Documentation
Overview
Events invoked by tracee-ebpf from user mode. This utility is useful for generating information that signatures need but that the normal kernel events do not provide. Because the kernel events are triggered by the behaviour of other programs, we cannot anticipate which events will fire or, as a result, what information will be extracted. This matters because tracee-rules is independent and does not have to run on the same machine as tracee-ebpf, so tracee-rules might lack basic information about the monitored machine that some signatures need. By creating user-mode events, this information can be collected intentionally and passed on by tracee-ebpf.
Index
- Constants
- Variables
- func CopyFileByPath(src, dst string) error
- func CreateInitNamespacesEvent() (external.Event, error)
- func ParseKernelReadFileId(id int32) (string, error)
- func Print16BytesSliceIP(in []byte) string
- func PrintAlert(alert alert) string
- func PrintUint32IP(in uint32) string
- type ArgFilter
- type ArgFilterVal
- type BoolFilter
- type CaptureConfig
- type Config
- type Containers
- type EventConfig
- type Filter
- type IntFilter
- type OutputConfig
- type ProcessTreeFilter
- type RetFilter
- type StringFilter
- type Tracee
- type UintFilter
Constants
const (
	LessNotSetUint    uint64 = 0
	GreaterNotSetUint uint64 = math.MaxUint64
	LessNotSetInt     int64  = math.MinInt64
	GreaterNotSetInt  int64  = math.MaxInt64
)
Default values for inequality filters that have not been set. val<0 and val>math.MaxUint64 should never be used by the user, as they give an empty set.
const (
	SysEnterEventID int32 = iota + 1000
	SysExitEventID
	SchedProcessForkEventID
	SchedProcessExecEventID
	SchedProcessExitEventID
	SchedSwitchEventID
	DoExitEventID
	CapCapableEventID
	VfsWriteEventID
	VfsWritevEventID
	MemProtAlertEventID
	CommitCredsEventID
	SwitchTaskNSEventID
	MagicWriteEventID
	CgroupAttachTaskEventID
	SecurityBprmCheckEventID
	SecurityFileOpenEventID
	SecurityInodeUnlinkEventID
	SecuritySocketCreateEventID
	SecuritySocketListenEventID
	SecuritySocketConnectEventID
	SecuritySocketAcceptEventID
	SecuritySocketBindEventID
	SecuritySbMountEventID
	SecurityBPFEventID
	SecurityBPFMapEventID
	SecurityKernelReadFileEventID
	SecurityInodeMknodEventID
	MaxEventID
)
Non-syscall events (used by all architectures). These event IDs must match the values defined in the eBPF code.
const (
	NetPacket uint32 = iota
	DebugNetSecurityBind
	DebugNetUdpSendmsg
	DebugNetUdpDisconnect
	DebugNetUdpDestroySock
	DebugNetUdpV6DestroySock
	DebugNetInetSockSetState
	DebugNetTcpConnect
)
const (
	ReadEventID                int32 = 0
	WriteEventID               int32 = 1
	OpenEventID                int32 = 2
	CloseEventID               int32 = 3
	StatEventID                int32 = 4
	FstatEventID               int32 = 5
	LstatEventID               int32 = 6
	PollEventID                int32 = 7
	LseekEventID               int32 = 8
	MmapEventID                int32 = 9
	MprotectEventID            int32 = 10
	MunmapEventID              int32 = 11
	BrkEventID                 int32 = 12
	RtSigactionEventID         int32 = 13
	RtSigprocmaskEventID       int32 = 14
	RtSigreturnEventID         int32 = 15
	IoctlEventID               int32 = 16
	Pread64EventID             int32 = 17
	Pwrite64EventID            int32 = 18
	ReadvEventID               int32 = 19
	WritevEventID              int32 = 20
	AccessEventID              int32 = 21
	PipeEventID                int32 = 22
	SelectEventID              int32 = 23
	SchedYieldEventID          int32 = 24
	MremapEventID              int32 = 25
	MsyncEventID               int32 = 26
	MincoreEventID             int32 = 27
	MadviseEventID             int32 = 28
	ShmgetEventID              int32 = 29
	ShmatEventID               int32 = 30
	ShmctlEventID              int32 = 31
	DupEventID                 int32 = 32
	Dup2EventID                int32 = 33
	PauseEventID               int32 = 34
	NanosleepEventID           int32 = 35
	GetitimerEventID           int32 = 36
	AlarmEventID               int32 = 37
	SetitimerEventID           int32 = 38
	GetpidEventID              int32 = 39
	SendfileEventID            int32 = 40
	SocketEventID              int32 = 41
