activitytree

Overview

Package activitytree holds activitytree related files

Package activitytree holds activitytree related files

Index

Constants

// CookieToProcessNodeCacheSize defines the "cookie to process" node cache size
// (the bound of ActivityTree.CookieToProcessNode, presumably — verify against NewActivityTree).
const CookieToProcessNodeCacheSize = 128

CookieToProcessNodeCacheSize defines the "cookie to process" node cache size

// MaxMmapedFiles defines the max mmaped files
const MaxMmapedFiles = 128

MaxMmapedFiles defines the max mmaped files

Variables

var (
	// ErrBrokenLineage is returned when the given process does not have a full lineage
	ErrBrokenLineage = errors.New("broken lineage")
	// ErrNotValidRootNode is returned when trying to insert a process with an invalid root node
	ErrNotValidRootNode = errors.New("root node not valid")
)

Functions

func AppendIfNotPresent

func AppendIfNotPresent(slice []string, toAdd string) ([]string, bool)

AppendIfNotPresent appends a token to a slice only if the token is not already present

func ExtractFirstParent

func ExtractFirstParent(path string) (string, int)

ExtractFirstParent extracts first parent

func GetNextAncestorBinaryOrArgv0

func GetNextAncestorBinaryOrArgv0(entry *model.ProcessContext) *model.ProcessCacheEntry

GetNextAncestorBinaryOrArgv0 returns the first ancestor with a different binary, or a different argv0 in the case of busybox processes

func ProtoDecodeActivityTree

func ProtoDecodeActivityTree(dest *ActivityTree, nodes []*adproto.ProcessActivityNode)

ProtoDecodeActivityTree decodes an ActivityTree structure

func ProtoDecodeTimestamp

func ProtoDecodeTimestamp(nanos uint64) time.Time

ProtoDecodeTimestamp decodes a nanosecond representation of a timestamp

func TimestampToProto

func TimestampToProto(t *time.Time) uint64

TimestampToProto encodes a timestamp

func ToProto

ToProto encodes an activity tree to its protobuf representation

Types

type ActivityTree

// ActivityTree contains a process tree and its activities. This structure has no locks.
type ActivityTree struct {
	// Stats holds the node counts of the tree
	Stats *Stats

	// DNSMatchMaxDepth presumably bounds the DNS matching depth passed to ProcessNode.InsertDNSEvent — verify
	DNSMatchMaxDepth int

	// CookieToProcessNode is an LRU cache of process nodes keyed by cookie selector
	CookieToProcessNode *simplelru.LRU[cookieSelector, *ProcessNode]
	// ProcessNodes are the root nodes of the tree; excluded from JSON encoding
	ProcessNodes        []*ProcessNode `json:"-"`

	// top level lists used to summarize the content of the tree
	DNSNames     *utils.StringKeys
	SyscallsMask map[int]int
	// contains filtered or unexported fields
}

ActivityTree contains a process tree and its activities. This structure has no locks; callers are responsible for serializing concurrent access.

func NewActivityTree

func NewActivityTree(validator Owner, pathsReducer *PathsReducer, treeType string) *ActivityTree

NewActivityTree returns a new ActivityTree instance

func (*ActivityTree) AppendChild

func (at *ActivityTree) AppendChild(node *ProcessNode)

AppendChild appends a new root node in the ActivityTree

func (*ActivityTree) AppendImageTag

func (at *ActivityTree) AppendImageTag(_ string, _ time.Time)

AppendImageTag appends the given image tag

func (*ActivityTree) ComputeActivityTreeStats

func (at *ActivityTree) ComputeActivityTreeStats()

ComputeActivityTreeStats computes the initial counts of the activity tree stats

func (*ActivityTree) ComputeSyscallsList

func (at *ActivityTree) ComputeSyscallsList() []uint32

ComputeSyscallsList computes the top level list of syscalls

func (*ActivityTree) Contains

func (at *ActivityTree) Contains(event *model.Event, insertMissingProcesses bool, imageTag string, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error)

Contains looks up the event in the activity tree

func (*ActivityTree) CreateProcessNode

func (at *ActivityTree) CreateProcessNode(entry *model.ProcessCacheEntry, imageTag string, generationType NodeGenerationType, dryRun bool, resolvers *resolvers.EBPFResolvers) (*ProcessNode, bool, error)

