events

package
v0.0.0-...-d7a781d Latest Latest
Warning

This package is not in the latest version of its module.

Published: Mar 7, 2023 License: Apache-2.0 Imports: 19 Imported by: 0

Documentation

Index

Constants

// BPFObjectNameLen is the maximum length of a BPF map or program name.
// It has the same value as the kernel's BPF_OBJ_NAME_LEN.
const BPFObjectNameLen = 16

// BPFTagLen is the length of a BPF program tag.
// It has the same value as the kernel's BPF_TAG_SIZE.
const BPFTagLen = 8
// CgroupNameLength is a fixed length of 128.
// NOTE(review): presumably the size of the cgroup name field carried in
// events; confirm against the code that decodes it.
const CgroupNameLength = 128

// TaskCommLength is a fixed length of 16, the same value as the kernel's
// TASK_COMM_LEN.
// NOTE(review): presumably the size of the task comm field carried in
// events; confirm against the code that decodes it.
const TaskCommLength = 16
// Bit flags that select which probes are expanded for a syscall. They are
// distinct powers of two, so they can be combined with a bitwise OR.
const (
	// Entry requests expansion of the entry kprobe.
	Entry = 1 << iota
	// Exit requests expansion of the exit kretprobe.
	Exit
	// ExpandTime32 requests that the _time32 suffix be added to the provided probe if needed.
	ExpandTime32

	// EntryAndExit requests expansion of both the entry kprobe and the exit kretprobe.
	EntryAndExit = Entry | Exit
)
// KRIEUID is the UID used to uniquely identify kernel space programs.
const KRIEUID = "krie"
const MaxKernelParameterCount = 25

MaxKernelParameterCount is the hardcoded maximum count of kernel parameters that KRIE can check

const ModuleNameLen = 56

ModuleNameLen is the length of the name of a kernel module

const SymbolNameLength = 64

SymbolNameLength is the length of the name of a kernel symbol

Variables

var (
	// BPFCmdConstants maps BPF command names, spelled as in the kernel's
	// enum bpf_cmd, to their BPFCmd values.
	//
	// "BPF_PROG_TEST_RUN" and "BPF_PROG_RUN" both map to BpfProgTestRunCmd
	// (the kernel defines the second as an alias of the first), so the map is
	// not one-to-one: a value-to-name lookup can report only one of the two
	// names.
	BPFCmdConstants = map[string]BPFCmd{
		"BPF_MAP_CREATE":                  BpfMapCreateCmd,
		"BPF_MAP_LOOKUP_ELEM":             BpfMapLookupElemCmd,
		"BPF_MAP_UPDATE_ELEM":             BpfMapUpdateElemCmd,
		"BPF_MAP_DELETE_ELEM":             BpfMapDeleteElemCmd,
		"BPF_MAP_GET_NEXT_KEY":            BpfMapGetNextKeyCmd,
		"BPF_PROG_LOAD":                   BpfProgLoadCmd,
		"BPF_OBJ_PIN":                     BpfObjPinCmd,
		"BPF_OBJ_GET":                     BpfObjGetCmd,
		"BPF_PROG_ATTACH":                 BpfProgAttachCmd,
		"BPF_PROG_DETACH":                 BpfProgDetachCmd,
		"BPF_PROG_TEST_RUN":               BpfProgTestRunCmd,
		"BPF_PROG_RUN":                    BpfProgTestRunCmd,
		"BPF_PROG_GET_NEXT_ID":            BpfProgGetNextIDCmd,
		"BPF_MAP_GET_NEXT_ID":             BpfMapGetNextIDCmd,
		"BPF_PROG_GET_FD_BY_ID":           BpfProgGetFdByIDCmd,
		"BPF_MAP_GET_FD_BY_ID":            BpfMapGetFdByIDCmd,
		"BPF_OBJ_GET_INFO_BY_FD":          BpfObjGetInfoByFdCmd,
		"BPF_PROG_QUERY":                  BpfProgQueryCmd,
		"BPF_RAW_TRACEPOINT_OPEN":         BpfRawTracepointOpenCmd,
		"BPF_BTF_LOAD":                    BpfBtfLoadCmd,
		"BPF_BTF_GET_FD_BY_ID":            BpfBtfGetFdByIDCmd,
		"BPF_TASK_FD_QUERY":               BpfTaskFdQueryCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_ELEM":  BpfMapLookupAndDeleteElemCmd,
		"BPF_MAP_FREEZE":                  BpfMapFreezeCmd,
		"BPF_BTF_GET_NEXT_ID":             BpfBtfGetNextIDCmd,
		"BPF_MAP_LOOKUP_BATCH":            BpfMapLookupBatchCmd,
		"BPF_MAP_LOOKUP_AND_DELETE_BATCH": BpfMapLookupAndDeleteBatchCmd,
		"BPF_MAP_UPDATE_BATCH":            BpfMapUpdateBatchCmd,
		"BPF_MAP_DELETE_BATCH":            BpfMapDeleteBatchCmd,
		"BPF_LINK_CREATE":                 BpfLinkCreateCmd,
		"BPF_LINK_UPDATE":                 BpfLinkUpdateCmd,
		"BPF_LINK_GET_FD_BY_ID":           BpfLinkGetFdByIDCmd,
		"BPF_LINK_GET_NEXT_ID":            BpfLinkGetNextIDCmd,
		"BPF_ENABLE_STATS":                BpfEnableStatsCmd,
		"BPF_ITER_CREATE":                 BpfIterCreateCmd,
		"BPF_LINK_DETACH":                 BpfLinkDetachCmd,
		"BPF_PROG_BIND_MAP":               BpfProgBindMapCmd,
	}

	// BPFFilterCmdConstants maps the names of the socket options that manage
	// classic BPF socket filters (SO_ATTACH_FILTER, SO_DETACH_FILTER and
	// SO_LOCK_FILTER) to their BPFFilterCmd values.
	BPFFilterCmdConstants = map[string]BPFFilterCmd{
		"SO_ATTACH_FILTER": SoAttachFilter,
		"SO_DETACH_FILTER": SoDetachFilter,
		"SO_LOCK_FILTER":   SoLockFilter,
	}

	// BPFHelperFuncConstants is the list of BPF helper func constants
	BPFHelperFuncConstants = map[string]BPFHelperFunc{}/* 166 elements not displayed */

	// BPFMapTypeConstants is the list of BPF map type constants
	BPFMapTypeConstants = map[string]BPFMapType{
		"BPF_MAP_TYPE_UNSPEC":                BpfMapTypeUnspec,
		"BPF_MAP_TYPE_HASH":                  BpfMapTypeHash,
		"BPF_MAP_TYPE_ARRAY":                 BpfMapTypeArray,
		"BPF_MAP_TYPE_PROG_ARRAY":            BpfMapTypeProgArray,
		"BPF_MAP_TYPE_PERF_EVENT_ARRAY":      BpfMapTypePerfEventArray,
		"BPF_MAP_TYPE_PERCPU_HASH":           BpfMapTypePercpuHash,
		"BPF_MAP_TYPE_PERCPU_ARRAY":          BpfMapTypePercpuArray,
		"BPF_MAP_TYPE_STACK_TRACE":           BpfMapTypeStackTrace,
		"BPF_MAP_TYPE_CGROUP_ARRAY":          BpfMapTypeCgroupArray,
		"BPF_MAP_TYPE_LRU_HASH":              BpfMapTypeLruHash,
		"BPF_MAP_TYPE_LRU_PERCPU_HASH":       BpfMapTypeLruPercpuHash,
		"BPF_MAP_TYPE_LPM_TRIE":              BpfMapTypeLpmTrie,
		"BPF_MAP_TYPE_ARRAY_OF_MAPS":         BpfMapTypeArrayOfMaps,
		"BPF_MAP_TYPE_HASH_OF_MAPS":          BpfMapTypeHashOfMaps,
		"BPF_MAP_TYPE_DEVMAP":                BpfMapTypeDevmap,
		"BPF_MAP_TYPE_SOCKMAP":               BpfMapTypeSockmap,
		"BPF_MAP_TYPE_CPUMAP":                BpfMapTypeCPUmap,
		"BPF_MAP_TYPE_XSKMAP":                BpfMapTypeXskmap,
		"BPF_MAP_TYPE_SOCKHASH":              BpfMapTypeSockhash,
		"BPF_MAP_TYPE_CGROUP_STORAGE":        BpfMapTypeCgroupStorage,
		"BPF_MAP_TYPE_REUSEPORT_SOCKARRAY":   BpfMapTypeReuseportSockarray,
		"BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE": BpfMapTypePercpuCgroupStorage,
		"BPF_MAP_TYPE_QUEUE":                 BpfMapTypeQueue,
		"BPF_MAP_TYPE_STACK":                 BpfMapTypeStack,
		"BPF_MAP_TYPE_SK_STORAGE":            BpfMapTypeSkStorage,
		"BPF_MAP_TYPE_DEVMAP_HASH":           BpfMapTypeDevmapHash,
		"BPF_MAP_TYPE_STRUCT_OPS":            BpfMapTypeStructOps,
		"BPF_MAP_TYPE_RINGBUF":               BpfMapTypeRingbuf,
		"BPF_MAP_TYPE_INODE_STORAGE":         BpfMapTypeInodeStorage,
		"BPF_MAP_TYPE_TASK_STORAGE":          BpfMapTypeTaskStorage,
	}

	// BPFProgramTypeConstants is the list of BPF program type constants
	BPFProgramTypeConstants = map[string]BPFProgramType{
		"BPF_PROG_TYPE_UNSPEC":                  BpfProgTypeUnspec,
		"BPF_PROG_TYPE_SOCKET_FILTER":           BpfProgTypeSocketFilter,
		"BPF_PROG_TYPE_KPROBE":                  BpfProgTypeKprobe,
		"BPF_PROG_TYPE_SCHED_CLS":               BpfProgTypeSchedCls,
		"BPF_PROG_TYPE_SCHED_ACT":               BpfProgTypeSchedAct,
		"BPF_PROG_TYPE_TRACEPOINT":              BpfProgTypeTracepoint,
		"BPF_PROG_TYPE_XDP":                     BpfProgTypeXdp,
		"BPF_PROG_TYPE_PERF_EVENT":              BpfProgTypePerfEvent,
		"BPF_PROG_TYPE_CGROUP_SKB":              BpfProgTypeCgroupSkb,
		"BPF_PROG_TYPE_CGROUP_SOCK":             BpfProgTypeCgroupSock,
		"BPF_PROG_TYPE_LWT_IN":                  BpfProgTypeLwtIn,
		"BPF_PROG_TYPE_LWT_OUT":                 BpfProgTypeLwtOut,
		"BPF_PROG_TYPE_LWT_XMIT":                BpfProgTypeLwtXmit,
		"BPF_PROG_TYPE_SOCK_OPS":                BpfProgTypeSockOps,
		"BPF_PROG_TYPE_SK_SKB":                  BpfProgTypeSkSkb,
		"BPF_PROG_TYPE_CGROUP_DEVICE":           BpfProgTypeCgroupDevice,
		"BPF_PROG_TYPE_SK_MSG":                  BpfProgTypeSkMsg,
		"BPF_PROG_TYPE_RAW_TRACEPOINT":          BpfProgTypeRawTracepoint,
		"BPF_PROG_TYPE_CGROUP_SOCK_ADDR":        BpfProgTypeCgroupSockAddr,
		"BPF_PROG_TYPE_LWT_SEG6LOCAL":           BpfProgTypeLwtSeg6local,
		"BPF_PROG_TYPE_LIRC_MODE2":              BpfProgTypeLircMode2,
		"BPF_PROG_TYPE_SK_REUSEPORT":            BpfProgTypeSkReuseport,
		"BPF_PROG_TYPE_FLOW_DISSECTOR":          BpfProgTypeFlowDissector,
		"BPF_PROG_TYPE_CGROUP_SYSCTL":           BpfProgTypeCgroupSysctl,
		"BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE": BpfProgTypeRawTracepointWritable,
		"BPF_PROG_TYPE_CGROUP_SOCKOPT":          BpfProgTypeCgroupSockopt,
		"BPF_PROG_TYPE_TRACING":                 BpfProgTypeTracing,
		"BPF_PROG_TYPE_STRUCT_OPS":              BpfProgTypeStructOps,
		"BPF_PROG_TYPE_EXT":                     BpfProgTypeExt,
		"BPF_PROG_TYPE_LSM":                     BpfProgTypeLsm,
		"BPF_PROG_TYPE_SK_LOOKUP":               BpfProgTypeSkLookup,
	}

	// BPFAttachTypeConstants is the list of BPF attach type constants
	BPFAttachTypeConstants = map[string]BPFAttachType{
		"BPF_CGROUP_INET_INGRESS":      BpfCgroupInetIngress,
		"BPF_CGROUP_INET_EGRESS":       BpfCgroupInetEgress,
		"BPF_CGROUP_INET_SOCK_CREATE":  BpfCgroupInetSockCreate,
		"BPF_CGROUP_SOCK_OPS":          BpfCgroupSockOps,
		"BPF_SK_SKB_STREAM_PARSER":     BpfSkSkbStreamParser,
		"BPF_SK_SKB_STREAM_VERDICT":    BpfSkSkbStreamVerdict,
		"BPF_CGROUP_DEVICE":            BpfCgroupDevice,
		"BPF_SK_MSG_VERDICT":           BpfSkMsgVerdict,
		"BPF_CGROUP_INET4_BIND":        BpfCgroupInet4Bind,
		"BPF_CGROUP_INET6_BIND":        BpfCgroupInet6Bind,
		"BPF_CGROUP_INET4_CONNECT":     BpfCgroupInet4Connect,
		"BPF_CGROUP_INET6_CONNECT":     BpfCgroupInet6Connect,
		"BPF_CGROUP_INET4_POST_BIND":   BpfCgroupInet4PostBind,
		"BPF_CGROUP_INET6_POST_BIND":   BpfCgroupInet6PostBind,
		"BPF_CGROUP_UDP4_SENDMSG":      BpfCgroupUDP4Sendmsg,
		"BPF_CGROUP_UDP6_SENDMSG":      BpfCgroupUDP6Sendmsg,
		"BPF_LIRC_MODE2":               BpfLircMode2,
		"BPF_FLOW_DISSECTOR":           BpfFlowDissector,
		"BPF_CGROUP_SYSCTL":            BpfCgroupSysctl,
		"BPF_CGROUP_UDP4_RECVMSG":      BpfCgroupUDP4Recvmsg,
		"BPF_CGROUP_UDP6_RECVMSG":      BpfCgroupUDP6Recvmsg,
		"BPF_CGROUP_GETSOCKOPT":        BpfCgroupGetsockopt,
		"BPF_CGROUP_SETSOCKOPT":        BpfCgroupSetsockopt,
		"BPF_TRACE_RAW_TP":             BpfTraceRawTp,
		"BPF_TRACE_FENTRY":             BpfTraceFentry,
		"BPF_TRACE_FEXIT":              BpfTraceFexit,
		"BPF_MODIFY_RETURN":            BpfModifyReturn,
		"BPF_LSM_MAC":                  BpfLsmMac,
		"BPF_TRACE_ITER":               BpfTraceIter,
		"BPF_CGROUP_INET4_GETPEERNAME": BpfCgroupInet4Getpeername,
		"BPF_CGROUP_INET6_GETPEERNAME": BpfCgroupInet6Getpeername,
		"BPF_CGROUP_INET4_GETSOCKNAME": BpfCgroupInet4Getsockname,
		"BPF_CGROUP_INET6_GETSOCKNAME": BpfCgroupInet6Getsockname,
		"BPF_XDP_DEVMAP":               BpfXdpDevmap,
		"BPF_CGROUP_INET_SOCK_RELEASE": BpfCgroupInetSockRelease,
		"BPF_XDP_CPUMAP":               BpfXdpCPUmap,
		"BPF_SK_LOOKUP":                BpfSkLookup,
		"BPF_XDP":                      BpfXdp,
		"BPF_SK_SKB_VERDICT":           BpfSkSkbVerdict,
	}

	// L3ProtocolConstants is the list of supported L3 protocols, keyed by
	// name.
	//
	// NOTE(review): several keys do not match the kernel's macro spelling in
	// <linux/if_ether.h>: for example "ETH_P__LINK_CTL", "ETH_P_8021_Q" and
	// "ETH_P_8023_MIN" here versus ETH_P_LINK_CTL, ETH_P_8021Q and
	// ETH_P_802_3_MIN in the kernel. Anything that looks a protocol up by
	// name presumably has to use the spelling of these keys, and a name
	// copied from the kernel headers would then not match. Confirm, and
	// consider documenting the accepted spellings for rule authors.
	L3ProtocolConstants = map[string]L3Protocol{
		"ETH_P_LOOP":            EthPLOOP,
		"ETH_P_PUP":             EthPPUP,
		"ETH_P_PUPAT":           EthPPUPAT,
		"ETH_P_TSN":             EthPTSN,
		"ETH_P_IP":              EthPIP,
		"ETH_P_X25":             EthPX25,
		"ETH_P_ARP":             EthPARP,
		"ETH_P_BPQ":             EthPBPQ,
		"ETH_P_IEEEPUP":         EthPIEEEPUP,
		"ETH_P_IEEEPUPAT":       EthPIEEEPUPAT,
		"ETH_P_BATMAN":          EthPBATMAN,
		"ETH_P_DEC":             EthPDEC,
		"ETH_P_DNADL":           EthPDNADL,
		"ETH_P_DNARC":           EthPDNARC,
		"ETH_P_DNART":           EthPDNART,
		"ETH_P_LAT":             EthPLAT,
		"ETH_P_DIAG":            EthPDIAG,
		"ETH_P_CUST":            EthPCUST,
		"ETH_P_SCA":             EthPSCA,
		"ETH_P_TEB":             EthPTEB,
		"ETH_P_RARP":            EthPRARP,
		"ETH_P_ATALK":           EthPATALK,
		"ETH_P_AARP":            EthPAARP,
		"ETH_P_8021_Q":          EthP8021Q,
		"ETH_P_ERSPAN":          EthPERSPAN,
		"ETH_P_IPX":             EthPIPX,
		"ETH_P_IPV6":            EthPIPV6,
		"ETH_P_PAUSE":           EthPPAUSE,
		"ETH_P_SLOW":            EthPSLOW,
		"ETH_P_WCCP":            EthPWCCP,
		"ETH_P_MPLSUC":          EthPMPLSUC,
		"ETH_P_MPLSMC":          EthPMPLSMC,
		"ETH_P_ATMMPOA":         EthPATMMPOA,
		"ETH_P_PPPDISC":         EthPPPPDISC,
		"ETH_P_PPPSES":          EthPPPPSES,
		"ETH_P__LINK_CTL":       EthPLinkCTL,
		"ETH_P_ATMFATE":         EthPATMFATE,
		"ETH_P_PAE":             EthPPAE,
		"ETH_P_AOE":             EthPAOE,
		"ETH_P_8021_AD":         EthP8021AD,
		"ETH_P_802_EX1":         EthP802EX1,
		"ETH_P_TIPC":            EthPTIPC,
		"ETH_P_MACSEC":          EthPMACSEC,
		"ETH_P_8021_AH":         EthP8021AH,
		"ETH_P_MVRP":            EthPMVRP,
		"ETH_P_1588":            EthP1588,
		"ETH_P_NCSI":            EthPNCSI,
		"ETH_P_PRP":             EthPPRP,
		"ETH_P_FCOE":            EthPFCOE,
		"ETH_P_IBOE":            EthPIBOE,
		"ETH_P_TDLS":            EthPTDLS,
		"ETH_P_FIP":             EthPFIP,
		"ETH_P_80221":           EthP80221,
		"ETH_P_HSR":             EthPHSR,
		"ETH_P_NSH":             EthPNSH,
		"ETH_P_LOOPBACK":        EthPLOOPBACK,
		"ETH_P_QINQ1":           EthPQINQ1,
		"ETH_P_QINQ2":           EthPQINQ2,
		"ETH_P_QINQ3":           EthPQINQ3,
		"ETH_P_EDSA":            EthPEDSA,
		"ETH_P_IFE":             EthPIFE,
		"ETH_P_AFIUCV":          EthPAFIUCV,
		"ETH_P_8023_MIN":        EthP8023MIN,
		"ETH_P_IPV6_HOP_BY_HOP": EthPIPV6HopByHop,
		"ETH_P_8023":            EthP8023,
		"ETH_P_AX25":            EthPAX25,
		"ETH_P_ALL":             EthPALL,
		"ETH_P_8022":            EthP8022,
		"ETH_P_SNAP":            EthPSNAP,
		"ETH_P_DDCMP":           EthPDDCMP,
		"ETH_P_WANPPP":          EthPWANPPP,
		"ETH_P_PPPMP":           EthPPPPMP,
		"ETH_P_LOCALTALK":       EthPLOCALTALK,
		"ETH_P_CAN":             EthPCAN,
		"ETH_P_CANFD":           EthPCANFD,
		"ETH_P_PPPTALK":         EthPPPPTALK,
		"ETH_P_TR8022":          EthPTR8022,
		"ETH_P_MOBITEX":         EthPMOBITEX,
		"ETH_P_CONTROL":         EthPCONTROL,
		"ETH_P_IRDA":            EthPIRDA,
		"ETH_P_ECONET":          EthPECONET,
		"ETH_P_HDLC":            EthPHDLC,
		"ETH_P_ARCNET":          EthPARCNET,
		"ETH_P_DSA":             EthPDSA,
		"ETH_P_TRAILER":         EthPTRAILER,
		"ETH_P_PHONET":          EthPPHONET,
		"ETH_P_IEEE802154":      EthPIEEE802154,
		"ETH_P_CAIF":            EthPCAIF,
		"ETH_P_XDSA":            EthPXDSA,
		"ETH_P_MAP":             EthPMAP,
	}

	// KProbeCommandConstants maps kprobe command names to their
	// KProbeCommand values (1 through 8; 0 is not assigned a name here).
	//
	// NOTE(review): the names suggest these are the kprobe management
	// operations (register, unregister, enable, disable, arm all, disarm all)
	// that KRIE reports on. Disabling or disarming kprobes would also silence
	// kprobe-based sensors, so events carrying those commands presumably
	// deserve attention; confirm against the eBPF side.
	KProbeCommandConstants = map[string]KProbeCommand{
		"REGISTER_KPROBE":      1,
		"UNREGISTER_KPROBE":    2,
		"REGISTER_KRETPROBE":   3,
		"UNREGISTER_KRETPROBE": 4,
		"ENABLE_KPROBE":        5,
		"DISABLE_KPROBE":       6,
		"DISARM_ALL_KPROBES":   7,
		"ARM_ALL_KPROBES":      8,
	}

	// KProbeTypeConstants maps kprobe type names to their KProbeType values:
	// 1 for "KPROBE_TYPE" and 2 for "KRETPROBE_TYPE". 0 is not assigned a name
	// here.
	KProbeTypeConstants = map[string]KProbeType{
		"KPROBE_TYPE":    1,
		"KRETPROBE_TYPE": 2,
	}

	// SysCtlActionConstants maps sysctl action names to their SysCtlAction
	// values (0 through 4).
	//
	// NOTE(review): the names suggest the verdicts that can be applied to a
	// sysctl access (see IsCgroupSysctlProgramAvailable); their exact
	// semantics are not visible here. Confirm against the eBPF side.
	SysCtlActionConstants = map[string]SysCtlAction{
		"SYSCTL_SHOT":     0,
		"SYSCTL_OK":       1,
		"SYSCTL_OVERRIDE": 2,
		"SYSCTL_EINVAL":   3,
		"SYSCTL_ERANGE":   4,
	}

	// ActionConstants maps the textual names of KRIE actions ("nop", "log",
	// "block", "kill", "paranoid") to their Action values.
	//
	// NOTE(review): presumably consulted by Action.UnmarshalYAML when parsing
	// configuration, which would make these keys the only accepted spellings.
	// Confirm.
	ActionConstants = map[string]Action{
		"nop":      NopAction,
		"log":      LogAction,
		"block":    BlockAction,
		"kill":     KillAction,
		"paranoid": ParanoidAction,
	}

	// HookPointConstants maps hook point names to their HookPoint values. The
	// two names are the kernel functions prepare_kernel_cred and commit_creds,
	// which create and install task credentials.
	//
	// NOTE(review): presumably these are the points KRIE instruments to
	// observe credential changes. Confirm against the eBPF side.
	HookPointConstants = map[string]HookPoint{
		"prepare_kernel_cred": 0,
		"commit_creds":        1,
	}
)
var ByteOrder binary.ByteOrder

ByteOrder holds the host's byte order

// ErrNotEnoughData is the error returned when the provided buffer is too
// small. Callers decoding raw event buffers should treat it as a truncated or
// malformed input rather than continue with a partially filled value.
var ErrNotEnoughData = fmt.Errorf("not enough data")
var RuntimeArch string

RuntimeArch holds the CPU architecture of the running machine

Functions

func AllExcludedFunctions

func AllExcludedFunctions() []string

AllExcludedFunctions returns the list of excluded functions

func AllProbes

func AllProbes(events EventTypeList) []*manager.Probe

AllProbes returns all the probes

func AllProbesSelectors

func AllProbesSelectors(events EventTypeList) []manager.ProbesSelector

AllProbesSelectors returns all the probes selectors

func AllTailCallRoutes

func AllTailCallRoutes(events EventTypeList) []manager.TailCallRoute

AllTailCallRoutes returns all the tail call routes

func ExpandSyscallProbes

func ExpandSyscallProbes(probe *manager.Probe, flag int, compat ...bool) []*manager.Probe

ExpandSyscallProbes returns the list of available hook probes for the syscall func name of the provided probe

func ExpandSyscallProbesSelector

func ExpandSyscallProbesSelector(id manager.ProbeIdentificationPair, flag int, compat ...bool) []manager.ProbesSelector

ExpandSyscallProbesSelector returns the list of a ProbesSelector required to query all the probes available for a syscall

func GetCheckHelperCallInputType

func GetCheckHelperCallInputType() uint64

GetCheckHelperCallInputType returns 1 or 2 depending on the prototype of the check_helper_call function in the current kernel

func GetHostByteOrder

func GetHostByteOrder() binary.ByteOrder

GetHostByteOrder guesses the host's byte order

func HasOneMillionInstructionsAvailable

func HasOneMillionInstructionsAvailable() bool

HasOneMillionInstructionsAvailable returns true if the current kernel accepts programs with 1 million instructions

func IsBPFLSMAvailable

func IsBPFLSMAvailable() bool

func IsBPFOverrideReturnAvailable

func IsBPFOverrideReturnAvailable() uint64

IsBPFOverrideReturnAvailable returns a uint64 flag indicating whether the bpf_override_return helper is available in the current kernel

func IsBPFSendSignalHelperAvailable

func IsBPFSendSignalHelperAvailable() uint64

IsBPFSendSignalHelperAvailable returns a uint64 flag indicating whether the bpf_send_signal helper is available in the current kernel

func IsCgroupSysctlProgramAvailable

func IsCgroupSysctlProgramAvailable() bool

IsCgroupSysctlProgramAvailable returns true if the cgroup sysctl program type is available in the current kernel

func ShouldUseSyscallExitTracepoints

func ShouldUseSyscallExitTracepoints() uint64

ShouldUseSyscallExitTracepoints returns a uint64 flag indicating whether the kernel version is old and tracepoints must be used instead of kretprobes to handle syscall exits

func UnmarshalString

func UnmarshalString(data []byte, size int) (string, error)

UnmarshalString unmarshals a string from the provided data buffer

Types

type Action

type Action uint32

Action is an action taken by KRIE

// Action values, numbered from 0 in declaration order. Each one is exposed
// under a textual name in ActionConstants.
//
// NOTE(review): what each action enforces is not visible in this listing. The
// declaration order suggests increasing severity, and the availability checks
// for bpf_override_return and bpf_send_signal suggest that blocking and
// killing depend on kernel support. Confirm before relying on either.
const (
	// NopAction is the zero value of Action; it is named "nop" in ActionConstants.
	NopAction Action = iota
	// LogAction is named "log" in ActionConstants.
	LogAction
	// BlockAction is named "block" in ActionConstants.
	BlockAction
	// KillAction is named "kill" in ActionConstants.
	KillAction
	// ParanoidAction is named "paranoid" in ActionConstants.
	ParanoidAction
)

func (Action) MarshalJSON

func (a Action) MarshalJSON() ([]byte, error)

func (Action) String

func (a Action) String() string

func (*Action) UnmarshalYAML

func (a *Action) UnmarshalYAML(value *yaml.Node) error

type AddressFamily

type AddressFamily uint16

AddressFamily represents an address family

func (AddressFamily) MarshalJSON

func (af AddressFamily) MarshalJSON() ([]byte, error)

func (AddressFamily) String

func (af AddressFamily) String() string

type BPFAttachType

type BPFAttachType uint32

BPFAttachType is used to define attach type constants

// BPF attach types, numbered from 1 in declaration order (iota + 1).
//
// NOTE(review): the kernel's enum bpf_attach_type starts at 0
// (BPF_CGROUP_INET_INGRESS == 0), so every value here is one higher than the
// kernel's. Presumably the producer of these values applies the same offset so
// that 0 can mean "no attach type". Confirm before comparing these constants
// against raw kernel values.
const (
	// BpfCgroupInetIngress attach type
	BpfCgroupInetIngress BPFAttachType = iota + 1
	// BpfCgroupInetEgress attach type
	BpfCgroupInetEgress
	// BpfCgroupInetSockCreate attach type
	BpfCgroupInetSockCreate
	// BpfCgroupSockOps attach type
	BpfCgroupSockOps
	// BpfSkSkbStreamParser attach type
	BpfSkSkbStreamParser
	// BpfSkSkbStreamVerdict attach type
	BpfSkSkbStreamVerdict
	// BpfCgroupDevice attach type
	BpfCgroupDevice
	// BpfSkMsgVerdict attach type
	BpfSkMsgVerdict
	// BpfCgroupInet4Bind attach type
	BpfCgroupInet4Bind
	// BpfCgroupInet6Bind attach type
	BpfCgroupInet6Bind
	// BpfCgroupInet4Connect attach type
	BpfCgroupInet4Connect
	// BpfCgroupInet6Connect attach type
	BpfCgroupInet6Connect
	// BpfCgroupInet4PostBind attach type
	BpfCgroupInet4PostBind
	// BpfCgroupInet6PostBind attach type
	BpfCgroupInet6PostBind
	// BpfCgroupUDP4Sendmsg attach type
	BpfCgroupUDP4Sendmsg
	// BpfCgroupUDP6Sendmsg attach type
	BpfCgroupUDP6Sendmsg
	// BpfLircMode2 attach type
	BpfLircMode2
	// BpfFlowDissector attach type
	BpfFlowDissector
	// BpfCgroupSysctl attach type
	BpfCgroupSysctl
	// BpfCgroupUDP4Recvmsg attach type
	BpfCgroupUDP4Recvmsg
	// BpfCgroupUDP6Recvmsg attach type
	BpfCgroupUDP6Recvmsg
	// BpfCgroupGetsockopt attach type
	BpfCgroupGetsockopt
	// BpfCgroupSetsockopt attach type
	BpfCgroupSetsockopt
	// BpfTraceRawTp attach type
	BpfTraceRawTp
	// BpfTraceFentry attach type
	BpfTraceFentry
	// BpfTraceFexit attach type
	BpfTraceFexit
	// BpfModifyReturn attach type
	BpfModifyReturn
	// BpfLsmMac attach type
	BpfLsmMac
	// BpfTraceIter attach type
	BpfTraceIter
	// BpfCgroupInet4Getpeername attach type
	BpfCgroupInet4Getpeername
	// BpfCgroupInet6Getpeername attach type
	BpfCgroupInet6Getpeername
	// BpfCgroupInet4Getsockname attach type
	BpfCgroupInet4Getsockname
	// BpfCgroupInet6Getsockname attach type
	BpfCgroupInet6Getsockname
	// BpfXdpDevmap attach type
	BpfXdpDevmap
	// BpfCgroupInetSockRelease attach type
	BpfCgroupInetSockRelease
	// BpfXdpCPUmap attach type
	BpfXdpCPUmap
	// BpfSkLookup attach type
	BpfSkLookup
	// BpfXdp attach type
	BpfXdp
	// BpfSkSkbVerdict attach type
	BpfSkSkbVerdict
)

func (BPFAttachType) MarshalJSON

func (t BPFAttachType) MarshalJSON() ([]byte, error)

func (BPFAttachType) String

func (t BPFAttachType) String() string

type BPFCmd

type BPFCmd uint64

BPFCmd represents a BPF command

// BPF commands, numbered from 0 in declaration order. The order follows the
// kernel's enum bpf_cmd (BPF_MAP_CREATE == 0), so inserting or reordering an
// entry would shift every later value away from the kernel's.
//
// For monitoring purposes, the commands that load or attach code
// (BpfProgLoadCmd, BpfProgAttachCmd, BpfLinkCreateCmd) and those that modify
// map contents (BpfMapUpdateElemCmd, BpfMapDeleteElemCmd and their batch
// variants) change kernel-side behavior, whereas the lookup and query
// commands only read state.
const (
	// BpfMapCreateCmd command
	BpfMapCreateCmd BPFCmd = iota
	// BpfMapLookupElemCmd command
	BpfMapLookupElemCmd
	// BpfMapUpdateElemCmd command
	BpfMapUpdateElemCmd
	// BpfMapDeleteElemCmd command
	BpfMapDeleteElemCmd
	// BpfMapGetNextKeyCmd command
	BpfMapGetNextKeyCmd
	// BpfProgLoadCmd command
	BpfProgLoadCmd
	// BpfObjPinCmd command
	BpfObjPinCmd
	// BpfObjGetCmd command
	BpfObjGetCmd
	// BpfProgAttachCmd command
	BpfProgAttachCmd
	// BpfProgDetachCmd command
	BpfProgDetachCmd
	// BpfProgTestRunCmd command; BPFCmdConstants exposes it under both
	// "BPF_PROG_TEST_RUN" and "BPF_PROG_RUN".
	BpfProgTestRunCmd
	// BpfProgGetNextIDCmd command
	BpfProgGetNextIDCmd
	// BpfMapGetNextIDCmd command
	BpfMapGetNextIDCmd
	// BpfProgGetFdByIDCmd command
	BpfProgGetFdByIDCmd
	// BpfMapGetFdByIDCmd command
	BpfMapGetFdByIDCmd
	// BpfObjGetInfoByFdCmd command
	BpfObjGetInfoByFdCmd
	// BpfProgQueryCmd command
	BpfProgQueryCmd
	// BpfRawTracepointOpenCmd command
	BpfRawTracepointOpenCmd
	// BpfBtfLoadCmd command
	BpfBtfLoadCmd
	// BpfBtfGetFdByIDCmd command
	BpfBtfGetFdByIDCmd
	// BpfTaskFdQueryCmd command
	BpfTaskFdQueryCmd
	// BpfMapLookupAndDeleteElemCmd command
	BpfMapLookupAndDeleteElemCmd
	// BpfMapFreezeCmd command
	BpfMapFreezeCmd
	// BpfBtfGetNextIDCmd command
	BpfBtfGetNextIDCmd
	// BpfMapLookupBatchCmd command
	BpfMapLookupBatchCmd
	// BpfMapLookupAndDeleteBatchCmd command
	BpfMapLookupAndDeleteBatchCmd
	// BpfMapUpdateBatchCmd command
	BpfMapUpdateBatchCmd
	// BpfMapDeleteBatchCmd command
	BpfMapDeleteBatchCmd
	// BpfLinkCreateCmd command
	BpfLinkCreateCmd
	// BpfLinkUpdateCmd command
	BpfLinkUpdateCmd
	// BpfLinkGetFdByIDCmd command
	BpfLinkGetFdByIDCmd
	// BpfLinkGetNextIDCmd command
	BpfLinkGetNextIDCmd
	// BpfEnableStatsCmd command
	BpfEnableStatsCmd
	// BpfIterCreateCmd command
	BpfIterCreateCmd
	// BpfLinkDetachCmd command
	BpfLinkDetachCmd
	// BpfProgBindMapCmd command
	BpfProgBindMapCmd
)

func (BPFCmd) MarshalJSON

func (cmd BPFCmd) MarshalJSON() ([]byte, error)

func (BPFCmd) String

func (cmd BPFCmd) String() string

type BPFEvent

type BPFEvent struct {
	// Map describes a BPF map.
	// NOTE(review): presumably only meaningful when Cmd is a map-related
	// command; confirm against UnmarshallBinary.
	Map     BPFMap
	// Program describes a BPF program.
	// NOTE(review): presumably only meaningful when Cmd is a program-related
	// command; confirm against UnmarshallBinary.
	Program BPFProgram
	// Cmd is the BPF command of the event (see the BPFCmd constants).
	Cmd     BPFCmd
}

BPFEvent represents a BPF event

func (*BPFEvent) UnmarshallBinary

func (e *BPFEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type BPFEventSerializer

type BPFEventSerializer struct {
	// Map is a pointer tagged omitempty, so a nil Map is left out of the JSON output.
	Map     *BPFMap     `json:"map,omitempty"`
	// Program is a pointer tagged omitempty, so a nil Program is left out of the JSON output.
	Program *BPFProgram `json:"program,omitempty"`
	// Cmd has no omitempty, so it is always emitted, including for the zero
	// value (BpfMapCreateCmd).
	Cmd     BPFCmd      `json:"cmd"`
}

BPFEventSerializer is used to serialize BPFEvent easyjson:json

func NewBPFEventSerializer

func NewBPFEventSerializer(e *BPFEvent) *BPFEventSerializer

NewBPFEventSerializer returns a new instance of BPFEventSerializer

func (BPFEventSerializer) MarshalEasyJSON

func (v BPFEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*BPFEventSerializer) UnmarshalEasyJSON

func (v *BPFEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type BPFFilterCmd

type BPFFilterCmd uint32

BPFFilterCmd represents a BPF filter command

const (
	// SoAttachFilter command
	SoAttachFilter BPFFilterCmd = 26
	// SoDetachFilter command
	SoDetachFilter BPFFilterCmd = 27
	// SoLockFilter command
	SoLockFilter BPFFilterCmd = 44
)

func (BPFFilterCmd) MarshalJSON

func (cmd BPFFilterCmd) MarshalJSON() ([]byte, error)

func (BPFFilterCmd) String

func (cmd BPFFilterCmd) String() string

type BPFFilterEvent

type BPFFilterEvent struct {
	// Cmd is the socket filter command (SoAttachFilter, SoDetachFilter or
	// SoLockFilter).
	Cmd      BPFFilterCmd  `json:"cmd,omitempty"`
	// Family is the address family.
	// NOTE(review): presumably that of the socket the filter command targets; confirm.
	Family   AddressFamily `json:"family,omitempty"`
	// Type is the socket type.
	// NOTE(review): presumably that of the socket the filter command targets; confirm.
	Type     SocketType    `json:"type,omitempty"`
	// Protocol is the L3 protocol (see L3ProtocolConstants).
	Protocol L3Protocol    `json:"protocol,omitempty"`
	// ProgLen is a 16-bit program length.
	// NOTE(review): presumably the instruction count of the classic BPF
	// filter being attached; confirm against the eBPF side.
	ProgLen  uint16        `json:"prog_len,omitempty"`
}

BPFFilterEvent represents a BPF filter event

func (*BPFFilterEvent) UnmarshallBinary

func (e *BPFFilterEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type BPFFilterEventSerializer

type BPFFilterEventSerializer struct {
	// The embedded pointer promotes BPFFilterEvent's fields, together with
	// their JSON tags, onto the serializer.
	*BPFFilterEvent
}

BPFFilterEventSerializer is used to serialize BPFFilterEvent easyjson:json

func NewBPFFilterEventSerializer

func NewBPFFilterEventSerializer(e *BPFFilterEvent) *BPFFilterEventSerializer

NewBPFFilterEventSerializer returns a new instance of BPFFilterEventSerializer

func (BPFFilterEventSerializer) MarshalEasyJSON

func (v BPFFilterEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*BPFFilterEventSerializer) UnmarshalEasyJSON

func (v *BPFFilterEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type BPFHelperFunc

type BPFHelperFunc uint32

BPFHelperFunc represents a BPF helper function

// BPF helper functions, numbered from 0 in declaration order. The order
// follows the kernel's BPF helper IDs (BpfUnspec == 0 through
// BpfSnprintf == 165), so inserting or reordering an entry would shift every
// later value away from the kernel's.
//
// A few helpers are called out below because they let a BPF program change
// the state of the system instead of only observing it: BpfProbeWriteUser,
// BpfOverrideReturn, BpfSendSignal and BpfSendSignalThread. A program that
// uses them usually deserves a closer look when reviewing loaded programs.
const (
	// BpfUnspec helper function
	BpfUnspec BPFHelperFunc = iota
	// BpfMapLookupElem helper function
	BpfMapLookupElem
	// BpfMapUpdateElem helper function
	BpfMapUpdateElem
	// BpfMapDeleteElem helper function
	BpfMapDeleteElem
	// BpfProbeRead helper function
	BpfProbeRead
	// BpfKtimeGetNs helper function
	BpfKtimeGetNs
	// BpfTracePrintk helper function
	BpfTracePrintk
	// BpfGetPrandomU32 helper function
	BpfGetPrandomU32
	// BpfGetSmpProcessorID helper function
	BpfGetSmpProcessorID
	// BpfSkbStoreBytes helper function
	BpfSkbStoreBytes
	// BpfL3CsumReplace helper function
	BpfL3CsumReplace
	// BpfL4CsumReplace helper function
	BpfL4CsumReplace
	// BpfTailCall helper function
	BpfTailCall
	// BpfCloneRedirect helper function
	BpfCloneRedirect
	// BpfGetCurrentPidTgid helper function
	BpfGetCurrentPidTgid
	// BpfGetCurrentUIDGid helper function
	BpfGetCurrentUIDGid
	// BpfGetCurrentComm helper function
	BpfGetCurrentComm
	// BpfGetCgroupClassid helper function
	BpfGetCgroupClassid
	// BpfSkbVlanPush helper function
	BpfSkbVlanPush
	// BpfSkbVlanPop helper function
	BpfSkbVlanPop
	// BpfSkbGetTunnelKey helper function
	BpfSkbGetTunnelKey
	// BpfSkbSetTunnelKey helper function
	BpfSkbSetTunnelKey
	// BpfPerfEventRead helper function
	BpfPerfEventRead
	// BpfRedirect helper function
	BpfRedirect
	// BpfGetRouteRealm helper function
	BpfGetRouteRealm
	// BpfPerfEventOutput helper function
	BpfPerfEventOutput
	// BpfSkbLoadBytes helper function
	BpfSkbLoadBytes
	// BpfGetStackid helper function
	BpfGetStackid
	// BpfCsumDiff helper function
	BpfCsumDiff
	// BpfSkbGetTunnelOpt helper function
	BpfSkbGetTunnelOpt
	// BpfSkbSetTunnelOpt helper function
	BpfSkbSetTunnelOpt
	// BpfSkbChangeProto helper function
	BpfSkbChangeProto
	// BpfSkbChangeType helper function
	BpfSkbChangeType
	// BpfSkbUnderCgroup helper function
	BpfSkbUnderCgroup
	// BpfGetHashRecalc helper function
	BpfGetHashRecalc
	// BpfGetCurrentTask helper function
	BpfGetCurrentTask
	// BpfProbeWriteUser helper function. The kernel's bpf_probe_write_user
	// writes into the user-space memory of the current task.
	BpfProbeWriteUser
	// BpfCurrentTaskUnderCgroup helper function
	BpfCurrentTaskUnderCgroup
	// BpfSkbChangeTail helper function
	BpfSkbChangeTail
	// BpfSkbPullData helper function
	BpfSkbPullData
	// BpfCsumUpdate helper function
	BpfCsumUpdate
	// BpfSetHashInvalid helper function
	BpfSetHashInvalid
	// BpfGetNumaNodeID helper function
	BpfGetNumaNodeID
	// BpfSkbChangeHead helper function
	BpfSkbChangeHead
	// BpfXdpAdjustHead helper function
	BpfXdpAdjustHead
	// BpfProbeReadStr helper function
	BpfProbeReadStr
	// BpfGetSocketCookie helper function
	BpfGetSocketCookie
	// BpfGetSocketUID helper function
	BpfGetSocketUID
	// BpfSetHash helper function
	BpfSetHash
	// BpfSetsockopt helper function
	BpfSetsockopt
	// BpfSkbAdjustRoom helper function
	BpfSkbAdjustRoom
	// BpfRedirectMap helper function
	BpfRedirectMap
	// BpfSkRedirectMap helper function
	BpfSkRedirectMap
	// BpfSockMapUpdate helper function
	BpfSockMapUpdate
	// BpfXdpAdjustMeta helper function
	BpfXdpAdjustMeta
	// BpfPerfEventReadValue helper function
	BpfPerfEventReadValue
	// BpfPerfProgReadValue helper function
	BpfPerfProgReadValue
	// BpfGetsockopt helper function
	BpfGetsockopt
	// BpfOverrideReturn helper function. The kernel's bpf_override_return
	// replaces the return value of a probed function; this package probes for
	// it with IsBPFOverrideReturnAvailable.
	BpfOverrideReturn
	// BpfSockOpsCbFlagsSet helper function
	BpfSockOpsCbFlagsSet
	// BpfMsgRedirectMap helper function
	BpfMsgRedirectMap
	// BpfMsgApplyBytes helper function
	BpfMsgApplyBytes
	// BpfMsgCorkBytes helper function
	BpfMsgCorkBytes
	// BpfMsgPullData helper function
	BpfMsgPullData
	// BpfBind helper function
	BpfBind
	// BpfXdpAdjustTail helper function
	BpfXdpAdjustTail
	// BpfSkbGetXfrmState helper function
	BpfSkbGetXfrmState
	// BpfGetStack helper function
	BpfGetStack
	// BpfSkbLoadBytesRelative helper function
	BpfSkbLoadBytesRelative
	// BpfFibLookup helper function
	BpfFibLookup
	// BpfSockHashUpdate helper function
	BpfSockHashUpdate
	// BpfMsgRedirectHash helper function
	BpfMsgRedirectHash
	// BpfSkRedirectHash helper function
	BpfSkRedirectHash
	// BpfLwtPushEncap helper function
	BpfLwtPushEncap
	// BpfLwtSeg6StoreBytes helper function
	BpfLwtSeg6StoreBytes
	// BpfLwtSeg6AdjustSrh helper function
	BpfLwtSeg6AdjustSrh
	// BpfLwtSeg6Action helper function
	BpfLwtSeg6Action
	// BpfRcRepeat helper function
	BpfRcRepeat
	// BpfRcKeydown helper function
	BpfRcKeydown
	// BpfSkbCgroupID helper function
	BpfSkbCgroupID
	// BpfGetCurrentCgroupID helper function
	BpfGetCurrentCgroupID
	// BpfGetLocalStorage helper function
	BpfGetLocalStorage
	// BpfSkSelectReuseport helper function
	BpfSkSelectReuseport
	// BpfSkbAncestorCgroupID helper function
	BpfSkbAncestorCgroupID
	// BpfSkLookupTCP helper function
	BpfSkLookupTCP
	// BpfSkLookupUDP helper function
	BpfSkLookupUDP
	// BpfSkRelease helper function
	BpfSkRelease
	// BpfMapPushElem helper function
	BpfMapPushElem
	// BpfMapPopElem helper function
	BpfMapPopElem
	// BpfMapPeekElem helper function
	BpfMapPeekElem
	// BpfMsgPushData helper function
	BpfMsgPushData
	// BpfMsgPopData helper function
	BpfMsgPopData
	// BpfRcPointerRel helper function
	BpfRcPointerRel
	// BpfSpinLock helper function
	BpfSpinLock
	// BpfSpinUnlock helper function
	BpfSpinUnlock
	// BpfSkFullsock helper function
	BpfSkFullsock
	// BpfTCPSock helper function
	BpfTCPSock
	// BpfSkbEcnSetCe helper function
	BpfSkbEcnSetCe
	// BpfGetListenerSock helper function
	BpfGetListenerSock
	// BpfSkcLookupTCP helper function
	BpfSkcLookupTCP
	// BpfTCPCheckSyncookie helper function
	BpfTCPCheckSyncookie
	// BpfSysctlGetName helper function
	BpfSysctlGetName
	// BpfSysctlGetCurrentValue helper function
	BpfSysctlGetCurrentValue
	// BpfSysctlGetNewValue helper function
	BpfSysctlGetNewValue
	// BpfSysctlSetNewValue helper function
	BpfSysctlSetNewValue
	// BpfStrtol helper function
	BpfStrtol
	// BpfStrtoul helper function
	BpfStrtoul
	// BpfSkStorageGet helper function
	BpfSkStorageGet
	// BpfSkStorageDelete helper function
	BpfSkStorageDelete
	// BpfSendSignal helper function. The kernel's bpf_send_signal sends a
	// signal to the process of the current task; this package probes for it
	// with IsBPFSendSignalHelperAvailable.
	BpfSendSignal
	// BpfTCPGenSyncookie helper function
	BpfTCPGenSyncookie
	// BpfSkbOutput helper function
	BpfSkbOutput
	// BpfProbeReadUser helper function
	BpfProbeReadUser
	// BpfProbeReadKernel helper function
	BpfProbeReadKernel
	// BpfProbeReadUserStr helper function
	BpfProbeReadUserStr
	// BpfProbeReadKernelStr helper function
	BpfProbeReadKernelStr
	// BpfTCPSendAck helper function
	BpfTCPSendAck
	// BpfSendSignalThread helper function. The kernel's
	// bpf_send_signal_thread sends a signal to the thread of the current task.
	BpfSendSignalThread
	// BpfJiffies64 helper function
	BpfJiffies64
	// BpfReadBranchRecords helper function
	BpfReadBranchRecords
	// BpfGetNsCurrentPidTgid helper function
	BpfGetNsCurrentPidTgid
	// BpfXdpOutput helper function
	BpfXdpOutput
	// BpfGetNetnsCookie helper function
	BpfGetNetnsCookie
	// BpfGetCurrentAncestorCgroupID helper function
	BpfGetCurrentAncestorCgroupID
	// BpfSkAssign helper function
	BpfSkAssign
	// BpfKtimeGetBootNs helper function
	BpfKtimeGetBootNs
	// BpfSeqPrintf helper function
	BpfSeqPrintf
	// BpfSeqWrite helper function
	BpfSeqWrite
	// BpfSkCgroupID helper function
	BpfSkCgroupID
	// BpfSkAncestorCgroupID helper function
	BpfSkAncestorCgroupID
	// BpfRingbufOutput helper function
	BpfRingbufOutput
	// BpfRingbufReserve helper function
	BpfRingbufReserve
	// BpfRingbufSubmit helper function
	BpfRingbufSubmit
	// BpfRingbufDiscard helper function
	BpfRingbufDiscard
	// BpfRingbufQuery helper function
	BpfRingbufQuery
	// BpfCsumLevel helper function
	BpfCsumLevel
	// BpfSkcToTCP6Sock helper function
	BpfSkcToTCP6Sock
	// BpfSkcToTCPSock helper function
	BpfSkcToTCPSock
	// BpfSkcToTCPTimewaitSock helper function
	BpfSkcToTCPTimewaitSock
	// BpfSkcToTCPRequestSock helper function
	BpfSkcToTCPRequestSock
	// BpfSkcToUDP6Sock helper function
	BpfSkcToUDP6Sock
	// BpfGetTaskStack helper function
	BpfGetTaskStack
	// BpfLoadHdrOpt helper function
	BpfLoadHdrOpt
	// BpfStoreHdrOpt helper function
	BpfStoreHdrOpt
	// BpfReserveHdrOpt helper function
	BpfReserveHdrOpt
	// BpfInodeStorageGet helper function
	BpfInodeStorageGet
	// BpfInodeStorageDelete helper function
	BpfInodeStorageDelete
	// BpfDPath helper function
	BpfDPath
	// BpfCopyFromUser helper function
	BpfCopyFromUser
	// BpfSnprintfBtf helper function
	BpfSnprintfBtf
	// BpfSeqPrintfBtf helper function
	BpfSeqPrintfBtf
	// BpfSkbCgroupClassid helper function
	BpfSkbCgroupClassid
	// BpfRedirectNeigh helper function
	BpfRedirectNeigh
	// BpfPerCPUPtr helper function
	BpfPerCPUPtr
	// BpfThisCPUPtr helper function
	BpfThisCPUPtr
	// BpfRedirectPeer helper function
	BpfRedirectPeer
	// BpfTaskStorageGet helper function
	BpfTaskStorageGet
	// BpfTaskStorageDelete helper function
	BpfTaskStorageDelete
	// BpfGetCurrentTaskBtf helper function
	BpfGetCurrentTaskBtf
	// BpfBprmOptsSet helper function
	BpfBprmOptsSet
	// BpfKtimeGetCoarseNs helper function
	BpfKtimeGetCoarseNs
	// BpfImaInodeHash helper function
	BpfImaInodeHash
	// BpfSockFromFile helper function
	BpfSockFromFile
	// BpfCheckMtu helper function
	BpfCheckMtu
	// BpfForEachMapElem helper function
	BpfForEachMapElem
	// BpfSnprintf helper function
	BpfSnprintf
)

func (BPFHelperFunc) String

func (f BPFHelperFunc) String() string

type BPFHelperFuncList

type BPFHelperFuncList []BPFHelperFunc

BPFHelperFuncList represents a list of eBPF helpers

func (BPFHelperFuncList) MarshalJSON

func (l BPFHelperFuncList) MarshalJSON() ([]byte, error)

func (BPFHelperFuncList) String

func (l BPFHelperFuncList) String() string

type BPFMap

// BPFMap describes one BPF map as carried in an event: its ID, type and name.
// Type and Name are tagged `omitempty`, so a zero Type (BpfMapTypeUnspec) or an
// empty Name is left out of the JSON output; a consumer cannot tell
// "unspecified" from "not reported" by the absence of the key.
type BPFMap struct {
	// ID is the numeric identifier of the map (presumably the kernel-assigned
	// map ID; confirm against the kernel-space producer). Always serialized.
	ID   uint32     `json:"id"`
	// Type is the map type, one of the BpfMapType* constants.
	Type BPFMapType `json:"type,omitempty"`
	// Name is the map name. BPFObjectNameLen (16) is documented in this package
	// as the maximum length of a map or program name.
	Name string     `json:"name,omitempty"`
}

BPFMap represents a BPF map

func (*BPFMap) UnmarshalBinary

func (m *BPFMap) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFMapType

type BPFMapType uint32

BPFMapType is used to define map type constants

// BPF map type constants. Values are assigned by iota in declaration order,
// from BpfMapTypeUnspec (0) to BpfMapTypeTaskStorage (29). The order follows
// the kernel's enum bpf_map_type, so entries must not be reordered or removed.
// Map types added by later kernels are not listed; how String and MarshalJSON
// render a value outside this range is not shown on this page.
const (
	// BpfMapTypeUnspec map type
	BpfMapTypeUnspec BPFMapType = iota
	// BpfMapTypeHash map type
	BpfMapTypeHash
	// BpfMapTypeArray map type
	BpfMapTypeArray
	// BpfMapTypeProgArray map type
	BpfMapTypeProgArray
	// BpfMapTypePerfEventArray map type
	BpfMapTypePerfEventArray
	// BpfMapTypePercpuHash map type
	BpfMapTypePercpuHash
	// BpfMapTypePercpuArray map type
	BpfMapTypePercpuArray
	// BpfMapTypeStackTrace map type
	BpfMapTypeStackTrace
	// BpfMapTypeCgroupArray map type
	BpfMapTypeCgroupArray
	// BpfMapTypeLruHash map type
	BpfMapTypeLruHash
	// BpfMapTypeLruPercpuHash map type
	BpfMapTypeLruPercpuHash
	// BpfMapTypeLpmTrie map type
	BpfMapTypeLpmTrie
	// BpfMapTypeArrayOfMaps map type
	BpfMapTypeArrayOfMaps
	// BpfMapTypeHashOfMaps map type
	BpfMapTypeHashOfMaps
	// BpfMapTypeDevmap map type
	BpfMapTypeDevmap
	// BpfMapTypeSockmap map type
	BpfMapTypeSockmap
	// BpfMapTypeCPUmap map type
	BpfMapTypeCPUmap
	// BpfMapTypeXskmap map type
	BpfMapTypeXskmap
	// BpfMapTypeSockhash map type
	BpfMapTypeSockhash
	// BpfMapTypeCgroupStorage map type
	BpfMapTypeCgroupStorage
	// BpfMapTypeReuseportSockarray map type
	BpfMapTypeReuseportSockarray
	// BpfMapTypePercpuCgroupStorage map type
	BpfMapTypePercpuCgroupStorage
	// BpfMapTypeQueue map type
	BpfMapTypeQueue
	// BpfMapTypeStack map type
	BpfMapTypeStack
	// BpfMapTypeSkStorage map type
	BpfMapTypeSkStorage
	// BpfMapTypeDevmapHash map type
	BpfMapTypeDevmapHash
	// BpfMapTypeStructOps map type
	BpfMapTypeStructOps
	// BpfMapTypeRingbuf map type
	BpfMapTypeRingbuf
	// BpfMapTypeInodeStorage map type
	BpfMapTypeInodeStorage
	// BpfMapTypeTaskStorage map type
	BpfMapTypeTaskStorage
)

func (BPFMapType) MarshalJSON

func (t BPFMapType) MarshalJSON() ([]byte, error)

func (BPFMapType) String

func (t BPFMapType) String() string

type BPFProgram

// BPFProgram describes one BPF program as carried in an event. Every field
// except ID is tagged `omitempty`, so zero or empty values (for example
// BpfProgTypeUnspec, or an empty helper list) are absent from the JSON output
// rather than serialized explicitly.
type BPFProgram struct {
	// ID is the numeric identifier of the program (presumably the
	// kernel-assigned program ID; confirm against the kernel-space producer).
	ID         uint32            `json:"id"`
	// Type is the program type, one of the BpfProgType* constants.
	Type       BPFProgramType    `json:"type,omitempty"`
	// AttachType is the attach type of the program; BPFAttachType is declared
	// elsewhere in the package.
	AttachType BPFAttachType     `json:"attach_type,omitempty"`
	// Helpers is a list of eBPF helpers (presumably the helpers the program
	// calls; how the list is collected is not shown here).
	Helpers    BPFHelperFuncList `json:"helpers,omitempty"`
	// Name is the program name. BPFObjectNameLen (16) is documented in this
	// package as the maximum length of a map or program name.
	Name       string            `json:"name,omitempty"`
	// Tag is the program tag as a string. BPFTagLen (8) is documented as the
	// length of a bpf program tag; the string encoding used here is not shown.
	Tag        string            `json:"tag,omitempty"`
}

BPFProgram represents a BPF program

func (*BPFProgram) UnmarshalBinary

func (p *BPFProgram) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type BPFProgramType

type BPFProgramType uint32

BPFProgramType is used to define program type constants

// BPF program type constants. Values are assigned by iota in declaration
// order, from BpfProgTypeUnspec (0) to BpfProgTypeSkLookup (30). The order
// follows the kernel's enum bpf_prog_type, so entries must not be reordered or
// removed. Program types added by later kernels are not listed; how String and
// MarshalJSON render a value outside this range is not shown on this page.
const (
	// BpfProgTypeUnspec program type
	BpfProgTypeUnspec BPFProgramType = iota
	// BpfProgTypeSocketFilter program type
	BpfProgTypeSocketFilter
	// BpfProgTypeKprobe program type
	BpfProgTypeKprobe
	// BpfProgTypeSchedCls program type
	BpfProgTypeSchedCls
	// BpfProgTypeSchedAct program type
	BpfProgTypeSchedAct
	// BpfProgTypeTracepoint program type
	BpfProgTypeTracepoint
	// BpfProgTypeXdp program type
	BpfProgTypeXdp
	// BpfProgTypePerfEvent program type
	BpfProgTypePerfEvent
	// BpfProgTypeCgroupSkb program type
	BpfProgTypeCgroupSkb
	// BpfProgTypeCgroupSock program type
	BpfProgTypeCgroupSock
	// BpfProgTypeLwtIn program type
	BpfProgTypeLwtIn
	// BpfProgTypeLwtOut program type
	BpfProgTypeLwtOut
	// BpfProgTypeLwtXmit program type
	BpfProgTypeLwtXmit
	// BpfProgTypeSockOps program type
	BpfProgTypeSockOps
	// BpfProgTypeSkSkb program type
	BpfProgTypeSkSkb
	// BpfProgTypeCgroupDevice program type
	BpfProgTypeCgroupDevice
	// BpfProgTypeSkMsg program type
	BpfProgTypeSkMsg
	// BpfProgTypeRawTracepoint program type
	BpfProgTypeRawTracepoint
	// BpfProgTypeCgroupSockAddr program type
	BpfProgTypeCgroupSockAddr
	// BpfProgTypeLwtSeg6local program type
	BpfProgTypeLwtSeg6local
	// BpfProgTypeLircMode2 program type
	BpfProgTypeLircMode2
	// BpfProgTypeSkReuseport program type
	BpfProgTypeSkReuseport
	// BpfProgTypeFlowDissector program type
	BpfProgTypeFlowDissector
	// BpfProgTypeCgroupSysctl program type
	BpfProgTypeCgroupSysctl
	// BpfProgTypeRawTracepointWritable program type
	BpfProgTypeRawTracepointWritable
	// BpfProgTypeCgroupSockopt program type
	BpfProgTypeCgroupSockopt
	// BpfProgTypeTracing program type
	BpfProgTypeTracing
	// BpfProgTypeStructOps program type
	BpfProgTypeStructOps
	// BpfProgTypeExt program type
	BpfProgTypeExt
	// BpfProgTypeLsm program type
	BpfProgTypeLsm
	// BpfProgTypeSkLookup program type
	BpfProgTypeSkLookup
)

func (BPFProgramType) MarshalJSON

func (t BPFProgramType) MarshalJSON() ([]byte, error)

func (BPFProgramType) String

func (t BPFProgramType) String() string

type CgroupContext

// CgroupContext holds the cgroup context of an event: the subsystem it belongs
// to, the cgroup ID and the cgroup name.
type CgroupContext struct {
	// SubsystemID identifies the cgroup subsystem. It is tagged `json:"-"` and
	// is therefore never written to the JSON output of this struct.
	SubsystemID CgroupSubsystemID `json:"-"`
	// ID is the numeric cgroup identifier; always serialized.
	ID          uint32            `json:"id"`
	// Name is the cgroup name, omitted from JSON when empty. The package
	// defines CgroupNameLength = 128; presumably the size of the name buffer
	// read from kernel space, so longer names may arrive truncated (confirm).
	Name        string            `json:"name,omitempty"`
}

CgroupContext is used to parse the cgroup context of an event

func (*CgroupContext) UnmarshalBinary

func (cc *CgroupContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type CgroupSubsystemID

type CgroupSubsystemID uint32

CgroupSubsystemID is used to parse a cgroup subsystem ID

// Cgroup subsystem identifiers. Values are assigned by iota in declaration
// order, starting at 0. The order follows the controller order of the kernel's
// cgroup_subsys.h.
// NOTE(review): kernel subsystem IDs are generated from the controllers enabled
// at build time, so on a kernel built without one of these controllers the
// numeric IDs may not line up with these constants; confirm how the ID is
// resolved before relying on the name in an event.
const (
	// CgroupSubsystemCPUSet is the cpuset subsystem (0).
	CgroupSubsystemCPUSet CgroupSubsystemID = iota
	// CgroupSubsystemCPU is the cpu subsystem (1).
	CgroupSubsystemCPU
	// CgroupSubsystemCPUAcct is the cpuacct subsystem (2).
	CgroupSubsystemCPUAcct
	// CgroupSubsystemIO is the io subsystem (3).
	CgroupSubsystemIO
	// CgroupSubsystemMemory is the memory subsystem (4).
	CgroupSubsystemMemory
	// CgroupSubsystemDevices is the devices subsystem (5).
	CgroupSubsystemDevices
	// CgroupSubsystemFreezer is the freezer subsystem (6).
	CgroupSubsystemFreezer
	// CgroupSubsystemNetCLS is the net_cls subsystem (7).
	CgroupSubsystemNetCLS
	// CgroupSubsystemPerfEvent is the perf_event subsystem (8).
	CgroupSubsystemPerfEvent
	// CgroupSubsystemNetPrio is the net_prio subsystem (9).
	CgroupSubsystemNetPrio
	// CgroupSubsystemHugeTLB is the hugetlb subsystem (10).
	CgroupSubsystemHugeTLB
	// CgroupSubsystemPIDs is the pids subsystem (11).
	CgroupSubsystemPIDs
	// CgroupSubsystemRDMA is the rdma subsystem (12).
	CgroupSubsystemRDMA
	// CgroupSubsystemMisc is the misc subsystem (13).
	CgroupSubsystemMisc
	// CgroupSubsystemMax is the value after the last subsystem (14);
	// presumably used as a bound rather than as a subsystem ID.
	CgroupSubsystemMax
)

func (CgroupSubsystemID) MarshalJSON

func (id CgroupSubsystemID) MarshalJSON() ([]byte, error)

func (CgroupSubsystemID) String

func (id CgroupSubsystemID) String() string

type Cgroups

Cgroups is used to wrap the CgroupContext and ease serialization

func (Cgroups) MarshalJSON

func (c Cgroups) MarshalJSON() ([]byte, error)

type CredentialsContext

// CredentialsContext holds the credentials captured with an event. The field
// names follow the Linux credential model (real, saved, effective and
// filesystem IDs, securebits, and the five capability sets). Which task they
// describe and at what point they are sampled is decided by the kernel-space
// producer, which is not shown here. No field is tagged `omitempty`, so every
// value, including 0, is present in the JSON output.
type CredentialsContext struct {
	// Real user and group IDs.
	UID            uint32 `json:"uid"`
	GID            uint32 `json:"gid"`
	// Saved set-user-ID and set-group-ID.
	SUID           uint32 `json:"suid"`
	SGID           uint32 `json:"sgid"`
	// Effective user and group IDs.
	EUID           uint32 `json:"euid"`
	EGID           uint32 `json:"egid"`
	// Filesystem user and group IDs.
	FSUID          uint32 `json:"fsuid"`
	FSGID          uint32 `json:"fsgid"`
	// SecureBits carries the securebits flags as a raw 32-bit value.
	SecureBits     uint32 `json:"secure_bits"`
	// Capability sets as raw 64-bit values (presumably one bit per capability
	// number; confirm the bit layout before decoding them in a rule).
	CapInheritable uint64 `json:"cap_inheritable"`
	CapPermitted   uint64 `json:"cap_permitted"`
	CapEffective   uint64 `json:"cap_effective"`
	CapBSET        uint64 `json:"cap_bset"`
	// CapAmbiant is the ambient capability set. The spelling "ambiant" is used
	// for both the field and the JSON key `cap_ambiant`; queries and detection
	// rules must match that exact key.
	CapAmbiant     uint64 `json:"cap_ambiant"`
}

CredentialsContext is used to parse the credentials context of an event

func (*CredentialsContext) UnmarshalBinary

func (cc *CredentialsContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type DeleteModuleEvent

// DeleteModuleEvent carries the payload of a delete_module event.
type DeleteModuleEvent struct {
	// Name is the name of the kernel module. ModuleNameLen (56) is documented
	// in this package as the length of the name of a kernel module.
	Name string `json:"name"`
}

DeleteModuleEvent is used to parse a delete_module event

func (*DeleteModuleEvent) UnmarshallBinary

func (dm *DeleteModuleEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type DeleteModuleEventSerializer

type DeleteModuleEventSerializer struct {
	*DeleteModuleEvent
}

DeleteModuleEventSerializer is used to serialize DeleteModuleEvent (easyjson:json)

func NewDeleteModuleSerializer

func NewDeleteModuleSerializer(dm *DeleteModuleEvent) *DeleteModuleEventSerializer

NewDeleteModuleSerializer returns a new instance of DeleteModuleEventSerializer

func (DeleteModuleEventSerializer) MarshalEasyJSON

func (v DeleteModuleEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*DeleteModuleEventSerializer) UnmarshalEasyJSON

func (v *DeleteModuleEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type Event

// Event is the container used to parse an event sent from kernel space. It
// holds the common kernel and process context plus one field per event
// payload. All payloads are held by value, so every Event carries all of them;
// presumably only the payload matching the event type is populated and the
// others stay at their zero value (confirm against the decoder).
type Event struct {
	// Kernel is the kernel-level part of the event (KernelEvent is declared
	// elsewhere in the package).
	Kernel  KernelEvent
	// Process is the context of the process associated with the event.
	Process ProcessContext

	// audit events
	InitModule     InitModuleEvent
	DeleteModule   DeleteModuleEvent
	BPFEvent       BPFEvent
	BPFFilterEvent BPFFilterEvent
	PTraceEvent    PTraceEvent
	KProbeEvent    KProbeEvent
	SysCtlEvent    SysCtlEvent

	// krie events
	HookedSyscallEvent   HookedSyscallEvent
	EventCheckEvent      EventCheckEvent
	KernelParameterEvent KernelParameterEvent
	RegisterCheckEvent   RegisterCheckEvent
}

Event is used to parse the events sent from kernel space

func NewEvent

func NewEvent() *Event

NewEvent returns a new Event instance

func (*Event) MarshalJSON

func (e *Event) MarshalJSON() ([]byte, error)

func (Event) String

func (e Event) String() string

type EventCheckEvent

// EventCheckEvent carries the payload of an event_check event.
type EventCheckEvent struct {
	// CheckedEventType is the type of the event that was checked, one of the
	// EventType constants. It is always serialized, including the zero value
	// UnknownEventType.
	CheckedEventType EventType `json:"checked_event_type"`
}

EventCheckEvent represents an event_check event

func (*EventCheckEvent) UnmarshallBinary

func (e *EventCheckEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type EventCheckEventSerializer

type EventCheckEventSerializer struct {
	*EventCheckEvent
}

EventCheckEventSerializer is used to serialize EventCheckEvent (easyjson:json)

func NewEventCheckEventSerializer

func NewEventCheckEventSerializer(e *EventCheckEvent) *EventCheckEventSerializer

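NewEventCheckEventSerializer returns a new instance of EventCheckEventSerializer, as its signature shows; the "PtraceEventSerializer" named in the upstream comment appears to be a copy-paste slip.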

func (EventCheckEventSerializer) MarshalEasyJSON

func (v EventCheckEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*EventCheckEventSerializer) UnmarshalEasyJSON

func (v *EventCheckEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EventSerializer

// EventSerializer is the JSON view of an Event. Each embedded serializer is a
// pointer with an explicit JSON key and `omitempty`, so a nil serializer is
// left out of the output and only the sections that were set appear in the
// serialized event.
type EventSerializer struct {
	// Common sections: the kernel event ("event") and the process context
	// ("process").
	*KernelEventSerializer    `json:"event,omitempty"`
	*ProcessContextSerializer `json:"process,omitempty"`

	// audit events
	*InitModuleEventSerializer   `json:"init_module,omitempty"`
	*DeleteModuleEventSerializer `json:"delete_module,omitempty"`
	*BPFEventSerializer          `json:"bpf,omitempty"`
	*BPFFilterEventSerializer    `json:"bpf_filter,omitempty"`
	*PtraceEventSerializer       `json:"ptrace,omitempty"`
	*KProbeEventSerializer       `json:"kprobe,omitempty"`
	*SysCtlEventEventSerializer  `json:"sysctl,omitempty"`

	// krie events
	*HookedSyscallEventSerializer   `json:"hooked_syscall,omitempty"`
	*EventCheckEventSerializer      `json:"event_check,omitempty"`
	*KernelParameterEventSerializer `json:"kernel_parameter,omitempty"`
	*RegisterCheckEventSerializer   `json:"register_check,omitempty"`
}

EventSerializer is used to serialize Event (easyjson:json)

func NewEventSerializer

func NewEventSerializer(event *Event) *EventSerializer

NewEventSerializer returns a new EventSerializer instance for the provided Event

func (EventSerializer) MarshalEasyJSON

func (v EventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*EventSerializer) UnmarshalEasyJSON

func (v *EventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type EventType

type EventType uint32

EventType describes the type of an event sent from the kernel

// Event type constants. Values are assigned by iota in declaration order, from
// UnknownEventType (0) to MaxEventType (14). UnknownEventType is the zero
// value, so an EventType that was never set reads as unknown. New event types
// must be added before MaxEventType to keep it equal to the number of types.
const (
	// UnknownEventType is the unknown event type
	UnknownEventType EventType = iota
	// InitModuleEventType is the event type of an init module event
	InitModuleEventType
	// DeleteModuleEventType is the event type of a delete module event
	DeleteModuleEventType
	// BPFEventType is the event type of a BPF event
	BPFEventType
	// BPFFilterEventType is the event type of a bpf_filter event
	BPFFilterEventType
	// PTraceEventType is the event type of a ptrace event
	PTraceEventType
	// KProbeEventType is the event type of a kprobe event
	KProbeEventType
	// SysCtlEventType is the event type of a sysctl event
	SysCtlEventType
	// HookedSyscallTableEventType is the event type of a hooked_syscall_table event
	HookedSyscallTableEventType
	// HookedSyscallEventType is the event type of a hooked_syscall event
	HookedSyscallEventType
	// EventCheckEventType is the event type of an event_check event
	EventCheckEventType
	// KernelParameterEventType is the event type of a kernel_parameter event
	KernelParameterEventType
	// PeriodicKernelParameterEventType is the event type of a periodic_kernel_parameter event
	PeriodicKernelParameterEventType
	// RegisterCheckEventType is the event type of a register_check event
	RegisterCheckEventType
	// MaxEventType is used internally to get the maximum number of events.
	MaxEventType
)

func ParseEventType

func ParseEventType(input string) EventType

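ParseEventType returns an event type from its string representation. The signature has no error return, so the value returned for an unrecognised string (presumably UnknownEventType; not documented here) is the only sign that the input was not understood.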

func (EventType) MarshalJSON

func (t EventType) MarshalJSON() ([]byte, error)

func (EventType) String

func (t EventType) String() string

type EventTypeList

type EventTypeList []EventType

EventTypeList is a list of EventType

func (*EventTypeList) Contains

func (etl *EventTypeList) Contains(et EventType) bool

Contains returns true if the list of event types is empty or if it contains the provided event type. An empty list therefore matches every event type rather than none.

func (*EventTypeList) Insert

func (etl *EventTypeList) Insert(et EventType)

Insert inserts an event type into a list of event types

func (EventTypeList) String

func (etl EventTypeList) String() string

func (*EventTypeList) UnmarshalYAML

func (etl *EventTypeList) UnmarshalYAML(value *yaml.Node) error

UnmarshalYAML parses a string representation of a list of event types

type HookPoint

type HookPoint uint32

HookPoint is used to recognize a hook point from kernel space

func (HookPoint) MarshalJSON

func (hp HookPoint) MarshalJSON() ([]byte, error)

func (HookPoint) String

func (hp HookPoint) String() string

type HookedSyscallEvent

// HookedSyscallEvent carries the payload of a hooked_syscall or
// hooked_syscall_table event: which syscall and syscall table are concerned,
// and the two handler symbols recorded for the entry.
type HookedSyscallEvent struct {
	// Syscall and IA32Syscall identify the affected syscall. Both are pointers
	// tagged `omitempty`, so a nil one is absent from the JSON output;
	// presumably the one matching SyscallTable is set (confirm against the
	// decoder).
	Syscall      *Syscall     `json:"syscall,omitempty"`
	IA32Syscall  *IA32Syscall `json:"ia_32_syscall,omitempty"`
	// SyscallTable identifies the syscall table the event refers to.
	SyscallTable SyscallTable `json:"syscall_table"`

	// InitialHandler and NewHandler are kernel symbols; by their names, the
	// handler first recorded for the entry and the handler found in its place
	// (how each is resolved is not shown here). A difference between the two is
	// the signal this event reports.
	InitialHandler KernelSymbol `json:"initial_handler"`
	NewHandler     KernelSymbol `json:"new_handler"`
}

HookedSyscallEvent represents a hooked_syscall or hooked_syscall_table event

func (*HookedSyscallEvent) UnmarshallBinary

func (e *HookedSyscallEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type HookedSyscallEventSerializer

type HookedSyscallEventSerializer struct {
	*HookedSyscallEvent
}

HookedSyscallEventSerializer is used to serialize HookedSyscallEvent (easyjson:json)

func NewHookedSyscallEventSerializer

func NewHookedSyscallEventSerializer(e *HookedSyscallEvent) *HookedSyscallEventSerializer

NewHookedSyscallEventSerializer returns a new instance of HookedSyscallEventSerializer

func (HookedSyscallEventSerializer) MarshalEasyJSON

func (v HookedSyscallEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*HookedSyscallEventSerializer) UnmarshalEasyJSON

func (v *HookedSyscallEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type IA32Syscall

type IA32Syscall int

IA32Syscall represents an IA32Syscall identifier

const (
	IA32SysRestartSyscall             IA32Syscall = 0
	IA32SysExit                       IA32Syscall = 1
	IA32SysFork                       IA32Syscall = 2
	IA32SysRead                       IA32Syscall = 3
	IA32SysWrite                      IA32Syscall = 4
	IA32CompatSysOpen                 IA32Syscall = 5
	IA32SysClose                      IA32Syscall = 6
	IA32SysWaitpid                    IA32Syscall = 7
	IA32SysCreat                      IA32Syscall = 8
	IA32SysLink                       IA32Syscall = 9
	IA32SysUnlink                     IA32Syscall = 10
	IA32CompatSysExecve               IA32Syscall = 11
	IA32SysChdir                      IA32Syscall = 12
	IA32SysTime32                     IA32Syscall = 13
	IA32SysMknod                      IA32Syscall = 14
	IA32SysChmod                      IA32Syscall = 15
	IA32SysLchown16                   IA32Syscall = 16
	IA32Break                         IA32Syscall = 17
	IA32SysStat                       IA32Syscall = 18
	IA32CompatSysLseek                IA32Syscall = 19
	IA32SysGetpid                     IA32Syscall = 20
	IA32SysMount                      IA32Syscall = 21
	IA32SysOldumount                  IA32Syscall = 22
	IA32SysSetuid16                   IA32Syscall = 23
	IA32SysGetuid16                   IA32Syscall = 24
	IA32SysStime32                    IA32Syscall = 25
	IA32CompatSysPtrace               IA32Syscall = 26
	IA32SysAlarm                      IA32Syscall = 27
	IA32SysFstat                      IA32Syscall = 28
	IA32SysPause                      IA32Syscall = 29
	IA32SysUtime32                    IA32Syscall = 30
	IA32Stty                          IA32Syscall = 31
	IA32Gtty                          IA32Syscall = 32
	IA32SysAccess                     IA32Syscall = 33
	IA32SysNice                       IA32Syscall = 34
	IA32Ftime                         IA32Syscall = 35
	IA32SysSync                       IA32Syscall = 36
	IA32SysKill                       IA32Syscall = 37
	IA32SysRename                     IA32Syscall = 38
	IA32SysMkdir                      IA32Syscall = 39
	IA32SysRmdir                      IA32Syscall = 40
	IA32SysDup                        IA32Syscall = 41
	IA32SysPipe                       IA32Syscall = 42
	IA32CompatSysTimes                IA32Syscall = 43
	IA32Prof                          IA32Syscall = 44
	IA32SysBrk                        IA32Syscall = 45
	IA32SysSetgid16                   IA32Syscall = 46
	IA32SysGetgid16                   IA32Syscall = 47
	IA32SysSignal                     IA32Syscall = 48
	IA32SysGeteuid16                  IA32Syscall = 49
	IA32SysGetegid16                  IA32Syscall = 50
	IA32SysAcct                       IA32Syscall = 51
	IA32SysUmount                     IA32Syscall = 52
	IA32Lock                          IA32Syscall = 53
	IA32CompatSysIoctl                IA32Syscall = 54
	IA32CompatSysFcntl64              IA32Syscall = 55
	IA32Mpx                           IA32Syscall = 56
	IA32SysSetpgid                    IA32Syscall = 57
	IA32Ulimit                        IA32Syscall = 58
	IA32SysOlduname                   IA32Syscall = 59
	IA32SysUmask                      IA32Syscall = 60
	IA32SysChroot                     IA32Syscall = 61
	IA32CompatSysUstat                IA32Syscall = 62
	IA32SysDup2                       IA32Syscall = 63
	IA32SysGetppid                    IA32Syscall = 64
	IA32SysGetpgrp                    IA32Syscall = 65
	IA32SysSetsid                     IA32Syscall = 66
	IA32CompatSysSigaction            IA32Syscall = 67
	IA32SysSgetmask                   IA32Syscall = 68
	IA32SysSsetmask                   IA32Syscall = 69
	IA32SysSetreuid16                 IA32Syscall = 70
	IA32SysSetregid16                 IA32Syscall = 71
	IA32SysSigsuspend                 IA32Syscall = 72
	IA32CompatSysSigpending           IA32Syscall = 73
	IA32SysSethostname                IA32Syscall = 74
	IA32CompatSysSetrlimit            IA32Syscall = 75
	IA32CompatSysOldGetrlimit         IA32Syscall = 76
	IA32CompatSysGetrusage            IA32Syscall = 77
	IA32CompatSysGettimeofday         IA32Syscall = 78
	IA32CompatSysSettimeofday         IA32Syscall = 79
	IA32SysGetgroups16                IA32Syscall = 80
	IA32SysSetgroups16                IA32Syscall = 81
	IA32CompatSysOldSelect            IA32Syscall = 82
	IA32SysSymlink                    IA32Syscall = 83
	IA32SysLstat                      IA32Syscall = 84
	IA32SysReadlink                   IA32Syscall = 85
	IA32SysUselib                     IA32Syscall = 86
	IA32SysSwapon                     IA32Syscall = 87
	IA32SysReboot                     IA32Syscall = 88
	IA32CompatSysOldReaddir           IA32Syscall = 89
	IA32CompatSysIa32Mmap             IA32Syscall = 90
	IA32SysMunmap                     IA32Syscall = 91
	IA32CompatSysTruncate             IA32Syscall = 92
	IA32CompatSysFtruncate            IA32Syscall = 93
	IA32SysFchmod                     IA32Syscall = 94
	IA32SysFchown16                   IA32Syscall = 95
	IA32SysGetpriority                IA32Syscall = 96
	IA32SysSetpriority                IA32Syscall = 97
	IA32Profil                        IA32Syscall = 98
	IA32CompatSysStatfs               IA32Syscall = 99
	IA32CompatSysFstatfs              IA32Syscall = 100
	IA32SysIoperm                     IA32Syscall = 101
	IA32CompatSysSocketcall           IA32Syscall = 102
	IA32SysSyslog                     IA32Syscall = 103
	IA32CompatSysSetitimer            IA32Syscall = 104
	IA32CompatSysGetitimer            IA32Syscall = 105
	IA32CompatSysStat                 IA32Syscall = 106
	IA32CompatSysLstat                IA32Syscall = 107
	IA32CompatSysFstat                IA32Syscall = 108
	IA32SysUname                      IA32Syscall = 109
	IA32SysIopl                       IA32Syscall = 110
	IA32SysVhangup                    IA32Syscall = 111
	IA32Idle                          IA32Syscall = 112
	IA32CompatSysWait4                IA32Syscall = 114
	IA32SysSwapoff                    IA32Syscall = 115
	IA32CompatSysSysinfo              IA32Syscall = 116
	IA32CompatSysIpc                  IA32Syscall = 117
	IA32SysFsync                      IA32Syscall = 118
	IA32CompatSysSigreturn            IA32Syscall = 119
	IA32CompatSysIa32Clone            IA32Syscall = 120
	IA32SysSetdomainname              IA32Syscall = 121
	IA32SysNewUname                   IA32Syscall = 122
	IA32SysModifyLdt                  IA32Syscall = 123
	IA32SysAdjtimexTime32             IA32Syscall = 124
	IA32SysMprotect                   IA32Syscall = 125
	IA32CompatSysSigprocmask          IA32Syscall = 126
	IA32CreateModule                  IA32Syscall = 127
	IA32SysInitModule                 IA32Syscall = 128
	IA32SysDeleteModule               IA32Syscall = 129
	IA32GetKernelSyms                 IA32Syscall = 130
	IA32SysQuotactl                   IA32Syscall = 131
	IA32SysGetpgid                    IA32Syscall = 132
	IA32SysFchdir                     IA32Syscall = 133
	IA32SysSysfs                      IA32Syscall = 135
	IA32SysPersonality                IA32Syscall = 136
	IA32AfsSyscall                    IA32Syscall = 137
	IA32SysSetfsuid16                 IA32Syscall = 138
	IA32SysSetfsgid16                 IA32Syscall = 139
	IA32SysLlseek                     IA32Syscall = 140
	IA32CompatSysGetdents             IA32Syscall = 141
	IA32CompatSysSelect               IA32Syscall = 142
	IA32SysFlock                      IA32Syscall = 143
	IA32SysMsync                      IA32Syscall = 144
	IA32SysReadv                      IA32Syscall = 145
	IA32SysWritev                     IA32Syscall = 146
	IA32SysGetsid                     IA32Syscall = 147
	IA32SysFdatasync                  IA32Syscall = 148
	IA32SysMlock                      IA32Syscall = 150
	IA32SysMunlock                    IA32Syscall = 151
	IA32SysMlockall                   IA32Syscall = 152
	IA32SysMunlockall                 IA32Syscall = 153
	IA32SysSchedSetparam              IA32Syscall = 154
	IA32SysSchedGetparam              IA32Syscall = 155
	IA32SysSchedSetscheduler          IA32Syscall = 156
	IA32SysSchedGetscheduler          IA32Syscall = 157
	IA32SysSchedYield                 IA32Syscall = 158
	IA32SysSchedGetPriorityMax        IA32Syscall = 159
	IA32SysSchedGetPriorityMin        IA32Syscall = 160
	IA32SysSchedRrGetIntervalTime32   IA32Syscall = 161
	IA32SysNanosleepTime32            IA32Syscall = 162
	IA32SysMremap                     IA32Syscall = 163
	IA32SysSetresuid16                IA32Syscall = 164
	IA32SysGetresuid16                IA32Syscall = 165
	IA32QueryModule                   IA32Syscall = 167
	IA32SysPoll                       IA32Syscall = 168
	IA32Nfsservctl                    IA32Syscall = 169
	IA32SysSetresgid16                IA32Syscall = 170
	IA32SysGetresgid16                IA32Syscall = 171
	IA32SysPrctl                      IA32Syscall = 172
	IA32CompatSysRtSigreturn          IA32Syscall = 173
	IA32CompatSysRtSigaction          IA32Syscall = 174
	IA32CompatSysRtSigprocmask        IA32Syscall = 175
	IA32CompatSysRtSigpending         IA32Syscall = 176
	IA32CompatSysRtSigtimedwaitTime32 IA32Syscall = 177
	IA32CompatSysRtSigqueueinfo       IA32Syscall = 178
	IA32CompatSysRtSigsuspend         IA32Syscall = 179
	IA32SysIa32Pread64                IA32Syscall = 180
	IA32SysIa32Pwrite64               IA32Syscall = 181
	IA32SysChown16                    IA32Syscall = 182
	IA32SysGetcwd                     IA32Syscall = 183
	IA32SysCapget                     IA32Syscall = 184
	IA32SysCapset                     IA32Syscall = 185
	IA32CompatSysSigaltstack          IA32Syscall = 186
	IA32CompatSysSendfile             IA32Syscall = 187
	IA32Getpmsg                       IA32Syscall = 188
	IA32Putpmsg                       IA32Syscall = 189
	IA32SysVfork                      IA32Syscall = 190
	IA32CompatSysGetrlimit            IA32Syscall = 191
	IA32SysMmapPgoff                  IA32Syscall = 192
	IA32SysIa32Truncate64             IA32Syscall = 193
	IA32SysIa32Ftruncate64            IA32Syscall = 194
	IA32CompatSysIa32Stat64           IA32Syscall = 195
	IA32CompatSysIa32Lstat64          IA32Syscall = 196
	IA32CompatSysIa32Fstat64          IA32Syscall = 197
	IA32SysLchown                     IA32Syscall = 198
	IA32SysGetuid                     IA32Syscall = 199
	IA32SysGetgid                     IA32Syscall = 200
	IA32SysGeteuid                    IA32Syscall = 201
	IA32SysGetegid                    IA32Syscall = 202
	IA32SysSetreuid                   IA32Syscall = 203
	IA32SysSetregid                   IA32Syscall = 204
	IA32SysGetgroups                  IA32Syscall = 205
	IA32SysSetgroups                  IA32Syscall = 206
	IA32SysFchown                     IA32Syscall = 207
	IA32SysSetresuid                  IA32Syscall = 208
	IA32SysGetresuid                  IA32Syscall = 209
	IA32SysSetresgid                  IA32Syscall = 210
	IA32SysGetresgid                  IA32Syscall = 211
	IA32SysChown                      IA32Syscall = 212
	IA32SysSetuid                     IA32Syscall = 213
	IA32SysSetgid                     IA32Syscall = 214
	IA32SysSetfsuid                   IA32Syscall = 215
	IA32SysSetfsgid                   IA32Syscall = 216
	IA32SysPivotRoot                  IA32Syscall = 217
	IA32SysMincore                    IA32Syscall = 218
	IA32SysMadvise                    IA32Syscall = 219
	IA32SysGetdents64                 IA32Syscall = 220
	IA32CompatSysFcntl642             IA32Syscall = 221
	IA32SysGettid                     IA32Syscall = 224
	IA32SysIa32Readahead              IA32Syscall = 225
	IA32SysSetxattr                   IA32Syscall = 226
	IA32SysLsetxattr                  IA32Syscall = 227
	IA32SysFsetxattr                  IA32Syscall = 228
	IA32SysGetxattr                   IA32Syscall = 229
	IA32SysLgetxattr                  IA32Syscall = 230
	IA32SysFgetxattr                  IA32Syscall = 231
	IA32SysListxattr                  IA32Syscall = 232
	IA32SysLlistxattr                 IA32Syscall = 233
	IA32SysFlistxattr                 IA32Syscall = 234
	IA32SysRemovexattr                IA32Syscall = 235
	IA32SysLremovexattr               IA32Syscall = 236
	IA32SysFremovexattr               IA32Syscall = 237
	IA32SysTkill                      IA32Syscall = 238
	IA32SysSendfile64                 IA32Syscall = 239
	IA32SysFutexTime32                IA32Syscall = 240
	IA32CompatSysSchedSetaffinity     IA32Syscall = 241
	IA32CompatSysSchedGetaffinity     IA32Syscall = 242
	IA32SysSetThreadArea              IA32Syscall = 243
	IA32SysGetThreadArea              IA32Syscall = 244
	IA32CompatSysIoSetup              IA32Syscall = 245
	IA32SysIoDestroy                  IA32Syscall = 246
	IA32SysIoGeteventsTime32          IA32Syscall = 247
	IA32CompatSysIoSubmit             IA32Syscall = 248
	IA32SysIoCancel                   IA32Syscall = 249
	IA32SysIa32Fadvise64              IA32Syscall = 250
	IA32SysExitGroup                  IA32Syscall = 252
	IA32CompatSysLookupDcookie        IA32Syscall = 253
	IA32SysEpollCreate                IA32Syscall = 254
	IA32SysEpollCtl                   IA32Syscall = 255
	IA32SysEpollWait                  IA32Syscall = 256
	IA32SysRemapFilePages             IA32Syscall = 257
	IA32SysSetTidAddress              IA32Syscall = 258
	IA32CompatSysTimerCreate          IA32Syscall = 259
	IA32SysTimerSettime32             IA32Syscall = 260
	IA32SysTimerGettime32             IA32Syscall = 261
	IA32SysTimerGetoverrun            IA32Syscall = 262
	IA32SysTimerDelete                IA32Syscall = 263
	IA32SysClockSettime32             IA32Syscall = 264
	IA32SysClockGettime32             IA32Syscall = 265
	IA32SysClockGetresTime32          IA32Syscall = 266
	IA32SysClockNanosleepTime32       IA32Syscall = 267
	IA32CompatSysStatfs64             IA32Syscall = 268
	IA32CompatSysFstatfs64            IA32Syscall = 269
	IA32SysTgkill                     IA32Syscall = 270
	IA32SysUtimesTime32               IA32Syscall = 271
	IA32SysIa32Fadvise6464            IA32Syscall = 272
	IA32Vserver                       IA32Syscall = 273
	IA32SysMbind                      IA32Syscall = 274
	IA32SysGetMempolicy               IA32Syscall = 275
	IA32SysSetMempolicy               IA32Syscall = 276
	IA32CompatSysMqOpen               IA32Syscall = 277
	IA32SysMqUnlink                   IA32Syscall = 278
	IA32SysMqTimedsendTime32          IA32Syscall = 279
	IA32SysMqTimedreceiveTime32       IA32Syscall = 280
	IA32CompatSysMqNotify             IA32Syscall = 281
	IA32CompatSysMqGetsetattr         IA32Syscall = 282
	IA32CompatSysKexecLoad            IA32Syscall = 283
	IA32CompatSysWaitid               IA32Syscall = 284
	IA32SysAddKey                     IA32Syscall = 286
	IA32SysRequestKey                 IA32Syscall = 287
	IA32CompatSysKeyctl               IA32Syscall = 288
	IA32SysIoprioSet                  IA32Syscall = 289
	IA32SysIoprioGet                  IA32Syscall = 290
	IA32SysInotifyInit                IA32Syscall = 291
	IA32SysInotifyAddWatch            IA32Syscall = 292
	IA32SysInotifyRmWatch             IA32Syscall = 293
	IA32SysMigratePages               IA32Syscall = 294
	IA32CompatSysOpenat               IA32Syscall = 295
	IA32SysMkdirat                    IA32Syscall = 296
	IA32SysMknodat                    IA32Syscall = 297
	IA32SysFchownat                   IA32Syscall = 298
	IA32SysFutimesatTime32            IA32Syscall = 299
	IA32CompatSysIa32Fstatat64        IA32Syscall = 300
	IA32SysUnlinkat                   IA32Syscall = 301
	IA32SysRenameat                   IA32Syscall = 302
	IA32SysLinkat                     IA32Syscall = 303
	IA32SysSymlinkat                  IA32Syscall = 304
	IA32SysReadlinkat                 IA32Syscall = 305
	IA32SysFchmodat                   IA32Syscall = 306
	IA32SysFaccessat                  IA32Syscall = 307
	IA32CompatSysPselect6Time32       IA32Syscall = 308
	IA32CompatSysPpollTime32          IA32Syscall = 309
	IA32SysUnshare                    IA32Syscall = 310
	IA32CompatSysSetRobustList        IA32Syscall = 311
	IA32CompatSysGetRobustList        IA32Syscall = 312
	IA32SysSplice                     IA32Syscall = 313
	IA32SysIa32SyncFileRange          IA32Syscall = 314
	IA32SysTee                        IA32Syscall = 315
	IA32SysVmsplice                   IA32Syscall = 316
	IA32SysMovePages                  IA32Syscall = 317
	IA32SysGetcpu                     IA32Syscall = 318
	IA32SysEpollPwait                 IA32Syscall = 319
	IA32SysUtimensatTime32            IA32Syscall = 320
	IA32CompatSysSignalfd             IA32Syscall = 321
	IA32SysTimerfdCreate              IA32Syscall = 322
	IA32SysEventfd                    IA32Syscall = 323
	IA32SysIa32Fallocate              IA32Syscall = 324
	IA32SysTimerfdSettime32           IA32Syscall = 325
	IA32SysTimerfdGettime32           IA32Syscall = 326
	IA32CompatSysSignalfd4            IA32Syscall = 327
	IA32SysEventfd2                   IA32Syscall = 328
	IA32SysEpollCreate1               IA32Syscall = 329
	IA32SysDup3                       IA32Syscall = 330
	IA32SysPipe2                      IA32Syscall = 331
	IA32SysInotifyInit1               IA32Syscall = 332
	IA32CompatSysPreadv               IA32Syscall = 333
	IA32CompatSysPwritev              IA32Syscall = 334
	IA32CompatSysRtTgsigqueueinfo     IA32Syscall = 335
	IA32SysPerfEventOpen              IA32Syscall = 336
	IA32CompatSysRecvmmsgTime32       IA32Syscall = 337
	IA32SysFanotifyInit               IA32Syscall = 338
	IA32CompatSysFanotifyMark         IA32Syscall = 339
	IA32SysPrlimit64                  IA32Syscall = 340
	IA32SysNameToHandleAt             IA32Syscall = 341
	IA32CompatSysOpenByHandleAt       IA32Syscall = 342
	IA32SysClockAdjtime32             IA32Syscall = 343
	IA32SysSyncfs                     IA32Syscall = 344
	IA32CompatSysSendmmsg             IA32Syscall = 345
	IA32SysSetns                      IA32Syscall = 346
	IA32SysProcessVmReadv             IA32Syscall = 347
	IA32SysProcessVmWritev            IA32Syscall = 348
	IA32SysKcmp                       IA32Syscall = 349
	IA32SysFinitModule                IA32Syscall = 350
	IA32SysSchedSetattr               IA32Syscall = 351
	IA32SysSchedGetattr               IA32Syscall = 352
	IA32SysRenameat2                  IA32Syscall = 353
	IA32SysSeccomp                    IA32Syscall = 354
	IA32SysGetrandom                  IA32Syscall = 355
	IA32SysMemfdCreate                IA32Syscall = 356
	IA32SysBpf                        IA32Syscall = 357
	IA32CompatSysExecveat             IA32Syscall = 358
	IA32SysSocket                     IA32Syscall = 359
	IA32SysSocketpair                 IA32Syscall = 360
	IA32SysBind                       IA32Syscall = 361
	IA32SysConnect                    IA32Syscall = 362
	IA32SysListen                     IA32Syscall = 363
	IA32SysAccept4                    IA32Syscall = 364
	IA32SysGetsockopt                 IA32Syscall = 365
	IA32SysSetsockopt                 IA32Syscall = 366
	IA32SysGetsockname                IA32Syscall = 367
	IA32SysGetpeername                IA32Syscall = 368
	IA32SysSendto                     IA32Syscall = 369
	IA32CompatSysSendmsg              IA32Syscall = 370
	IA32CompatSysRecvfrom             IA32Syscall = 371
	IA32CompatSysRecvmsg              IA32Syscall = 372
	IA32SysShutdown                   IA32Syscall = 373
	IA32SysUserfaultfd                IA32Syscall = 374
	IA32SysMembarrier                 IA32Syscall = 375
	IA32SysMlock2                     IA32Syscall = 376
	IA32SysCopyFileRange              IA32Syscall = 377
	IA32CompatSysPreadv2              IA32Syscall = 378
	IA32CompatSysPwritev2             IA32Syscall = 379
	IA32SysPkeyMprotect               IA32Syscall = 380
	IA32SysPkeyAlloc                  IA32Syscall = 381
	IA32SysPkeyFree                   IA32Syscall = 382
	IA32SysStatx                      IA32Syscall = 383
	IA32CompatSysArchPrctl            IA32Syscall = 384
	IA32CompatSysIoPgetevents         IA32Syscall = 385
	IA32SysRseq                       IA32Syscall = 386
	IA32SysSemget                     IA32Syscall = 393
	IA32CompatSysSemctl               IA32Syscall = 394
	IA32SysShmget                     IA32Syscall = 395
	IA32CompatSysShmctl               IA32Syscall = 396
	IA32CompatSysShmat                IA32Syscall = 397
	IA32SysShmdt                      IA32Syscall = 398
	IA32SysMsgget                     IA32Syscall = 399
	IA32CompatSysMsgsnd               IA32Syscall = 400
	IA32CompatSysMsgrcv               IA32Syscall = 401
	IA32CompatSysMsgctl               IA32Syscall = 402
	IA32SysClockGettime               IA32Syscall = 403
	IA32SysClockSettime               IA32Syscall = 404
	IA32SysClockAdjtime               IA32Syscall = 405
	IA32SysClockGetres                IA32Syscall = 406
	IA32SysClockNanosleep             IA32Syscall = 407
	IA32SysTimerGettime               IA32Syscall = 408
	IA32SysTimerSettime               IA32Syscall = 409
	IA32SysTimerfdGettime             IA32Syscall = 410
	IA32SysTimerfdSettime             IA32Syscall = 411
	IA32SysUtimensat                  IA32Syscall = 412
	IA32CompatSysPselect6Time64       IA32Syscall = 413
	IA32CompatSysPpollTime64          IA32Syscall = 414
	IA32SysIoPgetevents               IA32Syscall = 416
	IA32CompatSysRecvmmsgTime64       IA32Syscall = 417
	IA32SysMqTimedsend                IA32Syscall = 418
	IA32SysMqTimedreceive             IA32Syscall = 419
	IA32SysSemtimedop                 IA32Syscall = 420
	IA32CompatSysRtSigtimedwaitTime64 IA32Syscall = 421
	IA32SysFutex                      IA32Syscall = 422
	IA32SysSchedRrGetInterval         IA32Syscall = 423
	IA32SysPidfdSendSignal            IA32Syscall = 424
	IA32SysIoUringSetup               IA32Syscall = 425
	IA32SysIoUringEnter               IA32Syscall = 426
	IA32SysIoUringRegister            IA32Syscall = 427
	IA32SysOpenTree                   IA32Syscall = 428
	IA32SysMoveMount                  IA32Syscall = 429
	IA32SysFsopen                     IA32Syscall = 430
	IA32SysFsconfig                   IA32Syscall = 431
	IA32SysFsmount                    IA32Syscall = 432
	IA32SysFspick                     IA32Syscall = 433
	IA32SysPidfdOpen                  IA32Syscall = 434
	IA32SysClone3                     IA32Syscall = 435
	IA32SysCloseRange                 IA32Syscall = 436
	IA32SysOpenat2                    IA32Syscall = 437
	IA32SysPidfdGetfd                 IA32Syscall = 438
	IA32SysFaccessat2                 IA32Syscall = 439
	IA32SysProcessMadvise             IA32Syscall = 440
	IA32CompatSysEpollPwait2          IA32Syscall = 441
	IA32SysMountSetattr               IA32Syscall = 442
	IA32SysQuotactlFd                 IA32Syscall = 443
	IA32SysLandlockCreateRuleset      IA32Syscall = 444
	IA32SysLandlockAddRule            IA32Syscall = 445
	IA32SysLandlockRestrictSelf       IA32Syscall = 446
	IA32SysMemfdSecret                IA32Syscall = 447
	IA32SysProcessMrelease            IA32Syscall = 448
	IA32SysFutexWaitv                 IA32Syscall = 449
	IA32SysSetMempolicyHomeNode       IA32Syscall = 450
)

Linux IA32Syscall identifiers

func ParseIA32SyscallName

func ParseIA32SyscallName(name string) IA32Syscall

ParseIA32SyscallName returns the IA32Syscall number of the provided IA32Syscall name

func (IA32Syscall) MarshalBinary

func (i IA32Syscall) MarshalBinary() ([]byte, error)

func (IA32Syscall) MarshalText

func (i IA32Syscall) MarshalText() ([]byte, error)

MarshalText maps the IA32Syscall identifier to UTF-8-encoded text and returns the result

func (IA32Syscall) String

func (i IA32Syscall) String() string

func (*IA32Syscall) UnmarshalBinary

func (i *IA32Syscall) UnmarshalBinary(data []byte) error

func (*IA32Syscall) UnmarshalIA32Syscall

func (i *IA32Syscall) UnmarshalIA32Syscall(data []byte) (int, error)

type InitModuleEvent

type InitModuleEvent struct {
	LoadedFromMemory bool   `json:"loaded_from_memory"`
	Name             string `json:"name"`
}

InitModuleEvent is used to parse an init_module event

func (*InitModuleEvent) UnmarshallBinary

func (e *InitModuleEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type InitModuleEventSerializer

type InitModuleEventSerializer struct {
	*InitModuleEvent
}

InitModuleEventSerializer is used to serialize InitModuleEvent easyjson:json

func NewInitModuleSerializer

func NewInitModuleSerializer(im *InitModuleEvent) *InitModuleEventSerializer

NewInitModuleSerializer returns a new instance of InitModuleEventSerializer

func (InitModuleEventSerializer) MarshalEasyJSON

func (v InitModuleEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*InitModuleEventSerializer) UnmarshalEasyJSON

func (v *InitModuleEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KProbeCommand

type KProbeCommand uint32

KProbeCommand kprobe command

func (KProbeCommand) MarshalJSON

func (kc KProbeCommand) MarshalJSON() ([]byte, error)

func (KProbeCommand) String

func (kc KProbeCommand) String() string

type KProbeEvent

type KProbeEvent struct {
	Address MemoryPointer `json:"address,omitempty"`
	// NOTE(review): Symbol is tagged with the JSON key "string", whereas
	// KernelSymbol.Symbol is tagged "symbol". Detection rules or queries that
	// match on "symbol" would not see this field; confirm whether the tag is
	// intentional before relying on either key.
	Symbol  string        `json:"string,omitempty"`
	Command KProbeCommand `json:"command"`
	Type    KProbeType    `json:"type"`
}

KProbeEvent represents a kprobe event

func (*KProbeEvent) UnmarshallBinary

func (e *KProbeEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type KProbeEventSerializer

type KProbeEventSerializer struct {
	*KProbeEvent
}

KProbeEventSerializer is used to serialize KProbeEvent easyjson:json

func NewKProbeEventSerializer

func NewKProbeEventSerializer(e *KProbeEvent) *KProbeEventSerializer

NewKProbeEventSerializer returns a new instance of KProbeEventSerializer

func (KProbeEventSerializer) MarshalEasyJSON

func (v KProbeEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*KProbeEventSerializer) UnmarshalEasyJSON

func (v *KProbeEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KProbeType

type KProbeType uint32

KProbeType kprobe type

func (KProbeType) MarshalJSON

func (kt KProbeType) MarshalJSON() ([]byte, error)

func (KProbeType) String

func (kt KProbeType) String() string

type KernelEvent

type KernelEvent struct {
	Time   time.Time `json:"time"`
	Retval int64     `json:"retval"`
	CPU    uint32    `json:"cpu"`
	Type   EventType `json:"type"`
	Action Action    `json:"action"`
}

KernelEvent represents the default kernel event context

func (*KernelEvent) UnmarshalBinary

func (ke *KernelEvent) UnmarshalBinary(data []byte, resolver *TimeResolver) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type KernelEventSerializer

type KernelEventSerializer struct {
	*KernelEvent
}

KernelEventSerializer is used to serialize KernelEvent easyjson:json

func NewKernelEventSerializer

func NewKernelEventSerializer(ke *KernelEvent) *KernelEventSerializer

NewKernelEventSerializer returns a new instance of KernelEventSerializer

func (KernelEventSerializer) MarshalEasyJSON

func (v KernelEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*KernelEventSerializer) UnmarshalEasyJSON

func (v *KernelEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KernelParameterEvent

type KernelParameterEvent struct {
	Parameter     KernelSymbol `json:"parameter,omitempty"`
	ExpectedValue uint64       `json:"expected_value"`
	ActualValue   uint64       `json:"actual_value"`
}

KernelParameterEvent represents a kernel_parameter event

func (*KernelParameterEvent) UnmarshallBinary

func (e *KernelParameterEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type KernelParameterEventSerializer

type KernelParameterEventSerializer struct {
	*KernelParameterEvent
}

KernelParameterEventSerializer is used to serialize KernelParameterEvent easyjson:json

func NewKernelParameterEventSerializer

func NewKernelParameterEventSerializer(e *KernelParameterEvent) *KernelParameterEventSerializer

NewKernelParameterEventSerializer returns a new instance of KernelParameterEventSerializer

func (KernelParameterEventSerializer) MarshalEasyJSON

func (v KernelParameterEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*KernelParameterEventSerializer) UnmarshalEasyJSON

func (v *KernelParameterEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type KernelParameterOptions

type KernelParameterOptions struct {
	Action         Action            `yaml:"action"`
	// NOTE(review): presumably the action applied on the periodic check driven by Ticker — confirm.
	PeriodicAction Action            `yaml:"periodic_action"`
	// NOTE(review): the unit of Ticker is not stated on this page — confirm before setting it.
	Ticker         int64             `yaml:"ticker"`
	// List holds the kernel parameters to check. MaxKernelParameterCount (25) is
	// documented as the hardcoded maximum count KRIE can check; whether IsValid
	// rejects a longer list is not visible on this page.
	List           []ParameterOption `yaml:"list"`
}

KernelParameterOptions is used to configure the kernel_parameter events

func NewKernelParameterOptions

func NewKernelParameterOptions() *KernelParameterOptions

NewKernelParameterOptions returns a new instance of KernelParameterOptions

func (KernelParameterOptions) IsValid

func (o KernelParameterOptions) IsValid() error

type KernelSymbol

type KernelSymbol struct {
	Address MemoryPointer `json:"address,omitempty"`
	Symbol  string        `json:"symbol,omitempty"`
	Module  string        `json:"module,omitempty"`
}

KernelSymbol is used to identify a kernel syscall handler

type L3Protocol

type L3Protocol uint16

L3Protocol Network protocols

// Protocol identifiers carried by L3Protocol. Values at or above EthP8023MIN
// (0x0600) are Ethernet II EtherTypes; the smaller values near the end of the
// block are described by their own comments as dummy or internal-only types.
const (
	// EthPLOOP Ethernet Loopback packet
	EthPLOOP L3Protocol = 0x0060
	// EthPPUP Xerox PUP packet
	EthPPUP L3Protocol = 0x0200
	// EthPPUPAT Xerox PUP Addr Trans packet
	EthPPUPAT L3Protocol = 0x0201
	// EthPTSN TSN (IEEE 1722) packet
	EthPTSN L3Protocol = 0x22F0
	// EthPIP Internet Protocol packet
	EthPIP L3Protocol = 0x0800
	// EthPX25 CCITT X.25
	EthPX25 L3Protocol = 0x0805
	// EthPARP Address Resolution packet
	EthPARP L3Protocol = 0x0806
	// EthPBPQ G8BPQ AX.25 Ethernet Packet    [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBPQ L3Protocol = 0x08FF
	// EthPIEEEPUP Xerox IEEE802.3 PUP packet
	EthPIEEEPUP L3Protocol = 0x0a00
	// EthPIEEEPUPAT Xerox IEEE802.3 PUP Addr Trans packet
	EthPIEEEPUPAT L3Protocol = 0x0a01
	// EthPBATMAN B.A.T.M.A.N.-Advanced packet [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPBATMAN L3Protocol = 0x4305
	// EthPDEC DEC Assigned proto
	EthPDEC L3Protocol = 0x6000
	// EthPDNADL DEC DNA Dump/Load
	EthPDNADL L3Protocol = 0x6001
	// EthPDNARC DEC DNA Remote Console
	EthPDNARC L3Protocol = 0x6002
	// EthPDNART DEC DNA Routing
	EthPDNART L3Protocol = 0x6003
	// EthPLAT DEC LAT
	EthPLAT L3Protocol = 0x6004
	// EthPDIAG DEC Diagnostics
	EthPDIAG L3Protocol = 0x6005
	// EthPCUST DEC Customer use
	EthPCUST L3Protocol = 0x6006
	// EthPSCA DEC Systems Comms Arch
	EthPSCA L3Protocol = 0x6007
	// EthPTEB Trans Ether Bridging
	EthPTEB L3Protocol = 0x6558
	// EthPRARP Reverse Addr Res packet
	EthPRARP L3Protocol = 0x8035
	// EthPATALK Appletalk DDP
	EthPATALK L3Protocol = 0x809B
	// EthPAARP Appletalk AARP
	EthPAARP L3Protocol = 0x80F3
	// EthP8021Q 802.1Q VLAN Extended Header
	EthP8021Q L3Protocol = 0x8100
	// EthPERSPAN ERSPAN type II
	EthPERSPAN L3Protocol = 0x88BE
	// EthPIPX IPX over DIX
	EthPIPX L3Protocol = 0x8137
	// EthPIPV6 IPv6 over bluebook
	EthPIPV6 L3Protocol = 0x86DD
	// EthPPAUSE IEEE Pause frames. See 802.3 31B
	EthPPAUSE L3Protocol = 0x8808
	// EthPSLOW Slow Protocol. See 802.3ad 43B
	EthPSLOW L3Protocol = 0x8809
	// EthPWCCP Web-cache coordination protocol defined in draft-wilson-wrec-wccp-v2-00.txt
	EthPWCCP L3Protocol = 0x883E
	// EthPMPLSUC MPLS Unicast traffic
	EthPMPLSUC L3Protocol = 0x8847
	// EthPMPLSMC MPLS Multicast traffic
	EthPMPLSMC L3Protocol = 0x8848
	// EthPATMMPOA MultiProtocol Over ATM
	EthPATMMPOA L3Protocol = 0x884c
	// EthPPPPDISC PPPoE discovery messages
	EthPPPPDISC L3Protocol = 0x8863
	// EthPPPPSES PPPoE session messages
	EthPPPPSES L3Protocol = 0x8864
	// EthPLinkCTL HPNA, wlan link local tunnel
	EthPLinkCTL L3Protocol = 0x886c
	// EthPATMFATE Frame-based ATM Transport over Ethernet
	EthPATMFATE L3Protocol = 0x8884
	// EthPPAE Port Access Entity (IEEE 802.1X)
	EthPPAE L3Protocol = 0x888E
	// EthPAOE ATA over Ethernet
	EthPAOE L3Protocol = 0x88A2
	// EthP8021AD 802.1ad Service VLAN
	EthP8021AD L3Protocol = 0x88A8
	// EthP802EX1 802.1 Local Experimental 1.
	EthP802EX1 L3Protocol = 0x88B5
	// EthPTIPC TIPC
	EthPTIPC L3Protocol = 0x88CA
	// EthPMACSEC 802.1ae MACsec
	EthPMACSEC L3Protocol = 0x88E5
	// EthP8021AH 802.1ah Backbone Service Tag
	EthP8021AH L3Protocol = 0x88E7
	// EthPMVRP 802.1Q MVRP
	EthPMVRP L3Protocol = 0x88F5
	// EthP1588 IEEE 1588 Timesync
	EthP1588 L3Protocol = 0x88F7
	// EthPNCSI NCSI protocol
	EthPNCSI L3Protocol = 0x88F8
	// EthPPRP IEC 62439-3 PRP/HSRv0
	EthPPRP L3Protocol = 0x88FB
	// EthPFCOE Fibre Channel over Ethernet
	EthPFCOE L3Protocol = 0x8906
	// EthPIBOE Infiniband over Ethernet
	EthPIBOE L3Protocol = 0x8915
	// EthPTDLS TDLS
	EthPTDLS L3Protocol = 0x890D
	// EthPFIP FCoE Initialization Protocol
	EthPFIP L3Protocol = 0x8914
	// EthP80221 IEEE 802.21 Media Independent Handover Protocol
	EthP80221 L3Protocol = 0x8917
	// EthPHSR IEC 62439-3 HSRv1
	EthPHSR L3Protocol = 0x892F
	// EthPNSH Network Service Header
	EthPNSH L3Protocol = 0x894F
	// EthPLOOPBACK Ethernet loopback packet, per IEEE 802.3
	EthPLOOPBACK L3Protocol = 0x9000
	// EthPQINQ1 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ1 L3Protocol = 0x9100
	// EthPQINQ2 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ2 L3Protocol = 0x9200
	// EthPQINQ3 deprecated QinQ VLAN [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPQINQ3 L3Protocol = 0x9300
	// EthPEDSA Ethertype DSA [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPEDSA L3Protocol = 0xDADA
	// EthPIFE ForCES inter-FE LFB type
	EthPIFE L3Protocol = 0xED3E
	// EthPAFIUCV IBM afiucv [ NOT AN OFFICIALLY REGISTERED ID ]
	EthPAFIUCV L3Protocol = 0xFBFB
	// EthP8023MIN If the value in the ethernet type field is greater than or equal to this value
	// then the frame is Ethernet II. Else the field is an 802.3 length.
	EthP8023MIN L3Protocol = 0x0600
	// EthPIPV6HopByHop IPv6 Hop by hop option
	EthPIPV6HopByHop L3Protocol = 0x000
	// EthP8023 Dummy type for 802.3 frames
	EthP8023 L3Protocol = 0x0001
	// EthPAX25 Dummy protocol id for AX.25
	EthPAX25 L3Protocol = 0x0002
	// EthPALL Every packet (be careful!!!)
	EthPALL L3Protocol = 0x0003
	// EthP8022 802.2 frames
	EthP8022 L3Protocol = 0x0004
	// EthPSNAP Internal only
	EthPSNAP L3Protocol = 0x0005
	// EthPDDCMP DEC DDCMP: Internal only
	EthPDDCMP L3Protocol = 0x0006
	// EthPWANPPP Dummy type for WAN PPP frames
	EthPWANPPP L3Protocol = 0x0007
	// EthPPPPMP Dummy type for PPP MP frames
	EthPPPPMP L3Protocol = 0x0008
	// EthPLOCALTALK Localtalk pseudo type
	EthPLOCALTALK L3Protocol = 0x0009
	// EthPCAN CAN: Controller Area Network
	EthPCAN L3Protocol = 0x000C
	// EthPCANFD CANFD: CAN flexible data rate
	EthPCANFD L3Protocol = 0x000D
	// EthPPPPTALK Dummy type for Atalk over PPP
	EthPPPPTALK L3Protocol = 0x0010
	// EthPTR8022 802.2 frames
	EthPTR8022 L3Protocol = 0x0011
	// EthPMOBITEX Mobitex (kaz@cafe.net)
	EthPMOBITEX L3Protocol = 0x0015
	// EthPCONTROL Card specific control frames
	EthPCONTROL L3Protocol = 0x0016
	// EthPIRDA Linux-IrDA
	EthPIRDA L3Protocol = 0x0017
	// EthPECONET Acorn Econet
	EthPECONET L3Protocol = 0x0018
	// EthPHDLC HDLC frames
	EthPHDLC L3Protocol = 0x0019
	// EthPARCNET 1A for ArcNet :-)
	EthPARCNET L3Protocol = 0x001A
	// EthPDSA Distributed Switch Arch.
	EthPDSA L3Protocol = 0x001B
	// EthPTRAILER Trailer switch tagging
	EthPTRAILER L3Protocol = 0x001C
	// EthPPHONET Nokia Phonet frames
	EthPPHONET L3Protocol = 0x00F5
	// EthPIEEE802154 IEEE802.15.4 frame
	EthPIEEE802154 L3Protocol = 0x00F6
	// EthPCAIF ST-Ericsson CAIF protocol
	EthPCAIF L3Protocol = 0x00F7
	// EthPXDSA Multiplexed DSA protocol
	EthPXDSA L3Protocol = 0x00F8
	// EthPMAP Qualcomm multiplexing and aggregation protocol
	EthPMAP L3Protocol = 0x00F9
)

func (L3Protocol) MarshalJSON

func (proto L3Protocol) MarshalJSON() ([]byte, error)

func (L3Protocol) String

func (proto L3Protocol) String() string

type MemoryPointer

type MemoryPointer uint64

MemoryPointer is used to serialize memory addresses

func (MemoryPointer) MarshalJSON

func (mp MemoryPointer) MarshalJSON() ([]byte, error)

type NamespaceContext

type NamespaceContext struct {
	CgroupNamespace uint32 `json:"cgroup_namespace"`
	IPCNamespace    uint32 `json:"ipc_namespace"`
	NetNamespace    uint32 `json:"net_namespace"`
	MntNamespace    uint32 `json:"mnt_namespace"`
	PIDNamespace    uint32 `json:"pid_namespace"`
	TimeNamespace   uint32 `json:"time_namespace"`
	UserNamespace   uint32 `json:"user_namespace"`
	UTSNamespace    uint32 `json:"uts_namespace"`
}

NamespaceContext is used to parse the namespace context of an event

func (*NamespaceContext) UnmarshalBinary

func (nc *NamespaceContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type Options

type Options struct {
	InitModuleEvent         Action                  `yaml:"init_module"`
	DeleteModuleEvent       Action                  `yaml:"delete_module"`
	BPFEvent                Action                  `yaml:"bpf"`
	BPFFilterEvent          Action                  `yaml:"bpf_filter"`
	PTraceEvent             Action                  `yaml:"ptrace"`
	KProbeEvent             Action                  `yaml:"kprobe"`
	SysCtlEvent             *SysCtlOptions          `yaml:"sysctl"`
	HookedSyscallTableEvent Action                  `yaml:"hooked_syscall_table"`
	HookedSyscallEvent      Action                  `yaml:"hooked_syscall"`
	KernelParameterEvent    *KernelParameterOptions `yaml:"kernel_parameter"`
	RegisterCheckEvent      Action                  `yaml:"register_check"`
	// contains filtered or unexported fields
}

Options stores the options for each event type

func NewEventsOptions

func NewEventsOptions() *Options

NewEventsOptions returns a new initialized instance of Options

func (*Options) ActivatedEventTypes

func (o *Options) ActivatedEventTypes() EventTypeList

func (*Options) IsValid

func (o *Options) IsValid() error

func (*Options) ParseEventsActions

func (o *Options) ParseEventsActions() map[EventType]Action

type PTraceEvent

type PTraceEvent struct {
	Address MemoryPointer `json:"address,omitempty"`
	Request PTraceRequest `json:"request"`
	PID     uint32        `json:"pid,omitempty"`
}

PTraceEvent represents a ptrace event

func (*PTraceEvent) UnmarshallBinary

func (e *PTraceEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type PTraceRequest

type PTraceRequest uint32

PTraceRequest represents a ptrace request value

func (PTraceRequest) MarshalJSON

func (f PTraceRequest) MarshalJSON() ([]byte, error)

func (PTraceRequest) String

func (f PTraceRequest) String() string

type ParameterOption

type ParameterOption struct {
	// Symbol and Address both appear to locate the parameter to check.
	// NOTE(review): which one takes precedence when both are set is not
	// visible on this page — confirm before supplying a raw Address.
	Symbol        string `yaml:"symbol"`
	Address       uint64 `yaml:"address"`
	// ExpectedValue mirrors KernelParameterEvent.ExpectedValue (also uint64).
	ExpectedValue uint64 `yaml:"expected_value"`
	// NOTE(review): presumably the width of the checked value; unit and accepted range not shown — confirm.
	Size          uint64 `yaml:"size"`
}

ParameterOption is used to configure a kernel parameter that KRIE should check

type ProcessContext

type ProcessContext struct {
	Cgroups          Cgroups            `json:"cgroups"`
	NamespaceContext NamespaceContext   `json:"namespace_context"`
	Credentials      CredentialsContext `json:"credentials"`
	Comm             string             `json:"comm"`
	PID              uint32             `json:"pid"`
	TID              uint32             `json:"tid"`
}

ProcessContext is used to parse the process context of an event

func (*ProcessContext) UnmarshalBinary

func (pc *ProcessContext) UnmarshalBinary(data []byte) (int, error)

UnmarshalBinary unmarshalls a binary representation of itself

type ProcessContextSerializer

type ProcessContextSerializer struct {
	*ProcessContext
}

ProcessContextSerializer is used to serialize ProcessContext easyjson:json

func NewProcessContextSerializer

func NewProcessContextSerializer(pc *ProcessContext) *ProcessContextSerializer

NewProcessContextSerializer returns a new instance of ProcessContextSerializer

func (ProcessContextSerializer) MarshalEasyJSON

func (v ProcessContextSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*ProcessContextSerializer) UnmarshalEasyJSON

func (v *ProcessContextSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type PtraceEventSerializer

type PtraceEventSerializer struct {
	*PTraceEvent
}

PtraceEventSerializer is used to serialize PTraceEvent easyjson:json

func NewPtraceEventSerializer

func NewPtraceEventSerializer(e *PTraceEvent) *PtraceEventSerializer

NewPtraceEventSerializer returns a new instance of PtraceEventSerializer

func (PtraceEventSerializer) MarshalEasyJSON

func (v PtraceEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*PtraceEventSerializer) UnmarshalEasyJSON

func (v *PtraceEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type RegisterCheckEvent

type RegisterCheckEvent struct {
	StackPointer       MemoryPointer `json:"stack_pointer"`
	InstructionPointer MemoryPointer `json:"instruction_pointer"`
	FramePointer       MemoryPointer `json:"frame_pointer"`
	HookPoint          HookPoint     `json:"hook_point"`
}

RegisterCheckEvent represents a register_check event

func (*RegisterCheckEvent) UnmarshallBinary

func (e *RegisterCheckEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type RegisterCheckEventSerializer

type RegisterCheckEventSerializer struct {
	*RegisterCheckEvent
}

RegisterCheckEventSerializer is used to serialize RegisterCheckEvent easyjson:json

func NewRegisterCheckEventSerializer

func NewRegisterCheckEventSerializer(e *RegisterCheckEvent) *RegisterCheckEventSerializer

NewRegisterCheckEventSerializer returns a new instance of RegisterCheckEventSerializer

func (RegisterCheckEventSerializer) MarshalEasyJSON

func (v RegisterCheckEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*RegisterCheckEventSerializer) UnmarshalEasyJSON

func (v *RegisterCheckEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type SocketType

type SocketType uint32

SocketType socket type

func (SocketType) MarshalJSON

func (st SocketType) MarshalJSON() ([]byte, error)

func (SocketType) String

func (st SocketType) String() string

type SysCtlAction

type SysCtlAction uint64

SysCtlAction command

func (SysCtlAction) MarshalJSON

func (sca SysCtlAction) MarshalJSON() ([]byte, error)

func (SysCtlAction) String

func (sca SysCtlAction) String() string

type SysCtlEvent

type SysCtlEvent struct {
	WriteAccess            bool         `json:"write_access"`
	FilePosition           uint32       `json:"file_position"`
	Action                 SysCtlAction `json:"action"`
	Name                   string       `json:"name"`
	CurrentValue           string       `json:"current_value"`
	NewValue               string       `json:"new_value,omitempty"`
	NewValueOverriddenWith string       `json:"new_value_overridden_with,omitempty"`
}

SysCtlEvent represents a sysctl event

func (*SysCtlEvent) UnmarshallBinary

func (e *SysCtlEvent) UnmarshallBinary(data []byte) (int, error)

UnmarshallBinary unmarshalls a binary representation of itself

type SysCtlEventEventSerializer

type SysCtlEventEventSerializer struct {
	*SysCtlEvent
}

SysCtlEventEventSerializer is used to serialize SysCtlEvent easyjson:json

func NewSysCtlEventSerializer

func NewSysCtlEventSerializer(e *SysCtlEvent) *SysCtlEventEventSerializer

NewSysCtlEventSerializer returns a new instance of SysCtlEventEventSerializer

func (SysCtlEventEventSerializer) MarshalEasyJSON

func (v SysCtlEventEventSerializer) MarshalEasyJSON(w *jwriter.Writer)

MarshalEasyJSON supports easyjson.Marshaler interface

func (*SysCtlEventEventSerializer) UnmarshalEasyJSON

func (v *SysCtlEventEventSerializer) UnmarshalEasyJSON(l *jlexer.Lexer)

UnmarshalEasyJSON supports easyjson.Unmarshaler interface

type SysCtlOptions

// SysCtlOptions groups the YAML settings for sysctl events: an Action, a
// Default SysCtlParameter and a List of SysCtlParameter entries keyed by string.
// NOTE(review): presumably List is keyed by sysctl name and Default applies to
// names without an entry — confirm against the loader.
type SysCtlOptions struct {
	Action  Action                     `yaml:"action"`
	Default SysCtlParameter            `yaml:"default"`
	List    map[string]SysCtlParameter `yaml:"list"`
}

func NewSysCtlOptions

func NewSysCtlOptions() *SysCtlOptions

NewSysCtlOptions returns a new instance of SysCtlOptions

type SysCtlParameter

// SysCtlParameter is the per-parameter sysctl configuration read from YAML.
// The Go zero value leaves both block flags false and the override empty.
// NOTE(review): whether NewSysCtlOptions or the loader applies a stricter
// default is not visible on this page — confirm the effective default before
// relying on an omitted key to block access.
type SysCtlParameter struct {
	BlockWriteAccess       bool   `yaml:"block_write_access"`
	BlockReadAccess        bool   `yaml:"block_read_access"`
	// NOTE(review): presumably the value reported as SysCtlEvent.NewValueOverriddenWith — confirm.
	OverrideInputValueWith string `yaml:"override_input_value_with"`
}

func (SysCtlParameter) MarshalBinary

func (scp SysCtlParameter) MarshalBinary() ([]byte, error)

MarshalBinary returns a binary representation of itself

type Syscall

type Syscall int

Syscall represents a syscall identifier

// The values below match the x86_64 Linux syscall table (read = 0,
// execve = 59, bpf = 321). Other architectures, and the x32 / IA32 tables,
// number syscalls differently, so a raw syscall number must be interpreted
// against the table it was captured from before it is mapped to one of these
// names. Syscalls added to the kernel after this list was written have no
// identifier here.
const (
	SysRead                  Syscall = 0
	SysWrite                 Syscall = 1
	SysOpen                  Syscall = 2
	SysClose                 Syscall = 3
	SysStat                  Syscall = 4
	SysFstat                 Syscall = 5
	SysLstat                 Syscall = 6
	SysPoll                  Syscall = 7
	SysLseek                 Syscall = 8
	SysMmap                  Syscall = 9
	SysMprotect              Syscall = 10
	SysMunmap                Syscall = 11
	SysBrk                   Syscall = 12
	SysRtSigaction           Syscall = 13
	SysRtSigprocmask         Syscall = 14
	SysRtSigreturn           Syscall = 15
	SysIoctl                 Syscall = 16
	SysPread64               Syscall = 17
	SysPwrite64              Syscall = 18
	SysReadv                 Syscall = 19
	SysWritev                Syscall = 20
	SysAccess                Syscall = 21
	SysPipe                  Syscall = 22
	SysSelect                Syscall = 23
	SysSchedYield            Syscall = 24
	SysMremap                Syscall = 25
	SysMsync                 Syscall = 26
	SysMincore               Syscall = 27
	SysMadvise               Syscall = 28
	SysShmget                Syscall = 29
	SysShmat                 Syscall = 30
	SysShmctl                Syscall = 31
	SysDup                   Syscall = 32
	SysDup2                  Syscall = 33
	SysPause                 Syscall = 34
	SysNanosleep             Syscall = 35
	SysGetitimer             Syscall = 36
	SysAlarm                 Syscall = 37
	SysSetitimer             Syscall = 38
	SysGetpid                Syscall = 39
	SysSendfile              Syscall = 40
	SysSocket                Syscall = 41
	SysConnect               Syscall = 42
	SysAccept                Syscall = 43
	SysSendto                Syscall = 44
	SysRecvfrom              Syscall = 45
	SysSendmsg               Syscall = 46
	SysRecvmsg               Syscall = 47
	SysShutdown              Syscall = 48
	SysBind                  Syscall = 49
	SysListen                Syscall = 50
	SysGetsockname           Syscall = 51
	SysGetpeername           Syscall = 52
	SysSocketpair            Syscall = 53
	SysSetsockopt            Syscall = 54
	SysGetsockopt            Syscall = 55
	SysClone                 Syscall = 56
	SysFork                  Syscall = 57
	SysVfork                 Syscall = 58
	SysExecve                Syscall = 59
	SysExit                  Syscall = 60
	SysWait4                 Syscall = 61
	SysKill                  Syscall = 62
	SysUname                 Syscall = 63
	SysSemget                Syscall = 64
	SysSemop                 Syscall = 65
	SysSemctl                Syscall = 66
	SysShmdt                 Syscall = 67
	SysMsgget                Syscall = 68
	SysMsgsnd                Syscall = 69
	SysMsgrcv                Syscall = 70
	SysMsgctl                Syscall = 71
	SysFcntl                 Syscall = 72
	SysFlock                 Syscall = 73
	SysFsync                 Syscall = 74
	SysFdatasync             Syscall = 75
	SysTruncate              Syscall = 76
	SysFtruncate             Syscall = 77
	SysGetdents              Syscall = 78
	SysGetcwd                Syscall = 79
	SysChdir                 Syscall = 80
	SysFchdir                Syscall = 81
	SysRename                Syscall = 82
	SysMkdir                 Syscall = 83
	SysRmdir                 Syscall = 84
	SysCreat                 Syscall = 85
	SysLink                  Syscall = 86
	SysUnlink                Syscall = 87
	SysSymlink               Syscall = 88
	SysReadlink              Syscall = 89
	SysChmod                 Syscall = 90
	SysFchmod                Syscall = 91
	SysChown                 Syscall = 92
	SysFchown                Syscall = 93
	SysLchown                Syscall = 94
	SysUmask                 Syscall = 95
	SysGettimeofday          Syscall = 96
	SysGetrlimit             Syscall = 97
	SysGetrusage             Syscall = 98
	SysSysinfo               Syscall = 99
	SysTimes                 Syscall = 100
	SysPtrace                Syscall = 101
	SysGetuid                Syscall = 102
	SysSyslog                Syscall = 103
	SysGetgid                Syscall = 104
	SysSetuid                Syscall = 105
	SysSetgid                Syscall = 106
	SysGeteuid               Syscall = 107
	SysGetegid               Syscall = 108
	SysSetpgid               Syscall = 109
	SysGetppid               Syscall = 110
	SysGetpgrp               Syscall = 111
	SysSetsid                Syscall = 112
	SysSetreuid              Syscall = 113
	SysSetregid              Syscall = 114
	SysGetgroups             Syscall = 115
	SysSetgroups             Syscall = 116
	SysSetresuid             Syscall = 117
	SysGetresuid             Syscall = 118
	SysSetresgid             Syscall = 119
	SysGetresgid             Syscall = 120
	SysGetpgid               Syscall = 121
	SysSetfsuid              Syscall = 122
	SysSetfsgid              Syscall = 123
	SysGetsid                Syscall = 124
	SysCapget                Syscall = 125
	SysCapset                Syscall = 126
	SysRtSigpending          Syscall = 127
	SysRtSigtimedwait        Syscall = 128
	SysRtSigqueueinfo        Syscall = 129
	SysRtSigsuspend          Syscall = 130
	SysSigaltstack           Syscall = 131
	SysUtime                 Syscall = 132
	SysMknod                 Syscall = 133
	SysUselib                Syscall = 134
	SysPersonality           Syscall = 135
	SysUstat                 Syscall = 136
	SysStatfs                Syscall = 137
	SysFstatfs               Syscall = 138
	SysSysfs                 Syscall = 139
	SysGetpriority           Syscall = 140
	SysSetpriority           Syscall = 141
	SysSchedSetparam         Syscall = 142
	SysSchedGetparam         Syscall = 143
	SysSchedSetscheduler     Syscall = 144
	SysSchedGetscheduler     Syscall = 145
	SysSchedGetPriorityMax   Syscall = 146
	SysSchedGetPriorityMin   Syscall = 147
	SysSchedRrGetInterval    Syscall = 148
	SysMlock                 Syscall = 149
	SysMunlock               Syscall = 150
	SysMlockall              Syscall = 151
	SysMunlockall            Syscall = 152
	SysVhangup               Syscall = 153
	SysModifyLdt             Syscall = 154
	SysPivotRoot             Syscall = 155
	SysSysctl                Syscall = 156
	SysPrctl                 Syscall = 157
	SysArchPrctl             Syscall = 158
	SysAdjtimex              Syscall = 159
	SysSetrlimit             Syscall = 160
	SysChroot                Syscall = 161
	SysSync                  Syscall = 162
	SysAcct                  Syscall = 163
	SysSettimeofday          Syscall = 164
	SysMount                 Syscall = 165
	SysUmount2               Syscall = 166
	SysSwapon                Syscall = 167
	SysSwapoff               Syscall = 168
	SysReboot                Syscall = 169
	SysSethostname           Syscall = 170
	SysSetdomainname         Syscall = 171
	SysIopl                  Syscall = 172
	SysIoperm                Syscall = 173
	SysCreateModule          Syscall = 174
	SysInitModule            Syscall = 175
	SysDeleteModule          Syscall = 176
	SysGetKernelSyms         Syscall = 177
	SysQueryModule           Syscall = 178
	SysQuotactl              Syscall = 179
	SysNfsservctl            Syscall = 180
	SysGetpmsg               Syscall = 181
	SysPutpmsg               Syscall = 182
	SysAfsSyscall            Syscall = 183
	SysTuxcall               Syscall = 184
	SysSecurity              Syscall = 185
	SysGettid                Syscall = 186
	SysReadahead             Syscall = 187
	SysSetxattr              Syscall = 188
	SysLsetxattr             Syscall = 189
	SysFsetxattr             Syscall = 190
	SysGetxattr              Syscall = 191
	SysLgetxattr             Syscall = 192
	SysFgetxattr             Syscall = 193
	SysListxattr             Syscall = 194
	SysLlistxattr            Syscall = 195
	SysFlistxattr            Syscall = 196
	SysRemovexattr           Syscall = 197
	SysLremovexattr          Syscall = 198
	SysFremovexattr          Syscall = 199
	SysTkill                 Syscall = 200
	SysTime                  Syscall = 201
	SysFutex                 Syscall = 202
	SysSchedSetaffinity      Syscall = 203
	SysSchedGetaffinity      Syscall = 204
	SysSetThreadArea         Syscall = 205
	SysIoSetup               Syscall = 206
	SysIoDestroy             Syscall = 207
	SysIoGetevents           Syscall = 208
	SysIoSubmit              Syscall = 209
	SysIoCancel              Syscall = 210
	SysGetThreadArea         Syscall = 211
	SysLookupDcookie         Syscall = 212
	SysEpollCreate           Syscall = 213
	SysEpollCtlOld           Syscall = 214
	SysEpollWaitOld          Syscall = 215
	SysRemapFilePages        Syscall = 216
	SysGetdents64            Syscall = 217
	SysSetTidAddress         Syscall = 218
	SysRestartSyscall        Syscall = 219
	SysSemtimedop            Syscall = 220
	SysFadvise64             Syscall = 221
	SysTimerCreate           Syscall = 222
	SysTimerSettime          Syscall = 223
	SysTimerGettime          Syscall = 224
	SysTimerGetoverrun       Syscall = 225
	SysTimerDelete           Syscall = 226
	SysClockSettime          Syscall = 227
	SysClockGettime          Syscall = 228
	SysClockGetres           Syscall = 229
	SysClockNanosleep        Syscall = 230
	SysExitGroup             Syscall = 231
	SysEpollWait             Syscall = 232
	SysEpollCtl              Syscall = 233
	SysTgkill                Syscall = 234
	SysUtimes                Syscall = 235
	SysVserver               Syscall = 236
	SysMbind                 Syscall = 237
	SysSetMempolicy          Syscall = 238
	SysGetMempolicy          Syscall = 239
	SysMqOpen                Syscall = 240
	SysMqUnlink              Syscall = 241
	SysMqTimedsend           Syscall = 242
	SysMqTimedreceive        Syscall = 243
	SysMqNotify              Syscall = 244
	SysMqGetsetattr          Syscall = 245
	SysKexecLoad             Syscall = 246
	SysWaitid                Syscall = 247
	SysAddKey                Syscall = 248
	SysRequestKey            Syscall = 249
	SysKeyctl                Syscall = 250
	SysIoprioSet             Syscall = 251
	SysIoprioGet             Syscall = 252
	SysInotifyInit           Syscall = 253
	SysInotifyAddWatch       Syscall = 254
	SysInotifyRmWatch        Syscall = 255
	SysMigratePages          Syscall = 256
	SysOpenat                Syscall = 257
	SysMkdirat               Syscall = 258
	SysMknodat               Syscall = 259
	SysFchownat              Syscall = 260
	SysFutimesat             Syscall = 261
	SysNewfstatat            Syscall = 262
	SysUnlinkat              Syscall = 263
	SysRenameat              Syscall = 264
	SysLinkat                Syscall = 265
	SysSymlinkat             Syscall = 266
	SysReadlinkat            Syscall = 267
	SysFchmodat              Syscall = 268
	SysFaccessat             Syscall = 269
	SysPselect6              Syscall = 270
	SysPpoll                 Syscall = 271
	SysUnshare               Syscall = 272
	SysSetRobustList         Syscall = 273
	SysGetRobustList         Syscall = 274
	SysSplice                Syscall = 275
	SysTee                   Syscall = 276
	SysSyncFileRange         Syscall = 277
	SysVmsplice              Syscall = 278
	SysMovePages             Syscall = 279
	SysUtimensat             Syscall = 280
	SysEpollPwait            Syscall = 281
	SysSignalfd              Syscall = 282
	SysTimerfdCreate         Syscall = 283
	SysEventfd               Syscall = 284
	SysFallocate             Syscall = 285
	SysTimerfdSettime        Syscall = 286
	SysTimerfdGettime        Syscall = 287
	SysAccept4               Syscall = 288
	SysSignalfd4             Syscall = 289
	SysEventfd2              Syscall = 290
	SysEpollCreate1          Syscall = 291
	SysDup3                  Syscall = 292
	SysPipe2                 Syscall = 293
	SysInotifyInit1          Syscall = 294
	SysPreadv                Syscall = 295
	SysPwritev               Syscall = 296
	SysRtTgsigqueueinfo      Syscall = 297
	SysPerfEventOpen         Syscall = 298
	SysRecvmmsg              Syscall = 299
	SysFanotifyInit          Syscall = 300
	SysFanotifyMark          Syscall = 301
	SysPrlimit64             Syscall = 302
	SysNameToHandleAt        Syscall = 303
	SysOpenByHandleAt        Syscall = 304
	SysClockAdjtime          Syscall = 305
	SysSyncfs                Syscall = 306
	SysSendmmsg              Syscall = 307
	SysSetns                 Syscall = 308
	SysGetcpu                Syscall = 309
	SysProcessVmReadv        Syscall = 310
	SysProcessVmWritev       Syscall = 311
	SysKcmp                  Syscall = 312
	SysFinitModule           Syscall = 313
	SysSchedSetattr          Syscall = 314
	SysSchedGetattr          Syscall = 315
	SysRenameat2             Syscall = 316
	SysSeccomp               Syscall = 317
	SysGetrandom             Syscall = 318
	SysMemfdCreate           Syscall = 319
	SysKexecFileLoad         Syscall = 320
	SysBpf                   Syscall = 321
	SysExecveat              Syscall = 322
	SysUserfaultfd           Syscall = 323
	SysMembarrier            Syscall = 324
	SysMlock2                Syscall = 325
	SysCopyFileRange         Syscall = 326
	SysPreadv2               Syscall = 327
	SysPwritev2              Syscall = 328
	SysPkeyMprotect          Syscall = 329
	SysPkeyAlloc             Syscall = 330
	SysPkeyFree              Syscall = 331
	SysStatx                 Syscall = 332
	SysIoPgetevents          Syscall = 333
	SysRseq                  Syscall = 334
	// No identifiers are declared for 335-423; the list resumes at 424.
	SysPidfdSendSignal       Syscall = 424
	SysIoUringSetup          Syscall = 425
	SysIoUringEnter          Syscall = 426
	SysIoUringRegister       Syscall = 427
	SysOpenTree              Syscall = 428
	SysMoveMount             Syscall = 429
	SysFsopen                Syscall = 430
	SysFsconfig              Syscall = 431
	SysFsmount               Syscall = 432
	SysFspick                Syscall = 433
	SysPidfdOpen             Syscall = 434
	SysClone3                Syscall = 435
	SysCloseRange            Syscall = 436
	SysOpenat2               Syscall = 437
	SysPidfdGetfd            Syscall = 438
	SysFaccessat2            Syscall = 439
	SysProcessMadvise        Syscall = 440
	SysEpollPwait2           Syscall = 441
	SysMountSetattr          Syscall = 442
	SysQuotactlFd            Syscall = 443
	SysLandlockCreateRuleset Syscall = 444
	SysLandlockAddRule       Syscall = 445
	SysLandlockRestrictSelf  Syscall = 446
	SysMemfdSecret           Syscall = 447
	// SysLastSyscall is one above the highest identifier declared here.
	// NOTE(review): presumably an end-of-list bound rather than a syscall of
	// its own — confirm against callers before treating 448 as a real entry.
	SysLastSyscall           Syscall = 448
)

Linux syscall identifiers

func ParseSyscallName

func ParseSyscallName(name string) Syscall

ParseSyscallName returns the Syscall number of the provided syscall name

func (Syscall) MarshalBinary

func (i Syscall) MarshalBinary() ([]byte, error)

func (Syscall) MarshalText

func (i Syscall) MarshalText() ([]byte, error)

MarshalText maps the syscall identifier to UTF-8-encoded text and returns the result

func (Syscall) String

func (i Syscall) String() string

func (*Syscall) UnmarshalBinary

func (i *Syscall) UnmarshalBinary(data []byte) error

func (*Syscall) UnmarshalSyscall

func (i *Syscall) UnmarshalSyscall(data []byte) (int, error)

type SyscallTable

type SyscallTable uint32

SyscallTable is used to represent a syscall table

// Syscall table selectors, numbered 0, 1 and 2 by iota.
// NOTE(review): the names suggest the native 64-bit, x32 and IA32 (32-bit
// compatibility) tables — confirm. Syscall numbers are not interchangeable
// between tables, so a number must be resolved against the table it came from.
const (
	SysCallTable SyscallTable = iota
	X32SysCallTable
	IA32SysCallTable
)

func (SyscallTable) MarshalJSON

func (st SyscallTable) MarshalJSON() ([]byte, error)

func (SyscallTable) String

func (st SyscallTable) String() string

type TimeResolver

type TimeResolver struct {
	// contains filtered or unexported fields
}

TimeResolver converts kernel monotonic timestamps to absolute times

func NewTimeResolver

func NewTimeResolver() (*TimeResolver, error)

NewTimeResolver returns a new time resolver

func (*TimeResolver) ApplyBootTime

func (tr *TimeResolver) ApplyBootTime(timestamp time.Time) time.Time

ApplyBootTime returns the time re-aligned from the boot time

func (*TimeResolver) ComputeMonotonicTimestamp

func (tr *TimeResolver) ComputeMonotonicTimestamp(timestamp time.Time) int64

ComputeMonotonicTimestamp converts an absolute time to a kernel monotonic timestamp

func (*TimeResolver) ResolveMonotonicTimestamp

func (tr *TimeResolver) ResolveMonotonicTimestamp(timestamp uint64) time.Time

ResolveMonotonicTimestamp converts a kernel monotonic timestamp to an absolute time