	ConnectEventID             int32 = 42
	AcceptEventID              int32 = 43
	SendtoEventID              int32 = 44
	RecvfromEventID            int32 = 45
	SendmsgEventID             int32 = 46
	RecvmsgEventID             int32 = 47
	ShutdownEventID            int32 = 48
	BindEventID                int32 = 49
	ListenEventID              int32 = 50
	GetsocknameEventID         int32 = 51
	GetpeernameEventID         int32 = 52
	SocketpairEventID          int32 = 53
	SetsockoptEventID          int32 = 54
	GetsockoptEventID          int32 = 55
	CloneEventID               int32 = 56
	ForkEventID                int32 = 57
	VforkEventID               int32 = 58
	ExecveEventID              int32 = 59
	ExitEventID                int32 = 60
	Wait4EventID               int32 = 61
	KillEventID                int32 = 62
	UnameEventID               int32 = 63
	SemgetEventID              int32 = 64
	SemopEventID               int32 = 65
	SemctlEventID              int32 = 66
	ShmdtEventID               int32 = 67
	MsggetEventID              int32 = 68
	MsgsndEventID              int32 = 69
	MsgrcvEventID              int32 = 70
	MsgctlEventID              int32 = 71
	FcntlEventID               int32 = 72
	FlockEventID               int32 = 73
	FsyncEventID               int32 = 74
	FdatasyncEventID           int32 = 75
	TruncateEventID            int32 = 76
	FtruncateEventID           int32 = 77
	GetdentsEventID            int32 = 78
	GetcwdEventID              int32 = 79
	ChdirEventID               int32 = 80
	FchdirEventID              int32 = 81
	RenameEventID              int32 = 82
	MkdirEventID               int32 = 83
	RmdirEventID               int32 = 84
	CreatEventID               int32 = 85
	LinkEventID                int32 = 86
	UnlinkEventID              int32 = 87
	SymlinkEventID             int32 = 88
	ReadlinkEventID            int32 = 89
	ChmodEventID               int32 = 90
	FchmodEventID              int32 = 91
	ChownEventID               int32 = 92
	FchownEventID              int32 = 93
	LchownEventID              int32 = 94
	UmaskEventID               int32 = 95
	GettimeofdayEventID        int32 = 96
	GetrlimitEventID           int32 = 97
	GetrusageEventID           int32 = 98
	SysinfoEventID             int32 = 99
	TimesEventID               int32 = 100
	PtraceEventID              int32 = 101
	GetuidEventID              int32 = 102
	SyslogEventID              int32 = 103
	GetgidEventID              int32 = 104
	SetuidEventID              int32 = 105
	SetgidEventID              int32 = 106
	GeteuidEventID             int32 = 107
	GetegidEventID             int32 = 108
	SetpgidEventID             int32 = 109
	GetppidEventID             int32 = 110
	GetpgrpEventID             int32 = 111
	SetsidEventID              int32 = 112
	SetreuidEventID            int32 = 113
	SetregidEventID            int32 = 114
	GetgroupsEventID           int32 = 115
	SetgroupsEventID           int32 = 116
	SetresuidEventID           int32 = 117
	GetresuidEventID           int32 = 118
	SetresgidEventID           int32 = 119
	GetresgidEventID           int32 = 120
	GetpgidEventID             int32 = 121
	SetfsuidEventID            int32 = 122
	SetfsgidEventID            int32 = 123
	GetsidEventID              int32 = 124
	CapgetEventID              int32 = 125
	CapsetEventID              int32 = 126
	RtSigpendingEventID        int32 = 127
	RtSigtimedwaitEventID      int32 = 128
	RtSigqueueinfoEventID      int32 = 129
	RtSigsuspendEventID        int32 = 130
	SigaltstackEventID         int32 = 131
	UtimeEventID               int32 = 132
	MknodEventID               int32 = 133
	UselibEventID              int32 = 134
	PersonalityEventID         int32 = 135
	UstatEventID               int32 = 136
	StatfsEventID              int32 = 137
	FstatfsEventID             int32 = 138
	SysfsEventID               int32 = 139
	GetpriorityEventID         int32 = 140
	SetpriorityEventID         int32 = 141
	SchedSetparamEventID       int32 = 142
	SchedGetparamEventID       int32 = 143
	SchedSetschedulerEventID   int32 = 144
	SchedGetschedulerEventID   int32 = 145
	SchedGetPriorityMaxEventID int32 = 146
	SchedGetPriorityMinEventID int32 = 147
	SchedRrGetIntervalEventID  int32 = 148
	MlockEventID               int32 = 149