CreateProcessNode looks up or inserts the provided entry in the tree

func (*ActivityTree) Debug

func (at *ActivityTree) Debug(w io.Writer)

Debug dumps the content of an activity tree

func (*ActivityTree) DifferentiateArgs

func (at *ActivityTree) DifferentiateArgs()

DifferentiateArgs enables the args differentiation feature

func (*ActivityTree) EvictImageTag

func (at *ActivityTree) EvictImageTag(imageTag string)

EvictImageTag will remove every trace of the given image tag from the tree

func (*ActivityTree) EvictUnusedNodes

func (at *ActivityTree) EvictUnusedNodes(before time.Time, filepathsInProcessCache map[ImageProcessKey]bool, profileImageName, profileImageTag string) int

EvictUnusedNodes evicts all nodes that haven't been touched since the given timestamp and returns the total number of nodes evicted

func (*ActivityTree) ExtractPaths

func (at *ActivityTree) ExtractPaths(_, fimEnabled, lineageEnabled bool) (map[string][]string, map[string][]string)

ExtractPaths returns the exec / fim, exec / parent paths

func (*ActivityTree) ExtractSyscalls

func (at *ActivityTree) ExtractSyscalls(arch string) []string

ExtractSyscalls returns the syscalls present in an activity tree

func (*ActivityTree) FindMatchingRootNodes

func (at *ActivityTree) FindMatchingRootNodes(arg0 string) []*ProcessNode

FindMatchingRootNodes finds and returns the matching root nodes

func (*ActivityTree) GetChildren

func (at *ActivityTree) GetChildren() *[]*ProcessNode

GetChildren returns the list of root ProcessNodes from the ActivityTree

func (*ActivityTree) GetParent

func (at *ActivityTree) GetParent() ProcessNodeParent

GetParent returns nil for the ActivityTree

func (*ActivityTree) GetSiblings

func (at *ActivityTree) GetSiblings() *[]*ProcessNode

GetSiblings returns the list of siblings of the current node

func (*ActivityTree) Insert

func (at *ActivityTree) Insert(event *model.Event, insertMissingProcesses bool, imageTag string, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) (bool, error)

Insert inserts the event in the activity tree

func (*ActivityTree) IsEmpty

func (at *ActivityTree) IsEmpty() bool

IsEmpty returns true if the tree is empty

func (*ActivityTree) PrepareGraphData

func (at *ActivityTree) PrepareGraphData(name string, selector string, resolver *process.EBPFResolver) utils.Graph

PrepareGraphData returns a graph from the activity tree

func (*ActivityTree) ScrubProcessArgsEnvs

func (at *ActivityTree) ScrubProcessArgsEnvs(resolver *process.EBPFResolver)

ScrubProcessArgsEnvs scrubs and retains process args and envs

func (*ActivityTree) SendStats

func (at *ActivityTree) SendStats(client statsd.ClientInterface) error

SendStats sends the tree statistics

func (*ActivityTree) SetType

func (at *ActivityTree) SetType(treeType string, validator Owner)

SetType changes the type and owner of the ActivityTree

func (*ActivityTree) Snapshot

func (at *ActivityTree) Snapshot(newEvent func() *model.Event)

Snapshot uses procfs to snapshot the nodes of the tree

func (*ActivityTree) TagAllNodes

func (at *ActivityTree) TagAllNodes(imageTag string, timestamp time.Time)

TagAllNodes tags all the activity tree's nodes with the given image tag

type BindNode

// BindNode is used to store a bind node
type BindNode struct {
	NodeBase

	// MatchedRules are the matched rules recorded with this bind (see SocketNode.InsertBindEvent)
	MatchedRules []*model.MatchedRule

	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	Port           uint16
	IP             string
	Protocol       uint16
}

BindNode is used to store a bind node

func (*BindNode) Matches

func (bn *BindNode) Matches(toMatch *BindNode) bool

Matches returns true if the BindNodes match

type CapabilityNode

// CapabilityNode stores capabilities usage information for a process in the activity tree.
type CapabilityNode struct {
	NodeBase
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType

	Capability uint64 // The capability number
	Capable    bool   // Whether the process was capable of using the capability
}

CapabilityNode stores capabilities usage information for a process in the activity tree.

