
Constants

// Key names for the two eBPF object identifiers carried in
// file-descriptor data: the map ID and the program ID.
// NOTE(review): the consumer of these keys is not shown here —
// presumably EBPFModule.Execute; confirm before relying on the format.
const (
	FileDescriptorMapIDKey  = "map_id"
	FileDescriptorProgIDKey = "prog_id"
)
// Linux namespace kinds, spelled as the kernel names them (the entry
// names under /proc/[pid]/ns/). They correspond one-to-one with the
// fields and JSON tags of NamespaceModule.
// NOTE(review): how NamespaceModule.Execute uses them (presumably to
// resolve /proc/[pid]/ns/<name>) is not shown here — confirm.
const (
	NamespaceMount  string = "mnt"
	NamespaceIPC    string = "ipc"
	NamespaceCgroup string = "cgroup"
	NamespacePid    string = "pid"
	NamespaceNet    string = "net"
	NamespaceUTS    string = "uts"
	NamespaceTime   string = "time"
)
// DefaultEBPFFileSystemDataDir is the bpffs mount point that
// NewEBPFFileSystemData reads; maps.debug and progs.debug live under it.
const (
	DefaultEBPFFileSystemDataDir = "/sys/fs/bpf"
)

Variables

This section is empty.

Functions

func IDFromMap added in v1.1.0

func IDFromMap(mp string) int

IDFromMap returns the first value from a uid_map or gid_map entry under /proc.

func IDFromMapString added in v1.1.0

func IDFromMapString(mp string) string

func StatusFileIsThread added in v1.1.0

func StatusFileIsThread(status string) bool

Types

type ContainerModule added in v1.1.0

// ContainerModule is a ProcessExplorerModule (it provides Meta and
// Execute) that records container-related observations about a Process.
// Construct it with NewContainerModule.
type ContainerModule struct {
	// CgroupNamespaceUnique reports whether the process's cgroup namespace
	// is distinct — presumably from the inspecting process's own, which is
	// the usual container heuristic; confirm in Execute.
	CgroupNamespaceUnique bool `json:"isCgroupNamespaceUnique,omitempty"`
	// contains filtered or unexported fields
}

func NewContainerModule added in v1.1.0

func NewContainerModule() *ContainerModule

func (*ContainerModule) Execute added in v1.1.0

func (m *ContainerModule) Execute(p *Process) error

func (*ContainerModule) Meta added in v1.1.0

func (m *ContainerModule) Meta() *Meta

type EBPFFileSystemData added in v1.1.0

// EBPFFileSystemData is structured data parsed from files under
// /sys/fs/bpf/ (NewEBPFFileSystemData reads maps.debug and progs.debug).
// Both maps are keyed by string; which Map/Prog field is the key is not
// shown here — presumably ID. Confirm before indexing by name.
type EBPFFileSystemData struct {
	Maps  map[string]*Map  // eBPF maps found on the bpffs
	Progs map[string]*Prog // eBPF programs found on the bpffs
}

EBPFFileSystemData is structured data parsed from files under /sys/fs/bpf/.

func NewEBPFFileSystemData added in v1.1.0

func NewEBPFFileSystemData() (*EBPFFileSystemData, error)

NewEBPFFileSystemData reads and parses /sys/fs/bpf/maps.debug and /sys/fs/bpf/progs.debug.

type EBPFModule added in v1.1.0

// EBPFModule is a ProcessExplorerModule (it provides Meta and Execute)
// that records eBPF-related observations about a Process. Construct it
// with NewEBPFModule.
// NOTE(review): the Mounts field is serialized under the singular tag
// "mount"; callers reading the JSON should not expect "mounts".
type EBPFModule struct {
	Mounts string   `json:"mount,omitempty"` // bpffs mount information; exact content not shown here
	Progs  []string `json:"progs,omitempty"` // eBPF programs attributed to the process (presumably by ID or name)
	Maps   []string `json:"maps,omitempty"`  // eBPF maps attributed to the process (presumably by ID or name)
}

func NewEBPFModule added in v1.1.0

func NewEBPFModule() *EBPFModule

func (*EBPFModule) Execute added in v1.1.0

func (m *EBPFModule) Execute(p *Process) error

func (*EBPFModule) Meta added in v1.1.0

func (m *EBPFModule) Meta() *Meta

type Group

// Group is a POSIX group as attached to a User; it is embedded in User
// and serialized under "group".
type Group struct {
	ID   int    `json:"gid,omitempty"`  // numeric gid; omitempty drops gid 0 (root) from JSON
	Name string `json:"name,omitempty"` // group name
}