	MunlockEventID             int32 = 150
	MlockallEventID            int32 = 151
	MunlockallEventID          int32 = 152
	VhangupEventID             int32 = 153
	ModifyLdtEventID           int32 = 154
	PivotRootEventID           int32 = 155
	SysctlEventID              int32 = 156
	PrctlEventID               int32 = 157
	ArchPrctlEventID           int32 = 158
	AdjtimexEventID            int32 = 159
	SetrlimitEventID           int32 = 160
	ChrootEventID              int32 = 161
	SyncEventID                int32 = 162
	AcctEventID                int32 = 163
	SettimeofdayEventID        int32 = 164
	MountEventID               int32 = 165
	UmountEventID              int32 = 166
	SwaponEventID              int32 = 167
	SwapoffEventID             int32 = 168
	RebootEventID              int32 = 169
	SethostnameEventID         int32 = 170
	SetdomainnameEventID       int32 = 171
	IoplEventID                int32 = 172
	IopermEventID              int32 = 173
	CreateModuleEventID        int32 = 174
	InitModuleEventID          int32 = 175
	DeleteModuleEventID        int32 = 176
	GetKernelSymsEventID       int32 = 177
	QueryModuleEventID         int32 = 178
	QuotactlEventID            int32 = 179
	NfsservctlEventID          int32 = 180
	GetpmsgEventID             int32 = 181
	PutpmsgEventID             int32 = 182
	AfsEventID                 int32 = 183
	TuxcallEventID             int32 = 184
	SecurityEventID            int32 = 185
	GettidEventID              int32 = 186
	ReadaheadEventID           int32 = 187
	SetxattrEventID            int32 = 188
	LsetxattrEventID           int32 = 189
	FsetxattrEventID           int32 = 190
	GetxattrEventID            int32 = 191
	LgetxattrEventID           int32 = 192
	FgetxattrEventID           int32 = 193
	ListxattrEventID           int32 = 194
	LlistxattrEventID          int32 = 195
	FlistxattrEventID          int32 = 196
	RemovexattrEventID         int32 = 197
	LremovexattrEventID        int32 = 198
	FremovexattrEventID        int32 = 199
	TkillEventID               int32 = 200
	TimeEventID                int32 = 201
	FutexEventID               int32 = 202
	SchedSetaffinityEventID    int32 = 203
	SchedGetaffinityEventID    int32 = 204
	SetThreadAreaEventID       int32 = 205
	IoSetupEventID             int32 = 206
	IoDestroyEventID           int32 = 207
	IoGeteventsEventID         int32 = 208
	IoSubmitEventID            int32 = 209
	IoCancelEventID            int32 = 210
	GetThreadAreaEventID       int32 = 211
	EpollCreateEventID         int32 = 213
	EpollCtlOldEventID         int32 = 214
	EpollWaitOldEventID        int32 = 215
	RemapFilePagesEventID      int32 = 216
	Getdents64EventID          int32 = 217
	SetTidAddressEventID       int32 = 218
	RestartSyscallEventID      int32 = 219
	SemtimedopEventID          int32 = 220
	Fadvise64EventID           int32 = 221
	TimerCreateEventID         int32 = 222
	TimerSettimeEventID        int32 = 223
	TimerGettimeEventID        int32 = 224
	TimerGetoverrunEventID     int32 = 225
	TimerDeleteEventID         int32 = 226
	ClockSettimeEventID        int32 = 227
	ClockGettimeEventID        int32 = 228
	ClockGetresEventID         int32 = 229
	ClockNanosleepEventID      int32 = 230
	ExitGroupEventID           int32 = 231
	EpollWaitEventID           int32 = 232
	EpollCtlEventID            int32 = 233
	TgkillEventID              int32 = 234
	UtimesEventID              int32 = 235
	VserverEventID             int32 = 236
	MbindEventID               int32 = 237
	SetMempolicyEventID        int32 = 238
	GetMempolicyEventID        int32 = 239
	MqOpenEventID              int32 = 240
	MqUnlinkEventID            int32 = 241
	MqTimedsendEventID         int32 = 242
	MqTimedreceiveEventID      int32 = 243
	MqNotifyEventID            int32 = 244
	MqGetsetattrEventID        int32 = 245
	KexecLoadEventID           int32 = 246
	WaitidEventID              int32 = 247
	AddKeyEventID              int32 = 248
	RequestKeyEventID          int32 = 249
	KeyctlEventID              int32 = 250
	IoprioSetEventID           int32 = 251
	IoprioGetEventID           int32 = 252
	InotifyInitEventID         int32 = 253
	InotifyAddWatchEventID     int32 = 254
	InotifyRmWatchEventID      int32 = 255
	MigratePagesEventID        int32 = 256