func NewCapabilityNode

func NewCapabilityNode(capability uint64, capable bool, timestamp time.Time, imageTag string, generationType NodeGenerationType) *CapabilityNode

NewCapabilityNode creates a new CapabilityNode

type DNSNode

// DNSNode is used to store a DNS node
type DNSNode struct {
	NodeBase
	// MatchedRules are the matched rules recorded with this node (see NewDNSNode)
	MatchedRules   []*model.MatchedRule
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	// Requests holds the DNS events recorded for this node
	Requests       []model.DNSEvent
}

DNSNode is used to store a DNS node

func NewDNSNode

func NewDNSNode(event *model.DNSEvent, evt *model.Event, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string) *DNSNode

NewDNSNode returns a new DNSNode instance

type FileNode

// FileNode holds a tree representation of a list of files
type FileNode struct {
	NodeBase
	MatchedRules   []*model.MatchedRule
	// Name is the path component held by this node
	Name           string
	// IsPattern marks a name that is a reduced pattern rather than a literal path component (presumably produced by PathsReducer — verify)
	IsPattern      bool
	File           *model.FileEvent
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	// Open holds the open-related fields of the file event, if any
	Open           *OpenNode

	// Children are the child file nodes indexed by name
	Children map[string]*FileNode
}

FileNode holds a tree representation of a list of files

func NewFileNode

func NewFileNode(fileEvent *model.FileEvent, event *model.Event, name string, imageTag string, generationType NodeGenerationType, reducedFilePath string, resolvers *resolvers.EBPFResolvers) *FileNode

NewFileNode returns a new FileActivityNode instance

func (*FileNode) InsertFileEvent

func (fn *FileNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, remainingPath string, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducedPath string, resolvers *resolvers.EBPFResolvers) bool

InsertFileEvent inserts an event in a FileNode. This function returns true if a new entry was added, false if the event was dropped.

type FlowNode

// FlowNode is used to store a flow node
type FlowNode struct {
	NodeBase
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	Flow           model.Flow
}

FlowNode is used to store a flow node

func NewFlowNode

func NewFlowNode(flow model.Flow, event *model.Event, generationType NodeGenerationType, imageTag string) *FlowNode

NewFlowNode returns a new FlowNode instance

type IMDSNode

// IMDSNode is used to store an IMDS node (cloud instance metadata service access by a process)
type IMDSNode struct {
	NodeBase
	MatchedRules   []*model.MatchedRule
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	Event          model.IMDSEvent
}

IMDSNode is used to store an IMDS node

func NewIMDSNode

func NewIMDSNode(event *model.IMDSEvent, evt *model.Event, rules []*model.MatchedRule, generationType NodeGenerationType, imageTag string) *IMDSNode

NewIMDSNode creates a new IMDSNode instance

type ImageProcessKey

// ImageProcessKey represents a unique key for process cache entries by image name, tag, and filepath
type ImageProcessKey struct {
	ImageName string
	ImageTag  string
	Filepath  string
}

ImageProcessKey represents a unique key for process cache entries by image name, tag, and filepath

type ImageTagTimes

// ImageTagTimes holds the first and last seen timestamps for a specific ImageTag (image tag).
type ImageTagTimes struct {
	FirstSeen time.Time
	LastSeen  time.Time
}

ImageTagTimes holds the first and last seen timestamps for a specific ImageTag (image tag).

type NetworkDeviceNode

// NetworkDeviceNode is used to store a Network Device node
type NetworkDeviceNode struct {
	MatchedRules   []*model.MatchedRule
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	Context        model.NetworkDeviceContext
	// FlowNodes are indexed by source IPPortContexts
	FlowNodes map[model.FiveTuple]*FlowNode
}

NetworkDeviceNode is used to store a Network Device node

func NewNetworkDeviceNode

func NewNetworkDeviceNode(ctx *model.NetworkDeviceContext, generationType NodeGenerationType) *NetworkDeviceNode

NewNetworkDeviceNode returns a new NetworkDeviceNode instance

type NodeBase

// NodeBase provides the base functionality for all nodes in the activity tree
type NodeBase struct {
	// Seen maps each imageTag to its first/last seen timestamps (see ImageTagTimes)
	Seen map[string]*ImageTagTimes // imageTag → timestamps
}