type Map added in v1.1.0

// Map is one eBPF map entry as collected into EBPFFileSystemData.Maps.
// All fields are kept as raw strings rather than parsed into integers.
type Map struct {
	ID         string // map id as read from maps.debug (see NewEBPFFileSystemData)
	Name       string // map name
	MaxEntries string // maximum entry count, unparsed string form
}

type Meta added in v1.1.0

// Meta is the static descriptor a ProcessExplorerModule returns from
// its Meta method.
type Meta struct {
	Name        string   // short module name
	Description string   // human-readable description of what the module inspects
	Authors     []string // module authors
}

type NamespaceModule added in v1.1.0

// NamespaceModule is a ProcessExplorerModule (it provides Meta and
// Execute) holding one string per Linux namespace kind for a Process.
// The JSON tags equal the Namespace* constant values (note Mount is
// tagged "mnt"). The string content is not shown here — presumably the
// /proc/[pid]/ns/<kind> link target; confirm in Execute. Construct it
// with NewNamespaceModule.
type NamespaceModule struct {
	Net    string `json:"net,omitempty"`
	PID    string `json:"pid,omitempty"`
	Cgroup string `json:"cgroup,omitempty"`
	IPC    string `json:"ipc,omitempty"`
	Mount  string `json:"mnt,omitempty"`
	UTS    string `json:"uts,omitempty"`
	Time   string `json:"time,omitempty"`
}

func NewNamespaceModule added in v1.1.0

func NewNamespaceModule() *NamespaceModule

func (*NamespaceModule) Execute added in v1.1.0

func (m *NamespaceModule) Execute(p *Process) error

func (*NamespaceModule) Meta added in v1.1.0

func (m *NamespaceModule) Meta() *Meta

type ProcModule added in v1.1.0

// ProcModule is a ProcessExplorerModule (it provides Meta and Execute)
// that records what could be read about a Process from /proc. Opendir,
// Chdir and Dent mirror the ProcessVisible fields of the same names and
// tags; because Process embeds both types, these names are ambiguous as
// promoted selectors on Process and must be accessed through the embedded
// field. Construct it with NewProcModule.
type ProcModule struct {
	Opendir int    `json:"opendir,omitempty"` // see ProcessVisible.Opendir; omitempty drops a 0 result from JSON
	Chdir   int    `json:"chdir,omitempty"`   // see ProcessVisible.Chdir
	Dent    int    `json:"dents,omitempty"`   // see ProcessVisible.Dent
	Comm    string `json:"comm,omitempty"`    // /proc/[pid]/comm content, presumably
	Cmdline string `json:"cmdline,omitempty"` // /proc/[pid]/cmdline content, presumably
	Status  string `json:"status,omitempty"`  // /proc/[pid]/status content, presumably (cf. StatusFileIsThread)
}

func NewProcModule added in v1.1.0

func NewProcModule() *ProcModule

func (*ProcModule) Execute added in v1.1.0

func (m *ProcModule) Execute(p *Process) error

func (*ProcModule) Meta added in v1.1.0

func (m *ProcModule) Meta() *Meta

type Process

// Process is a Linux process abstraction built from /proc plus runtime
// checks. It embeds ProcessVisible, User and the four explorer modules.
// Note that Opendir, Chdir and Dent exist on both ProcessVisible and
// ProcModule, so p.Opendir is an ambiguous selector; use
// p.ProcessVisible.Opendir or p.ProcModule.Opendir. Each embedded field
// carries its own JSON tag, so encoding/json emits it as a nested object
// rather than flattening it; omitempty is a no-op on struct-typed fields.
type Process struct {

	// The process unique ID.
	PID int64 `json:"pid,omitempty"`

	// ShowHeader is used to also encode the header for runtime encoders.
	// This should never be used by formatting encoders such as JSON or similar.
	// DrawLineAfter is a second presentation-only hint; both are excluded
	// from JSON via json:"-". What DrawLineAfter draws is not shown here.
	ShowHeader    bool `json:"-"`
	DrawLineAfter bool `json:"-"`

	// ProcessVisible is a combination of the values
	// we get from libxpid that will determine if a process
	// running in Linux is visible or not.
	// Always encoded (nested under "processVisible"); omitempty does not
	// apply to structs.
	ProcessVisible `json:"processVisible,omitempty"`

	// User is the user associated with the process.
	//
	// Group is a subset of User.
	User `json:"user,omitempty"`

	// Name (/proc/[pid]/comm)
	// This file exposes the process's comm value—that is, the
	// command name associated with the process.
	Name string `json:"name,omitempty"`