	OpenatEventID              int32 = 257
	MkdiratEventID             int32 = 258
	MknodatEventID             int32 = 259
	FchownatEventID            int32 = 260
	FutimesatEventID           int32 = 261
	NewfstatatEventID          int32 = 262
	UnlinkatEventID            int32 = 263
	RenameatEventID            int32 = 264
	LinkatEventID              int32 = 265
	SymlinkatEventID           int32 = 266
	ReadlinkatEventID          int32 = 267
	FchmodatEventID            int32 = 268
	FaccessatEventID           int32 = 269
	Pselect6EventID            int32 = 270
	PpollEventID               int32 = 271
	SetRobustListEventID       int32 = 273
	GetRobustListEventID       int32 = 274
	SpliceEventID              int32 = 275
	TeeEventID                 int32 = 276
	SyncFileRangeEventID       int32 = 277
	VmspliceEventID            int32 = 278
	MovePagesEventID           int32 = 279
	UtimensatEventID           int32 = 280
	EpollPwaitEventID          int32 = 281
	SignalfdEventID            int32 = 282
	TimerfdCreateEventID       int32 = 283
	EventfdEventID             int32 = 284
	FallocateEventID           int32 = 285
	TimerfdSettimeEventID      int32 = 286
	TimerfdGettimeEventID      int32 = 287
	Accept4EventID             int32 = 288
	Signalfd4EventID           int32 = 289
	Eventfd2EventID            int32 = 290
	EpollCreate1EventID        int32 = 291
	Dup3EventID                int32 = 292
	Pipe2EventID               int32 = 293
	InotifyInit1EventID        int32 = 294
	PreadvEventID              int32 = 295
	PwritevEventID             int32 = 296
	RtTgsigqueueinfoEventID    int32 = 297
	PerfEventOpenEventID       int32 = 298
	RecvmmsgEventID            int32 = 299
	FanotifyInitEventID        int32 = 300
	FanotifyMarkEventID        int32 = 301
	Prlimit64EventID           int32 = 302
	NameToHandleAtEventID      int32 = 303
	OpenByHandleAtEventID      int32 = 304
	ClockAdjtimeEventID        int32 = 305
	SyncfsEventID              int32 = 306
	SendmmsgEventID            int32 = 307
	SetnsEventID               int32 = 308
	GetcpuEventID              int32 = 309
	ProcessVmReadvEventID      int32 = 310
	ProcessVmWritevEventID     int32 = 311
	KcmpEventID                int32 = 312
	FinitModuleEventID         int32 = 313
	SchedSetattrEventID        int32 = 314
	SchedGetattrEventID        int32 = 315
	Renameat2EventID           int32 = 316
	SeccompEventID             int32 = 317
	GetrandomEventID           int32 = 318
	MemfdCreateEventID         int32 = 319
	KexecFileLoadEventID       int32 = 320
	BpfEventID                 int32 = 321
	ExecveatEventID            int32 = 322
	UserfaultfdEventID         int32 = 323
	MembarrierEventID          int32 = 324
	Mlock2EventID              int32 = 325
	CopyFileRangeEventID       int32 = 326
	Preadv2EventID             int32 = 327
	Pwritev2EventID            int32 = 328
	PkeyMprotectEventID        int32 = 329
	PkeyAllocEventID           int32 = 330
	PkeyFreeEventID            int32 = 331
	StatxEventID               int32 = 332
	IoPgeteventsEventID        int32 = 333
	RseqEventID                int32 = 334
	// 335 through 423 are unassigned to sync up with generic numbers
	PidfdSendSignalEventID     int32 = 424
	IoUringSetupEventID        int32 = 425
	IoUringEnterEventID        int32 = 426
	IoUringRegisterEventID     int32 = 427
	OpenTreeEventID            int32 = 428
	MoveMountEventID           int32 = 429
	FsopenEventID              int32 = 430
	FsconfigEventID            int32 = 431
	FsmountEventID             int32 = 432
	FspickEventID              int32 = 433
	PidfdOpenEventID           int32 = 434
	Clone3EventID              int32 = 435
	CloseRangeEventID          int32 = 436
	Openat2EventID             int32 = 437
	PidfdGetfdEventID          int32 = 438
	Faccessat2EventID          int32 = 439
	ProcessMadviseEventID      int32 = 440
	EpollPwait2EventID         int32 = 441
)
x86 64-bit syscall numbers, also used as event IDs: https://github.com/torvalds/linux/blob/master/arch/x86/entry/syscalls/syscall_64.tbl
const (
CONFIG_ARCH_HAS_SYSCALL_WRAPPER helpers.KernelConfigOption = iota + helpers.CUSTOM_OPTION_START
)
Custom KernelConfigOptions extending the kernel_config helper's support. Add here all kconfig variables used within tracee.bpf.c.
