Overview ¶
Package process holds process related files
Index ¶
- Constants
- func GetProcessArgv(pr *model.Process) ([]string, bool)
- func GetProcessArgv0(pr *model.Process) (string, bool)
- func IsBusybox(pathname string) bool
- func IsKworker(ppid, pid uint32) bool
- func IsThroughSymLink(entry *model.ProcessCacheEntry) bool
- type CacheResolverKey
- type EBPFLessResolver
- func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file string, argv []string, ...) *model.ProcessCacheEntry
- func (p *EBPFLessResolver) AddForkEntry(key CacheResolverKey, ppid uint32, ts uint64) *model.ProcessCacheEntry
- func (p *EBPFLessResolver) AddProcFSEntry(key CacheResolverKey, ppid uint32, file string, argv []string, ...) *model.ProcessCacheEntry
- func (p *EBPFLessResolver) DeleteEntry(key CacheResolverKey, exitTime time.Time)
- func (p *EBPFLessResolver) Dump(_ bool) (string, error)
- func (p *EBPFLessResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)
- func (p *EBPFLessResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)
- func (p *EBPFLessResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)
- func (p *EBPFLessResolver) NewEntry(key CacheResolverKey, ppid uint32, file string, argv []string, ...) *model.ProcessCacheEntry
- func (p *EBPFLessResolver) Resolve(key CacheResolverKey) *model.ProcessCacheEntry
- func (p *EBPFLessResolver) SendStats() error
- func (p *EBPFLessResolver) Snapshot()
- func (p *EBPFLessResolver) Start(_ context.Context) error
- func (p *EBPFLessResolver) UpdateGroup(key CacheResolverKey, gid int32, egid int32, group string, egroup string)
- func (p *EBPFLessResolver) UpdateUser(key CacheResolverKey, uid int32, euid int32, user string, euser string)
- func (p *EBPFLessResolver) Walk(callback func(entry *model.ProcessCacheEntry))
- type EBPFResolver
- func (p *EBPFResolver) AddExecEntry(event *model.Event, cgroupContext model.CGroupContext) error
- func (p *EBPFResolver) AddForkEntry(event *model.Event, cgroupContext model.CGroupContext, ...) error
- func (p *EBPFResolver) AddTracerMetadata(pid uint32, event *model.Event) error
- func (p *EBPFResolver) ApplyBootTime(entry *model.ProcessCacheEntry)
- func (p *EBPFResolver) ApplyExitEntry(event *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) bool
- func (p *EBPFResolver) CountBrokenLineage()
- func (p *EBPFResolver) DeleteEntry(pid uint32, exitTime time.Time)
- func (p *EBPFResolver) DequeueExited()
- func (p *EBPFResolver) FetchAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials
- func (p *EBPFResolver) Get(pid uint32) *model.ProcessCacheEntry
- func (p *EBPFResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)
- func (p *EBPFResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)
- func (p *EBPFResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)
- func (p *EBPFResolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.ProcessCacheEntry
- func (p *EBPFResolver) Resolve(pid, tid uint32, inode uint64, useProcFS bool, ...) *model.ProcessCacheEntry
- func (p *EBPFResolver) ResolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry
- func (p *EBPFResolver) ResolveFromKernelMaps(pid, tid uint32, inode uint64, ...) *model.ProcessCacheEntry
- func (p *EBPFResolver) ResolveFromProcfs(pid uint32, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry
- func (p *EBPFResolver) RetrieveFileFieldsFromProcfs(filename string) (*model.FileFields, error)
- func (p *EBPFResolver) SendStats() error
- func (p *EBPFResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
- func (p *EBPFResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
- func (p *EBPFResolver) SetProcessSymlink(entry *model.ProcessCacheEntry)
- func (p *EBPFResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string
- func (p *EBPFResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)
- func (p *EBPFResolver) SetState(state int64)
- func (p *EBPFResolver) Start(ctx context.Context) error
- func (p *EBPFResolver) SyncCache(proc *process.Process)
- func (p *EBPFResolver) ToDot(withArgs bool) (string, error)
- func (p *EBPFResolver) ToJSON(raw bool) ([]byte, error)
- func (p *EBPFResolver) TryReparentFromKernelPPid(entry *model.ProcessCacheEntry, kernelPPid uint32, ...)
- func (p *EBPFResolver) TryReparentFromProcfs(entry *model.ProcessCacheEntry, callpathTag string, ...)
