_sock_data_t) bool
func EventClone ¶
func EventExecve ¶
func EventSignal ¶
func SetRLimitInfinity ¶
func SetRLimitInfinity() error
SetRLimitInfinity raises a resource limit of the calling process to RLIM_INFINITY (unbounded). The signature does not say which resource; for eBPF loaders this is typically RLIMIT_MEMLOCK, which kernels before 5.11 require for creating BPF maps (newer kernels account BPF memory to the cgroup instead) — confirm against the implementation. Raising a hard limit needs CAP_SYS_RESOURCE, so callers should check IsPrivileged first and treat an error here as fatal for map loading. More:
https://linux.die.net/man/2/setrlimit
Types ¶
type ContainerEvent ¶
// ContainerEvent is the decoded form of a clone tracepoint record: one
// process (ParentPid) created another (ChildPid) with the given clone flags.
// Despite the name, it presumably fires for every observed clone that passes
// the drop filters, not only for container starts; the CLONE_NEW* bits in
// CloneFlags are what indicate a new namespace/sandbox being created.
//
// Note the JSON key for EventName is "Name", not "EventName".
type ContainerEvent struct {
	// CPU is the CPU the perf record was read from.
	CPU int `json:"CPU"`
	// EventName identifies the observation point that produced the event.
	EventName string `json:"Name"`
	// ParentPid is the PID of the process that issued clone(2).
	ParentPid int `json:"ParentPid"`
	// ParentProc is the enriched process record for ParentPid (may be nil if
	// the lookup failed — confirm against NewContainerEvent).
	ParentProc *system.Process `json:"ParentProc"`
	// ChildPid is the PID of the newly created task.
	ChildPid int `json:"ChildPid"`
	// ChildProc is the enriched process record for ChildPid (may be nil, see above).
	ChildProc *system.Process `json:"ChildProc"`
	// CloneFlags is the raw flags argument of the clone call. It is a uint
	// while the CLONE_* constants and CloneFlagsByName use uint64; on 64-bit
	// Linux these are the same width, so no bits are lost.
	CloneFlags uint `json:"CloneFlags"`
	// CloneFlagsByName lists the symbolic names of the set CloneFlags bits
	// (presumably produced by the package-level CloneFlagsByName function).
	CloneFlagsByName []string `json:"CloneFlagsByName"`
	// TLS is the tls argument passed to clone (meaningful with CLONE_SETTLS).
	TLS uint `json:"TLS"`
	// contains filtered or unexported fields
}
func NewContainerEvent ¶
func NewContainerEvent(name string, cpu int, cloneData *clone_data_t, parentProc, childProc *system.Process) *ContainerEvent
func (*ContainerEvent) JSON ¶
func (e *ContainerEvent) JSON() ([]byte, error)
func (*ContainerEvent) Name ¶
func (e *ContainerEvent) Name() string
func (*ContainerEvent) String ¶
func (e *ContainerEvent) String() string
type ContainerObservationPoint ¶
type ContainerObservationPoint struct {
// contains filtered or unexported fields
}
func NewContainerObservationPoint ¶
func NewContainerObservationPoint(dropFunctions []DropClone, dropProcessFunctions []DropCloneProcess) *ContainerObservationPoint
func (*ContainerObservationPoint) Event ¶
func (c *ContainerObservationPoint) Event(record perf.Record) error
func (*ContainerObservationPoint) SetReference ¶
func (c *ContainerObservationPoint) SetReference(reference ObservationReference)
func (*ContainerObservationPoint) Tracepoints ¶
func (c *ContainerObservationPoint) Tracepoints() map[string]TracepointData
type DropClone ¶
type DropClone func(d *clone_data_t) bool
func DropCloneFlagMask ¶
func SelectCloneFlagMask ¶
type DropCloneProcess ¶
func DropCloneExecutable ¶
func DropCloneExecutable(name string) DropCloneProcess
type DropExecve ¶
type DropExecve func(d *execve_data_t) bool
func DropExecveFilename ¶
func DropExecveFilename(filename string) DropExecve
type DropSignal ¶
type DropSignal func(d *signal_data_t) bool
type DropSocket ¶
type DropSocket func(d *inet_sock_data_t) bool
type ObservationPoint ¶
// ObservationPoint is implemented by every eBPF-backed observation point in
// this package. An Observer collects the tracepoints each point needs, hands
// each point the shared BPF state via SetReference, and forwards every perf
// record to the point that owns it via Event.
type ObservationPoint interface {
	// Tracepoints returns the tracepoints this point must be attached to,
	// keyed by name, with the program/handler data for each.
	Tracepoints() map[string]TracepointData
	// Event decodes one perf record produced by this point's tracepoints
	// into an Event. Returning an error presumably means the record was
	// dropped or malformed — confirm against the Observer.
	Event(record perf.Record) error
	// SetReference gives the point the shared ObservationReference (BPF
	// library handles) it needs before events can be processed.