	// CommandLine (/proc/[pid]/cmdline)
	// This read-only file holds the complete command line for
	// the process, unless the process is a zombie.  In the
	// latter case, there is nothing in this file: that is, a
	// read on this file will return 0 characters.
	CommandLine string `json:"commandLine,omitempty"`

	// EBPF is an xpid specific field that attempts to detect
	// if a specific PID is running any eBPF related probes or maps.
	//
	// Will be set to true if eBPF is detected.
	EBPF bool `json:"ebpf,omitempty"`

	// Container is an xpid specific field that attempts to detect
	// if a specific PID is running as a container.
	//
	// Will be set to true if we suspect this is a container PID.
	Container bool `json:"container,omitempty"`

	// Thread is a bool that will be set if the process is part of
	// a thread pool, or has a TGID that differs from its PID.
	//
	// Read from /proc/[pid]/status.
	Thread bool `json:"thread,omitempty"`

	// Per-module results. Each is embedded by value and tagged, so it is
	// encoded as its own nested object ("ebpfModule", "procModule", ...).
	// How Execute populates them (on p, or on the module instance that is
	// then copied here) is not shown in this block.
	EBPFModule      `json:"ebpfModule,omitempty"`
	ProcModule      `json:"procModule,omitempty"`
	ContainerModule `json:"containerModule,omitempty"`
	NamespaceModule `json:"namespaceModule,omitempty"`
}

Process is a Linux process abstraction. By design this will have fields that are available in /proc and much more.

Some of these fields will be calculated at runtime based on certain situations in the system.

This data structure and the logic that populates it will be a substantial part of the xpid library, and the xpid API.

func ProcessPID

func ProcessPID(pid int64) *Process

type ProcessExecutable added in v1.1.0

// ProcessExecutable is a constructor-style callback: given a Process it
// returns the ProcessExplorerModule to run for it, or an error. Where the
// library invokes it is not shown here.
type ProcessExecutable func(p *Process) (ProcessExplorerModule, error)

type ProcessExplorerModule added in v1.1.0

// ProcessExplorerModule is the plugin contract implemented by
// ContainerModule, EBPFModule, NamespaceModule and ProcModule.
type ProcessExplorerModule interface {
	Meta() *Meta              // static descriptor: name, description, authors
	Execute(p *Process) error // inspects p and reports failure via the returned error
}

type ProcessVisible

// ProcessVisible records the outcome of three independent probes of
// /proc/[pid]; together they indicate whether the process can be seen by
// the inspecting user. The int encoding of each field (success flag or
// error code) is not shown here — confirm against the module that fills
// it in; note that omitempty drops a 0 value from JSON, so consumers must
// know which meaning 0 carries.
// NOTE(review): a /proc mounted with hidepid= makes other users'
// /proc/[pid] directories fail these same probes for unprivileged
// callers; a failure alone is not evidence of deliberate hiding until
// that case is ruled out.
type ProcessVisible struct {

	// Opendir is if the /proc/[pid] directory can be "opened" or "listed".
	// Failing Opendir is a sign that the process may be being hidden
	// (obfuscated) from the user at runtime.
	Opendir int `json:"opendir,omitempty"`

	// Chdir is if the /proc/[pid] directory can be "navigated" or "changed to".
	// Failing chdir is a sign that the current user has insufficient permission,
	// or that something in the kernel is preventing the user from opening the directory.
	Chdir int `json:"chdir,omitempty"`

	// After opendir we see if we can "list" files inside of the directory.
	// This call happens at a higher level and will see if a directory
	// within proc can be found by opening its parent directory for listing.
	//
	// In this case /proc is typically opened, and then the pid directories are
	// matched against!
	Dent int `json:"dents,omitempty"`
}

type Prog added in v1.1.0

// Prog is one eBPF program entry as collected into
// EBPFFileSystemData.Progs. All fields are kept as raw strings.
type Prog struct {
	ID       string // program id as read from progs.debug (see NewEBPFFileSystemData)
	Name     string // program name
	Attached string // attachment information, unparsed string form
}

type User

// User is the account associated with a Process, serialized under "user".
// The outer ID and Name shadow the promoted fields of the embedded
// user.User and Group, so u.ID and u.Name refer to this struct's own
// fields.
type User struct {
	user.User `json:"-"`                      // embedded account record (presumably os/user.User); never serialized
	Group     `json:"group,omitempty"`        // associated group; omitempty is a no-op on struct fields
	ID        int    `json:"uid,omitempty"`  // numeric uid; omitempty drops uid 0 (root) from JSON
	Name      string `json:"name,omitempty"` // user name
}

User is a user from the filesystem. It can be populated from process details or from the current user context.