- func (p *EBPFResolver) TryReparentFromProcfsLocked(entry *model.ProcessCacheEntry, callpathTag string, ...)
- func (p *EBPFResolver) UpdateAWSSecurityCredentials(pid uint32, e *model.Event)
- func (p *EBPFResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
- func (p *EBPFResolver) UpdateCapset(pid uint32, e *model.Event)
- func (p *EBPFResolver) UpdateGID(pid uint32, e *model.Event)
- func (p *EBPFResolver) UpdateLoginUID(pid uint32, e *model.Event)
- func (p *EBPFResolver) UpdateProcessContexts(pce *model.ProcessCacheEntry, cgroupContext model.CGroupContext, ...)
- func (p *EBPFResolver) UpdateUID(pid uint32, e *model.Event)
- func (p *EBPFResolver) Walk(callback func(entry *model.ProcessCacheEntry))
- type ResolverOpts
Constants ¶
const (
	Snapshotting = iota // Snapshotting describes the state where resolvers are being populated
	Snapshotted         // Snapshotted describes the state where resolvers are fully populated
)
Variables ¶
This section is empty.
Functions ¶
func GetProcessArgv ¶
GetProcessArgv returns the unscrubbed args of the event as an array. Use with caution.
func GetProcessArgv0 ¶
GetProcessArgv0 returns the first arg of the event and whether the process arguments are truncated
func IsThroughSymLink ¶
func IsThroughSymLink(entry *model.ProcessCacheEntry) bool
IsThroughSymLink returns true if the process is accessing a file through a symlink
Types ¶
type CacheResolverKey ¶
type CacheResolverKey struct {
Pid uint32 // Pid of the related process (namespaced)
NSID uint64 // NSID represents the pids namespace ID of the related container
}
CacheResolverKey is used to store and retrieve processes from the cache
type EBPFLessResolver ¶
EBPFLessResolver defines a resolver
func NewEBPFLessResolver ¶
func NewEBPFLessResolver(_ *config.Config, statsdClient statsd.ClientInterface, scrubber *utils.Scrubber, opts *ResolverOpts) (*EBPFLessResolver, error)
NewEBPFLessResolver returns a new process resolver
func (*EBPFLessResolver) AddExecEntry ¶
func (p *EBPFLessResolver) AddExecEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool, envs []string, envsTruncated bool, ctrID containerutils.ContainerID, ts uint64, tty string) *model.ProcessCacheEntry
AddExecEntry adds an entry to the local cache and returns the newly created entry
func (*EBPFLessResolver) AddForkEntry ¶
func (p *EBPFLessResolver) AddForkEntry(key CacheResolverKey, ppid uint32, ts uint64) *model.ProcessCacheEntry
AddForkEntry adds an entry to the local cache and returns the newly created entry
func (*EBPFLessResolver) AddProcFSEntry ¶
func (p *EBPFLessResolver) AddProcFSEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool, envs []string, envsTruncated bool, ctrID containerutils.ContainerID, ts uint64, tty string) *model.ProcessCacheEntry
AddProcFSEntry adds an entry built from procfs to the local cache and returns it
func (*EBPFLessResolver) DeleteEntry ¶
func (p *EBPFLessResolver) DeleteEntry(key CacheResolverKey, exitTime time.Time)
DeleteEntry tries to delete an entry in the process cache
func (*EBPFLessResolver) Dump ¶
func (p *EBPFLessResolver) Dump(_ bool) (string, error)
Dump creates a temp file and dumps the cache into it
func (*EBPFLessResolver) GetProcessArgvScrubbed ¶
func (p *EBPFLessResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)
GetProcessArgvScrubbed returns the scrubbed args of the event as an array
func (*EBPFLessResolver) GetProcessEnvp ¶
func (p *EBPFLessResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)
GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution.