NodeBase provides the base functionality for all nodes in the activity tree

func NewNodeBase

func NewNodeBase() NodeBase

NewNodeBase creates a new NodeBase instance

func (*NodeBase) AppendImageTag

func (b *NodeBase) AppendImageTag(imageTag string, timestamp time.Time)

AppendImageTag adds a new entry in the map or updates the LastSeen for the given imageTag at time 'now'.

func (*NodeBase) EvictBeforeTimestamp

func (b *NodeBase) EvictBeforeTimestamp(before time.Time) int

EvictBeforeTimestamp removes all imageTags whose LastSeen is before the given timestamp. Returns the number of imageTags that were removed.

func (*NodeBase) EvictImageTag

func (b *NodeBase) EvictImageTag(imageTag string) bool

EvictImageTag removes the stored timestamps for an imageTag. It returns false if the imageTag was not present or if the imageTag is empty, and true if the imageTag was present and the map is now empty.

func (*NodeBase) HasImageTag

func (b *NodeBase) HasImageTag(imageTag string) bool

HasImageTag returns true if the imageTag exists in the Seen map.

func (*NodeBase) RecordWithTimestamps

func (b *NodeBase) RecordWithTimestamps(imageTag string, firstSeen, lastSeen time.Time)

RecordWithTimestamps sets both FirstSeen and LastSeen for the given imageTag with the provided timestamps.

type NodeDroppedReason

// NodeDroppedReason is used to list the reasons to drop a node
type NodeDroppedReason byte

NodeDroppedReason is used to list the reasons to drop a node

func (NodeDroppedReason) String

func (reason NodeDroppedReason) String() string

func (NodeDroppedReason) Tag

func (reason NodeDroppedReason) Tag() string

Tag returns the metric tag associated with this dropped reason, it's basically fmt.Sprintf("reason:%s", reason)

type NodeGenerationType

// NodeGenerationType is used to indicate if a node was generated by a runtime or snapshot event.
// IMPORTANT: IT MUST STAY IN SYNC WITH `adproto.GenerationType`
type NodeGenerationType byte

NodeGenerationType is used to indicate if a node was generated by a runtime or snapshot event. IMPORTANT: IT MUST STAY IN SYNC WITH `adproto.GenerationType`

const (
	// Unknown is a node that was added at an unknown time
	Unknown NodeGenerationType = 0
	// Runtime is a node that was added at runtime
	Runtime NodeGenerationType = 1
	// Snapshot is a node that was added during the snapshot
	Snapshot NodeGenerationType = 2
	// ProfileDrift is a node that was added because of a drift from a security profile
	ProfileDrift NodeGenerationType = 3
	// WorkloadWarmup is a node that was added because of a drift in a warming up profile
	WorkloadWarmup NodeGenerationType = 4
	// MaxNodeGenerationType is the maximum node type; keep it equal to the highest value defined above
	MaxNodeGenerationType NodeGenerationType = 4
)

func (NodeGenerationType) String

func (genType NodeGenerationType) String() string

func (NodeGenerationType) Tag

func (genType NodeGenerationType) Tag() string

Tag returns the metric tag associated with this generation type, it's basically fmt.Sprintf("generation_type:%s", genType)

type OpenNode

// OpenNode contains the relevant fields of an Open event on which we might want to write a profiling rule
type OpenNode struct {
	model.SyscallEvent
	// Flags and Mode presumably mirror the flags and mode arguments of the open call — verify against the model
	Flags uint32
	Mode  uint32
}

OpenNode contains the relevant fields of an Open event on which we might want to write a profiling rule

type Owner

// Owner is used to communicate with the owner of the activity tree
type Owner interface {
	// MatchesSelector reports whether the process cache entry belongs to this owner
	MatchesSelector(entry *model.ProcessCacheEntry) bool
	// IsEventTypeValid reports whether the owner accepts the given event type
	IsEventTypeValid(evtType model.EventType) bool
	// NewProcessNodeCallback is invoked when a new process node is created in the tree
	NewProcessNodeCallback(p *ProcessNode)
}

Owner is used to communicate with the owner of the activity tree

type PathsReducer

// PathsReducer is used to reduce the paths in an activity tree according to predefined heuristics
type PathsReducer struct {
	// contains filtered or unexported fields
}