	SetReference(reference ObservationReference)
}
ObservationPoint is the common interface for every eBPF-backed observation point in this package: it declares the tracepoints it needs (Tracepoints), decodes perf records into events (Event) and receives the shared BPF handles (SetReference). Concrete implementations are ContainerObservationPoint, ProcessObservationPoint, SignalObservationPoint and SocketObservationPoint. Examples of the observations they represent:
- ContainerStarted
- ProcessExecuted
type ObservationPoints ¶
type ObservationPoints map[string]ObservationPoint
func ProfileDefault ¶
func ProfileDefault() ObservationPoints
func ProfileSignalsOnly ¶
func ProfileSignalsOnly() ObservationPoints
type ObservationReference ¶
type ObservationReference struct {
// contains filtered or unexported fields
}
ObservationReference carries the shared BPF library state (presumably the loaded programs/maps and perf reader) that the Observer passes to each ObservationPoint through SetReference, so all points work against the same BPF objects. Its fields are unexported; construct it only via the Observer.
type Observer ¶
type Observer struct {
// contains filtered or unexported fields
}
Observer is the main data structure that can be used to observe the system based on configured ObservationPoints.
func NewObserver ¶
func NewObserver(points ObservationPoints) *Observer
NewObserver initializes a new Observer for the given ObservationPoints and starts it: when this function returns, the BPF programs are attached and the observer is already receiving events from the kernel. Loading BPF programs and attaching tracepoints requires root or CAP_BPF and CAP_PERFMON (CAP_SYS_ADMIN on older kernels); check IsPrivileged and raise the memlock limit with SetRLimitInfinity before calling this, otherwise the failure surfaces only at attach time.
func (*Observer) EventStream ¶
EventStream returns the channel on which decoded events are delivered. LogEvents and PrintJSONEvents read from this same channel, so there must be exactly one consumer: combining EventStream with either helper splits the events between the two readers, and a consumer that stops reading will back-pressure or drop events depending on the channel's buffering (not visible here — confirm).
func (*Observer) LogEvents ¶
func (o *Observer) LogEvents()
LogEvents consumes events from the event stream and logs each event's String() output through the configured logger. Since it drains the channel it presumably blocks for the lifetime of the observer; run it in its own goroutine if the caller needs to keep working. Do not combine it with EventStream or PrintJSONEvents on the same Observer.
func (*Observer) PrintJSONEvents ¶
func (o *Observer) PrintJSONEvents()
PrintJSONEvents consumes events from the event stream and Print()s each event's raw JSON() encoding, one event per line. The signature offers no way to report a JSON() marshaling error, so check how such failures are handled before feeding this output to a log pipeline. Do not combine it with EventStream or LogEvents on the same Observer.
type ProcessEvent ¶
// ProcessEvent is the decoded form of an execve tracepoint record: a task
// (PID, Comm) replaced its image with the program at Filename.
//
// Note the JSON key for EventName is "Name", not "EventName".
type ProcessEvent struct {
	// CPU is the CPU the perf record was read from.
	CPU int `json:"CPU"`
	// EventName identifies the observation point that produced the event.
	EventName string `json:"Name"`
	// Filename is the path passed to execve as seen by the kernel; it is
	// attacker-controlled input and should be treated as untrusted when
	// logged or matched.
	Filename string `json:"Filename"`
	// Comm is the kernel task name (presumably the 16-byte TASK_COMM_LEN
	// field, so long names are truncated — confirm against the BPF program).
	Comm string `json:"Comm"`
	// PID is the PID of the task that called execve.
	PID uint `json:"PID"`
	// contains filtered or unexported fields
}
func NewProcessEvent ¶
func NewProcessEvent(name string, cpu int, execData *execve_data_t) *ProcessEvent
func (*ProcessEvent) JSON ¶
func (p *ProcessEvent) JSON() ([]byte, error)
func (*ProcessEvent) Name ¶
func (p *ProcessEvent) Name() string
func (*ProcessEvent) String ¶
func (p *ProcessEvent) String() string
type ProcessObservationPoint ¶
type ProcessObservationPoint struct {
// contains filtered or unexported fields
}
func NewProcessObservationPoint ¶
func NewProcessObservationPoint(dropFilters []DropExecve) *ProcessObservationPoint
func (*ProcessObservationPoint) Event ¶
func (p *ProcessObservationPoint) Event(record perf.Record) error
func (*ProcessObservationPoint) SetReference ¶
func (p *ProcessObservationPoint) SetReference(reference ObservationReference)
func (*ProcessObservationPoint) Tracepoints ¶
func (p *ProcessObservationPoint) Tracepoints() map[string]TracepointData
type SignalEvent ¶
// SignalEvent is the decoded form of a signal tracepoint record. The field
// set (signal, errno, code, handler, flags) mirrors the kernel's
// signal:signal_deliver / signal_generate tracepoint arguments
// (sig, errno, code, sa_handler, sa_flags) — confirm against the BPF program.