func (*EBPFLessResolver) GetProcessEnvs ¶
func (p *EBPFLessResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)
GetProcessEnvs returns the envs of the event
func (*EBPFLessResolver) NewEntry ¶
func (p *EBPFLessResolver) NewEntry(key CacheResolverKey, ppid uint32, file string, argv []string, argsTruncated bool, envs []string, envsTruncated bool, ctrID containerutils.ContainerID, ts uint64, tty string, source uint64) *model.ProcessCacheEntry
NewEntry returns a new entry
func (*EBPFLessResolver) Resolve ¶
func (p *EBPFLessResolver) Resolve(key CacheResolverKey) *model.ProcessCacheEntry
Resolve returns the cache entry for the given cache key
func (*EBPFLessResolver) SendStats ¶
func (p *EBPFLessResolver) SendStats() error
SendStats sends process resolver metrics
func (*EBPFLessResolver) Snapshot ¶
func (p *EBPFLessResolver) Snapshot()
Snapshot snapshots the existing entry cache
func (*EBPFLessResolver) Start ¶
func (p *EBPFLessResolver) Start(_ context.Context) error
Start starts the resolver
func (*EBPFLessResolver) UpdateGroup ¶
func (p *EBPFLessResolver) UpdateGroup(key CacheResolverKey, gid int32, egid int32, group string, egroup string)
UpdateGroup updates the group credentials (gid, egid, group, egroup) of the process matching the provided key
func (*EBPFLessResolver) UpdateUser ¶
func (p *EBPFLessResolver) UpdateUser(key CacheResolverKey, uid int32, euid int32, user string, euser string)
UpdateUser updates the user credentials (uid, euid, user, euser) of the process matching the provided key
func (*EBPFLessResolver) Walk ¶
func (p *EBPFLessResolver) Walk(callback func(entry *model.ProcessCacheEntry))
Walk iterates through the entire tree and calls the provided callback on each entry
type EBPFResolver ¶
EBPFResolver resolves process context
func NewEBPFResolver ¶
func NewEBPFResolver(manager *manager.Manager, config *config.Config, statsdClient statsd.ClientInterface, scrubber *utils.Scrubber, mountResolver mount.ResolverInterface, cgroupResolver *cgroup.Resolver, userGroupResolver *usergroup.Resolver, timeResolver *stime.Resolver, pathResolver spath.ResolverInterface, envVarsResolver *envvars.Resolver, userSessionResolver *usersessions.Resolver, opts *ResolverOpts) (*EBPFResolver, error)
NewEBPFResolver returns a new process resolver
func (*EBPFResolver) AddExecEntry ¶
func (p *EBPFResolver) AddExecEntry(event *model.Event, cgroupContext model.CGroupContext) error
AddExecEntry adds an entry built from the exec event to the local cache, returning an error on failure
func (*EBPFResolver) AddForkEntry ¶
func (p *EBPFResolver) AddForkEntry(event *model.Event, cgroupContext model.CGroupContext, newEntryCb func(*model.ProcessCacheEntry, error)) error
AddForkEntry adds an entry built from the fork event to the local cache, returning an error on failure
func (*EBPFResolver) AddTracerMetadata ¶
func (p *EBPFResolver) AddTracerMetadata(pid uint32, event *model.Event) error
AddTracerMetadata reads tracer metadata from a memfd and adds it to the process cache entry
func (*EBPFResolver) ApplyBootTime ¶
func (p *EBPFResolver) ApplyBootTime(entry *model.ProcessCacheEntry)
ApplyBootTime realigns the entry's timestamps relative to the boot time
func (*EBPFResolver) ApplyExitEntry ¶
func (p *EBPFResolver) ApplyExitEntry(event *model.Event, newEntryCb func(*model.ProcessCacheEntry, error)) bool
ApplyExitEntry deletes the entry from the local cache if present
func (*EBPFResolver) CountBrokenLineage ¶
func (p *EBPFResolver) CountBrokenLineage()
CountBrokenLineage increments the counter of broken lineage
func (*EBPFResolver) DeleteEntry ¶
func (p *EBPFResolver) DeleteEntry(pid uint32, exitTime time.Time)
DeleteEntry tries to delete an entry in the process cache
func (*EBPFResolver) DequeueExited ¶
func (p *EBPFResolver) DequeueExited()
DequeueExited dequeues exited processes
func (*EBPFResolver) FetchAWSSecurityCredentials ¶
func (p *EBPFResolver) FetchAWSSecurityCredentials(e *model.Event) []model.AWSSecurityCredentials
FetchAWSSecurityCredentials returns the list of AWS Security Credentials valid at the time of the event, and prunes expired entries
func (*EBPFResolver) Get ¶
func (p *EBPFResolver) Get(pid uint32) *model.ProcessCacheEntry
Get returns the cache entry for a specified pid
func (*EBPFResolver) GetProcessArgvScrubbed ¶
func (p *EBPFResolver) GetProcessArgvScrubbed(pr *model.Process) ([]string, bool)
GetProcessArgvScrubbed returns the scrubbed args of the event as an array
func (*EBPFResolver) GetProcessEnvp ¶
func (p *EBPFResolver) GetProcessEnvp(pr *model.Process) ([]string, bool)
GetProcessEnvp returns the unscrubbed envs of the event with their values. Use with caution.