PathsReducer is used to reduce the paths in an activity tree according to predefined heuristics

func NewPathsReducer

func NewPathsReducer() *PathsReducer

NewPathsReducer returns a new PathsReducer

func (*PathsReducer) ReducePath

func (r *PathsReducer) ReducePath(path string, fileEvent *model.FileEvent, node *ProcessNode) string

ReducePath reduces a path according to the predefined heuristics

type PatternReducer

// PatternReducer is used to reduce the paths in an activity tree according to a given pattern
type PatternReducer struct {
	// Pattern is the regular expression matched against the path
	Pattern  *regexp.Regexp
	Hint     string
	// PreCheck, when set, is presumably consulted before the pattern is applied — verify
	PreCheck func(path string, fileEvent *model.FileEvent) bool
	// Callback is invoked with the reduction context
	Callback func(ctx *callbackContext)
}

PatternReducer is used to reduce the paths in an activity tree according to a given pattern

type ProcessNode

// ProcessNode holds the activity of a process
type ProcessNode struct {
	NodeBase
	Process        model.Process
	// Parent is the parent of this node (a ProcessNode or the ActivityTree)
	Parent         ProcessNodeParent
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	MatchedRules   []*model.MatchedRule

	// per-process activity, indexed by key
	Files          map[string]*FileNode
	DNSNames       map[string]*DNSNode
	IMDSEvents     map[model.IMDSEvent]*IMDSNode
	NetworkDevices map[model.NetworkDeviceContext]*NetworkDeviceNode

	// per-process activity lists
	Sockets      []*SocketNode
	Syscalls     []*SyscallNode
	Capabilities []*CapabilityNode
	// Children are the child process nodes
	Children     []*ProcessNode
}

ProcessNode holds the activity of a process

func NewProcessNode

func NewProcessNode(entry *model.ProcessCacheEntry, generationType NodeGenerationType, resolvers *resolvers.EBPFResolvers) *ProcessNode

NewProcessNode returns a new ProcessNode instance

func (*ProcessNode) AppendChild

func (pn *ProcessNode) AppendChild(node *ProcessNode)

AppendChild appends a new root node in the ActivityTree

func (*ProcessNode) EvictImageTag

func (pn *ProcessNode) EvictImageTag(imageTag string, DNSNames *utils.StringKeys, SyscallsMask map[int]int) bool

EvictImageTag will remove every trace of this image tag and returns true if the process node should be removed as well; it also recomputes the list of DNS names and syscalls

func (*ProcessNode) EvictUnusedNodes

func (pn *ProcessNode) EvictUnusedNodes(before time.Time, filepathsInProcessCache map[ImageProcessKey]bool, profileImageName, profileImageTag string) int

EvictUnusedNodes evicts all child nodes that haven't been touched since the given timestamp and returns the total number of process nodes evicted; a node is only evicted if all its children are evictable.

func (*ProcessNode) GetChildren

func (pn *ProcessNode) GetChildren() *[]*ProcessNode

GetChildren returns the list of children from the ProcessNode

func (*ProcessNode) GetParent

func (pn *ProcessNode) GetParent() ProcessNodeParent

GetParent returns nil for the ActivityTree

func (*ProcessNode) GetSiblings

func (pn *ProcessNode) GetSiblings() *[]*ProcessNode

GetSiblings returns the list of siblings of the current node

func (*ProcessNode) InsertBindEvent

func (pn *ProcessNode) InsertBindEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertBindEvent inserts a bind event in a process node

func (*ProcessNode) InsertCapabilitiesUsageEvent

func (pn *ProcessNode) InsertCapabilitiesUsageEvent(evt *model.Event, imageTag string, stats *Stats, dryRun bool) bool

InsertCapabilitiesUsageEvent inserts a capabilities usage event in a process node

func (*ProcessNode) InsertDNSEvent

func (pn *ProcessNode) InsertDNSEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, DNSNames *utils.StringKeys, dryRun bool, dnsMatchMaxDepth int) bool

InsertDNSEvent inserts a DNS event in a process node

func (*ProcessNode) InsertFileEvent

func (pn *ProcessNode) InsertFileEvent(fileEvent *model.FileEvent, event *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool, reducer *PathsReducer, resolvers *resolvers.EBPFResolvers) bool