const (
InitNamespacesEventID int32 = iota + 2000
)
Events originating from user space.
const InitProcNsDir = "/proc/1/ns"
Variables
var EventsIDToEvent = map[int32]EventConfig{}/* 382 elements not displayed */
EventsIDToEvent is the list of supported events, indexed by their ID.
var EventsIDToParams = map[int32][]external.ArgMeta{}/* 370 elements not displayed */
EventsIDToParams is the list of the parameters (name and type) used by each event, indexed by event ID.
Functions
func CopyFileByPath
CopyFileByPath copies a file from src to dst.
func CreateInitNamespacesEvent
CreateInitNamespacesEvent collects the init process namespaces and creates an event from them.
func ParseKernelReadFileId
func Print16BytesSliceIP
Print16BytesSliceIP prints the IP address encoded as a 16-byte-long slice. It would be more correct to accept a [16]byte instead of a variable-length slice, but that would cause unnecessary memory copying and type conversions.
func PrintAlert
func PrintAlert(alert alert) string
PrintAlert prints the encoded alert message and, if required, the output file path.
func PrintUint32IP
PrintUint32IP prints the IP address encoded as a uint32.
Types
type ArgFilter
type ArgFilter struct {
	Filters map[int32]map[string]ArgFilterVal // key to the first map is event id, and to the second map the argument name
	Enabled bool
}
type ArgFilterVal
type BoolFilter
func (*BoolFilter) Parse
func (boolFilter *BoolFilter) Parse(value string) error
type CaptureConfig
type Config
type Config struct {
	Filter             *Filter
	Capture            *CaptureConfig
	Output             *OutputConfig
	PerfBufferSize     int
	BlobPerfBufferSize int
	SecurityAlerts     bool
	Debug              bool
	BTFObjPath         string
	BPFObjPath         string
	BPFObjBytes        []byte
	KernelConfig       *helpers.KernelConfig
	ChanEvents         chan external.Event
	ChanErrors         chan error
	ChanDone           chan struct{}
	// contains filtered or unexported fields
}
Config is a struct containing the user-defined configuration of tracee.
type Containers
type Containers struct {
// contains filtered or unexported fields
}
Containers contains information about the containers running on the host.
func InitContainers
func InitContainers() *Containers
InitContainers initializes a Containers object and returns a pointer to it. The user should then call Populate and iterate over the Containers data.
func (*Containers) GetContainers
func (c *Containers) GetContainers() []string
GetContainers provides a list of all added containers by their UUID.
func (*Containers) GetPids
func (c *Containers) GetPids(contId string) []int32
func (*Containers) Populate
func (c *Containers) Populate() error
Populate fills in all Containers information by reading the mounted proc and cgroups filesystems.
type EventConfig
type EventConfig struct {
	ID             int32
	ID32Bit        int32
	Name           string
	Probes         []probe
	EssentialEvent bool
	Sets           []string
}
EventConfig is a struct describing an event configuration.
type Filter
type Filter struct {
	EventsToTrace     []int32
	UIDFilter         *UintFilter
	PIDFilter         *UintFilter
	NewPidFilter      *BoolFilter
	MntNSFilter       *UintFilter
	PidNSFilter       *UintFilter
	UTSFilter         *StringFilter
	CommFilter        *StringFilter
	ContFilter        *BoolFilter
	NewContFilter     *BoolFilter
	RetFilter         *RetFilter
	ArgFilter         *ArgFilter
	ProcessTreeFilter *ProcessTreeFilter
	Follow            bool
}
type IntFilter
type OutputConfig
type ProcessTreeFilter
type ProcessTreeFilter struct {
	PIDs    map[uint32]bool // PIDs is a map where k=pid and v represents whether it and its descendants should be traced or not
	Enabled bool
}
func (*ProcessTreeFilter) Parse
func (procTreeFilter *ProcessTreeFilter) Parse(operatorAndValues string) error
type StringFilter
func (*StringFilter) Parse
func (stringFilter *StringFilter) Parse(operatorAndValues string) error
type Tracee
Tracee traces system calls and system events using eBPF.