func (*EBPFResolver) GetProcessEnvs ¶
func (p *EBPFResolver) GetProcessEnvs(pr *model.Process) ([]string, bool)
GetProcessEnvs returns the envs of the event
func (*EBPFResolver) NewProcessCacheEntry ¶
func (p *EBPFResolver) NewProcessCacheEntry(pidContext model.PIDContext) *model.ProcessCacheEntry
NewProcessCacheEntry returns a new process cache entry
func (*EBPFResolver) Resolve ¶
func (p *EBPFResolver) Resolve(pid, tid uint32, inode uint64, useProcFS bool, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry
Resolve returns the cache entry for the given pid
func (*EBPFResolver) ResolveFromCache ¶
func (p *EBPFResolver) ResolveFromCache(pid, tid uint32, inode uint64) *model.ProcessCacheEntry
ResolveFromCache resolves the entry from the cache
func (*EBPFResolver) ResolveFromKernelMaps ¶
func (p *EBPFResolver) ResolveFromKernelMaps(pid, tid uint32, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry
ResolveFromKernelMaps resolves the entry from the kernel maps
func (*EBPFResolver) ResolveFromProcfs ¶
func (p *EBPFResolver) ResolveFromProcfs(pid uint32, inode uint64, newEntryCb func(*model.ProcessCacheEntry, error)) *model.ProcessCacheEntry
ResolveFromProcfs resolves the entry from procfs
func (*EBPFResolver) RetrieveFileFieldsFromProcfs ¶
func (p *EBPFResolver) RetrieveFileFieldsFromProcfs(filename string) (*model.FileFields, error)
RetrieveFileFieldsFromProcfs fetches inode metadata from kernel space. It stats the file, which triggers the security_inode_getattr hook, which fills a map with the needed data.
func (*EBPFResolver) SendStats ¶
func (p *EBPFResolver) SendStats() error
SendStats sends process resolver metrics
func (*EBPFResolver) SetProcessArgs ¶
func (p *EBPFResolver) SetProcessArgs(pce *model.ProcessCacheEntry)
SetProcessArgs sets the arguments of the cache entry
func (*EBPFResolver) SetProcessEnvs ¶
func (p *EBPFResolver) SetProcessEnvs(pce *model.ProcessCacheEntry)
SetProcessEnvs sets the environment variables of the cache entry
func (*EBPFResolver) SetProcessSymlink ¶
func (p *EBPFResolver) SetProcessSymlink(entry *model.ProcessCacheEntry)
SetProcessSymlink resolves process file symlink path
func (*EBPFResolver) SetProcessTTY ¶
func (p *EBPFResolver) SetProcessTTY(pce *model.ProcessCacheEntry) string
SetProcessTTY resolves the TTY and caches the result
func (*EBPFResolver) SetProcessUsersGroups ¶
func (p *EBPFResolver) SetProcessUsersGroups(pce *model.ProcessCacheEntry)
SetProcessUsersGroups resolves and sets the users and groups of the cache entry
func (*EBPFResolver) SetState ¶
func (p *EBPFResolver) SetState(state int64)
SetState sets the process resolver state
func (*EBPFResolver) Start ¶
func (p *EBPFResolver) Start(ctx context.Context) error
Start starts the resolver
func (*EBPFResolver) SyncCache ¶
func (p *EBPFResolver) SyncCache(proc *process.Process)
SyncCache snapshots /proc for the provided pid.
func (*EBPFResolver) ToDot ¶
func (p *EBPFResolver) ToDot(withArgs bool) (string, error)
ToDot creates a temp file and dumps the cache into it
func (*EBPFResolver) ToJSON ¶
func (p *EBPFResolver) ToJSON(raw bool) ([]byte, error)
ToJSON returns a JSON version of the cache
func (*EBPFResolver) TryReparentFromKernelPPid ¶
func (p *EBPFResolver) TryReparentFromKernelPPid(entry *model.ProcessCacheEntry, kernelPPid uint32, newEntryCb func(*model.ProcessCacheEntry, error))
TryReparentFromKernelPPid compares the live ppid reported by the kernel in the event with the ppid stored in the cache entry. When they differ the kernel has reparented the process (e.g. subreaper) and we update the cache to reflect the new parent. The new parent is resolved from the cache or, as a fallback, from procfs.