InsertFileEvent inserts the provided file event in the current node. This function returns true if a new entry was added, false if the event was dropped.

func (*ProcessNode) InsertIMDSEvent

func (pn *ProcessNode) InsertIMDSEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertIMDSEvent inserts an IMDS event in a process node

func (*ProcessNode) InsertNetworkFlowMonitorEvent

func (pn *ProcessNode) InsertNetworkFlowMonitorEvent(evt *model.Event, imageTag string, generationType NodeGenerationType, stats *Stats, dryRun bool) bool

InsertNetworkFlowMonitorEvent inserts a Network Flow Monitor event in a process node

func (*ProcessNode) InsertSyscalls

func (pn *ProcessNode) InsertSyscalls(e *model.Event, imageTag string, syscallMask map[int]int, stats *Stats, dryRun bool) bool

InsertSyscalls inserts the syscall of the process in the dump

func (*ProcessNode) Matches

func (pn *ProcessNode) Matches(entry *model.Process, matchArgs bool, normalize bool) bool

Matches return true if the process fields used to generate the dump are identical with the provided model.Process

func (*ProcessNode) TagAllNodes

func (pn *ProcessNode) TagAllNodes(imageTag string, timestamp time.Time)

TagAllNodes tags this process, its files/dns/socks and children with the given image tag

type ProcessNodeParent

// ProcessNodeParent is an interface used to identify the parent of a process node
type ProcessNodeParent interface {
	// GetParent returns the parent node, or nil for the ActivityTree
	GetParent() ProcessNodeParent
	// GetChildren returns the list of child process nodes
	GetChildren() *[]*ProcessNode
	// GetSiblings returns the list of siblings of the current node
	GetSiblings() *[]*ProcessNode
	// AppendChild appends a new child node
	AppendChild(node *ProcessNode)
	// AppendImageTag records the given image tag at the given timestamp
	AppendImageTag(imageTag string, timestamp time.Time)
}

ProcessNodeParent is an interface used to identify the parent of a process node

type SocketNode

// SocketNode is used to store a Socket node and associated events
type SocketNode struct {
	NodeBase
	Family         string
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	// Bind holds the bind nodes recorded for this socket
	Bind           []*BindNode
}

SocketNode is used to store a Socket node and associated events

func NewSocketNode

func NewSocketNode(family string, generationType NodeGenerationType) *SocketNode

NewSocketNode returns a new SocketNode instance

func (*SocketNode) InsertBindEvent

func (sn *SocketNode) InsertBindEvent(evt *model.BindEvent, event *model.Event, imageTag string, generationType NodeGenerationType, rules []*model.MatchedRule, dryRun bool) bool

InsertBindEvent inserts a bind event inside a socket node

func (*SocketNode) Matches

func (sn *SocketNode) Matches(toMatch *SocketNode) bool

Matches returns true if the SocketNodes match

type Stats

// Stats represents the node counts in an activity dump
type Stats struct {
	ProcessNodes    int64
	FileNodes       int64
	DNSNodes        int64
	SocketNodes     int64
	IMDSNodes       int64
	SyscallNodes    int64
	FlowNodes       int64
	CapabilityNodes int64
	// contains filtered or unexported fields
}

Stats represents the node counts in an activity dump

func NewActivityTreeNodeStats

func NewActivityTreeNodeStats() *Stats

NewActivityTreeNodeStats returns a new activity tree stats

func (*Stats) ApproximateSize

func (stats *Stats) ApproximateSize() int64

ApproximateSize returns an approximation of the size of the tree

func (*Stats) SendStats

func (stats *Stats) SendStats(client statsd.ClientInterface, treeType string) error

SendStats sends metrics to Datadog

type SyscallNode

// SyscallNode is used to store a syscall node
type SyscallNode struct {
	NodeBase
	// GenerationType records whether the node came from a runtime or snapshot event
	GenerationType NodeGenerationType
	// Syscall is the syscall number
	Syscall        int
}

SyscallNode is used to store a syscall node

func NewSyscallNode

func NewSyscallNode(syscall int, timestamp time.Time, imageTag string, generationType NodeGenerationType) *SyscallNode

NewSyscallNode returns a new SyscallNode instance

Directories

Path Synopsis
Package metadata holds metadata related files
Package metadata holds metadata related files