//
// Note the JSON key for EventName is "Name", not "EventName".
type SignalEvent struct {
	// CPU is the CPU the perf record was read from.
	CPU int `json:"CPU"`
	// EventName identifies the observation point that produced the event.
	EventName string `json:"Name"`
	// Signal is the signal number (e.g. 9 for SIGKILL).
	Signal int `json:"Signal"`
	// Errno is the si_errno value carried with the signal.
	Errno int `json:"Errno"`
	// Code is the si_code value describing the signal's origin.
	Code int `json:"Code"`
	// Handler is the user-space handler address (sa_handler); values other
	// than SIG_DFL/SIG_IGN point into the target process's address space.
	Handler uint64 `json:"Handler"`
	// Flags holds the sa_flags of the installed handler.
	Flags uint64 `json:"Flags"`
	// contains filtered or unexported fields
}
func NewSignalEvent ¶
func NewSignalEvent(name string, cpu int, signalData *signal_data_t) *SignalEvent
func (*SignalEvent) JSON ¶
func (p *SignalEvent) JSON() ([]byte, error)
func (*SignalEvent) Name ¶
func (p *SignalEvent) Name() string
func (*SignalEvent) String ¶
func (p *SignalEvent) String() string
type SignalObservationPoint ¶
type SignalObservationPoint struct {
// contains filtered or unexported fields
}
func NewSignalObservationPoint ¶
func NewSignalObservationPoint(dropFunctions []DropSignal) *SignalObservationPoint
func (*SignalObservationPoint) Event ¶
func (p *SignalObservationPoint) Event(record perf.Record) error
func (*SignalObservationPoint) SetReference ¶
func (p *SignalObservationPoint) SetReference(reference ObservationReference)
func (*SignalObservationPoint) Tracepoints ¶
func (p *SignalObservationPoint) Tracepoints() map[string]TracepointData
type SocketEvent ¶
// SocketEvent is the decoded form of a socket state-change record. The field
// set mirrors the kernel's sock:inet_sock_set_state tracepoint
// (oldstate, newstate, sport, dport, family, protocol, saddr, daddr,
// saddr_v6, daddr_v6) — confirm against the BPF program.
//
// Exactly one of the IPv4 and IPv6 address pairs is presumably meaningful for
// a given event, selected by Family (AF_INET vs AF_INET6); the other pair is
// whatever IPV4/IPV6 produce for zeroed bytes. Note the JSON key for
// EventName is "Name", not "EventName".
type SocketEvent struct {
	// CPU is the CPU the perf record was read from.
	CPU int `json:"CPU"`
	// EventName identifies the observation point that produced the event.
	EventName string `json:"Name"`
	// OldState is the TCP state before the transition.
	OldState int `json:"OldState"`
	// NewState is the TCP state after the transition.
	NewState int `json:"NewState"`
	// SourcePort is the local port.
	SourcePort uint `json:"SourcePort"`
	// DestPort is the remote port.
	DestPort uint `json:"DestPort"`
	// Family is the address family (AF_INET / AF_INET6).
	Family uint `json:"Family"`
	// Protocol is the IP protocol number (e.g. 6 for TCP).
	Protocol uint `json:"Protocol"`
	// SourceAddr is the local IPv4 address, formatted by IPV4.
	SourceAddr string `json:"SourceAddr"`
	// DestAddr is the remote IPv4 address, formatted by IPV4.
	DestAddr string `json:"DestAddr"`
	// SourceAddrV6 is the local IPv6 address, formatted by IPV6.
	SourceAddrV6 string `json:"SourceAddrV6"`
	// DestAddrV6 is the remote IPv6 address, formatted by IPV6.
	DestAddrV6 string `json:"DestAddrV6"`
	// contains filtered or unexported fields
}
func NewSocketEvent ¶
func NewSocketEvent(name string, cpu int, data *inet_sock_data_t) *SocketEvent
func (*SocketEvent) JSON ¶
func (p *SocketEvent) JSON() ([]byte, error)
func (*SocketEvent) Name ¶
func (p *SocketEvent) Name() string
func (*SocketEvent) String ¶
func (p *SocketEvent) String() string
type SocketObservationPoint ¶
type SocketObservationPoint struct {
// contains filtered or unexported fields
}
func NewSocketObservationPoint ¶
func NewSocketObservationPoint(dropFunctions []DropSocket) *SocketObservationPoint
func (*SocketObservationPoint) Event ¶
func (p *SocketObservationPoint) Event(record perf.Record) error
func (*SocketObservationPoint) SetReference ¶
func (p *SocketObservationPoint) SetReference(reference ObservationReference)
func (*SocketObservationPoint) Tracepoints ¶
func (p *SocketObservationPoint) Tracepoints() map[string]TracepointData