func (*EBPFResolver) TryReparentFromProcfs ¶
func (p *EBPFResolver) TryReparentFromProcfs(entry *model.ProcessCacheEntry, callpathTag string, newEntryCb func(*model.ProcessCacheEntry, error))
TryReparentFromProcfs walks the ancestor chain of the given entry up to pid 1 and looks for exited ancestors whose children may not have been reparented yet. For each such ancestor it reads the children's current ppid from procfs and updates the cache links. If procfs hasn't been updated yet (race with forget_original_parent), the children stay linked to their dead parent which is still valid for field resolution (Go GC keeps the object alive). When a broken ancestor link is encountered (Ancestor is nil, PPid unknown), the parent is resolved from procfs so the walk can continue. Only ancestors within tryReparentMaxForkDepth fork levels are checked (exec transitions do not count toward the depth).
func (*EBPFResolver) TryReparentFromProcfsLocked ¶
func (p *EBPFResolver) TryReparentFromProcfsLocked(entry *model.ProcessCacheEntry, callpathTag string, newEntryCb func(*model.ProcessCacheEntry, error))
TryReparentFromProcfsLocked is like TryReparentFromProcfs but assumes the caller already holds the resolver lock. Use this from callbacks invoked during resolution (e.g. newEntryCb) to avoid deadlocking on the non-reentrant mutex.
func (*EBPFResolver) UpdateAWSSecurityCredentials ¶
func (p *EBPFResolver) UpdateAWSSecurityCredentials(pid uint32, e *model.Event)
UpdateAWSSecurityCredentials updates the list of AWS Security Credentials
func (*EBPFResolver) UpdateArgsEnvs ¶
func (p *EBPFResolver) UpdateArgsEnvs(event *model.ArgsEnvsEvent)
UpdateArgsEnvs updates arguments or environment variables of the given id
func (*EBPFResolver) UpdateCapset ¶
func (p *EBPFResolver) UpdateCapset(pid uint32, e *model.Event)
UpdateCapset updates the credentials of the provided pid
func (*EBPFResolver) UpdateGID ¶
func (p *EBPFResolver) UpdateGID(pid uint32, e *model.Event)
UpdateGID updates the credentials of the provided pid
func (*EBPFResolver) UpdateLoginUID ¶
func (p *EBPFResolver) UpdateLoginUID(pid uint32, e *model.Event)
UpdateLoginUID updates the AUID of the provided pid
func (*EBPFResolver) UpdateProcessContexts ¶
func (p *EBPFResolver) UpdateProcessContexts(pce *model.ProcessCacheEntry, cgroupContext model.CGroupContext, containerContext model.ContainerContext)
UpdateProcessContexts updates the cgroup context and container ID of the process matching the provided PID
func (*EBPFResolver) UpdateUID ¶
func (p *EBPFResolver) UpdateUID(pid uint32, e *model.Event)
UpdateUID updates the credentials of the provided pid
func (*EBPFResolver) Walk ¶
func (p *EBPFResolver) Walk(callback func(entry *model.ProcessCacheEntry))
Walk iterates through the entire tree and calls the provided callback on each entry
type ResolverOpts ¶
type ResolverOpts struct {
// contains filtered or unexported fields
}
ResolverOpts holds the options of a resolver
func NewResolverOpts ¶
func NewResolverOpts() *ResolverOpts
NewResolverOpts returns a new set of process resolver options
func (*ResolverOpts) WithEnvsResolutionEnabled ¶
func (o *ResolverOpts) WithEnvsResolutionEnabled() *ResolverOpts
WithEnvsResolutionEnabled enables the envs resolution
func (*ResolverOpts) WithEnvsValue ¶
func (o *ResolverOpts) WithEnvsValue(envsWithValue []string) *ResolverOpts
WithEnvsValue specifies the envs that are resolved together with their value
func (*ResolverOpts) WithTTYFallbackEnabled ¶
func (o *ResolverOpts) WithTTYFallbackEnabled() *ResolverOpts
WithTTYFallbackEnabled enables the TTY fallback