Affected by GO-2025-3917 and 3 other vulnerabilities

GO-2025-3917: NeuVector has an insecure password storage vulnerable to rainbow attack in github.com/neuvector/neuvector

GO-2025-3918: NeuVector admin account has insecure default password in github.com/neuvector/neuvector

GO-2025-3919: NeuVector process with sensitive arguments lead to leakage in github.com/neuvector/neuvector

GO-2025-4044: NeuVector telemetry sender is vulnerable to MITM and DoS in github.com/neuvector/neuvector

probe

package

v0.0.0-test Latest Latest Go to latest Published: Dec 11, 2024 License: Apache-2.0 Imports: 30 Imported by: 4

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/neuvector/neuvector

Links

Open Source Insights

Documentation ¶

Rendered for

Index ¶

Constants
Variables
type BtrfsLayerData
type FileAccessCtrl
- func NewFileAccessCtrl(p *Probe) (*FileAccessCtrl, bool)
type FileAccessProbeData
type FileNotificationCtr
- func NewFsnCenter(p *Probe, rtStorageDriver string) (*FileNotificationCtr, bool)
type Probe
- func New(pc *ProbeConfig, logLevel string) (*Probe, error)
type ProbeConfig
type ProbeEscalation
type ProbeMessage
type ProbeProcess

Constants ¶

View Source

const (
	RTMGRP_LINK        uint32 = 0x1
	RTMGRP_IPV4_IFADDR uint32 = 0x10
	RTMGRP_IPV6_IFADDR uint32 = 0x100
)

View Source

const (
	PROBE_PROCESS_CHANGE = iota
	PROBE_CONTAINER_START
	PROBE_CONTAINER_STOP
	PROBE_CONTAINER_NEW_IP
	PROBE_REPORT_ESCALATION
	PROBE_REPORT_SUSPICIOUS
	PROBE_REPORT_TUNNEL
	PROBE_REPORT_FILE_MODIFIED
	PROBE_REPORT_PROCESS_VIOLATION
	PROBE_REPORT_PROCESS_DENIED
	PROBE_HOST_NEW_IP // obsolete
)

View Source

const INET_DIAG_INFO = 2

Variables ¶

View Source

var ProbeMsgName = []string{
	PROBE_PROCESS_CHANGE:           "process_change",
	PROBE_CONTAINER_START:          "container_start",
	PROBE_CONTAINER_STOP:           "container_stop",
	PROBE_CONTAINER_NEW_IP:         "container_new_ip",
	PROBE_REPORT_ESCALATION:        "escalation",
	PROBE_REPORT_SUSPICIOUS:        "suspicious_process",
	PROBE_REPORT_TUNNEL:            "tunnel_connection",
	PROBE_REPORT_FILE_MODIFIED:     "file_modified",
	PROBE_REPORT_PROCESS_VIOLATION: "process_profile_violation",
	PROBE_REPORT_PROCESS_DENIED:    "process_profile_denied",
	PROBE_HOST_NEW_IP:              "host_new_ip",
}

View Source

var ProcFilters = []bpf.Instruction{
	bpf.LoadAbsolute{Off: posProcEventWhat, Size: 4},

	bpf.JumpIf{Val: utils.Htonl(netlink.PROC_EVENT_FORK), SkipFalse: 7},
	bpf.LoadAbsolute{Off: posForkChildPid, Size: 4},
	bpf.StoreScratch{Src: bpf.RegA, N: 0},
	bpf.LoadScratch{Dst: bpf.RegX, N: 0},
	bpf.LoadAbsolute{Off: posForkChildTgid, Size: 4},
	bpf.JumpIfX{SkipFalse: 1},
	bpf.RetConstant{Val: 0xffffffff},
	bpf.RetConstant{Val: 0x0},

	bpf.JumpIf{Val: utils.Htonl(netlink.PROC_EVENT_EXIT), SkipFalse: 7},
	bpf.LoadAbsolute{Off: posExitProcessPid, Size: 4},
	bpf.StoreScratch{Src: bpf.RegA, N: 0},
	bpf.LoadScratch{Dst: bpf.RegX, N: 0},
	bpf.LoadAbsolute{Off: posExitProcessTgid, Size: 4},
	bpf.JumpIfX{SkipFalse: 1},
	bpf.RetConstant{Val: 0xffffffff},
	bpf.RetConstant{Val: 0x0},

	bpf.RetConstant{Val: 0xfffffff},
}

berkeley packet filter (BPF) Filter out unused fork/exit thread's packets

Functions ¶

This section is empty.

Types ¶

type BtrfsLayerData ¶

type BtrfsLayerData struct {
	ID      string    `json:"id"`
	Parent  string    `json:"parent"`
	Names   []string  `json:"names"`
	Created time.Time `json:"created"`
}

/////////////////////

type FileAccessCtrl ¶

type FileAccessCtrl struct {
	// contains filtered or unexported fields
}

global control data

func NewFileAccessCtrl ¶

func NewFileAccessCtrl(p *Probe) (*FileAccessCtrl, bool)

//////////

func (*FileAccessCtrl) AddContainerControlByPolicyOrder ¶

func (fa *FileAccessCtrl) AddContainerControlByPolicyOrder(id, setting, svcGroup string, rootpid int, ppe_list []*share.CLUSProcessProfileEntry) bool

///

func (*FileAccessCtrl) Close ¶

func (fa *FileAccessCtrl) Close()

///

func (*FileAccessCtrl) GetProbeData ¶

func (fa *FileAccessCtrl) GetProbeData() *FileAccessProbeData

///

func (*FileAccessCtrl) RemoveContainerControl ¶

func (fa *FileAccessCtrl) RemoveContainerControl(id string) bool

type FileAccessProbeData ¶

type FileAccessProbeData struct {
	// contains filtered or unexported fields
}

type FileNotificationCtr ¶

type FileNotificationCtr struct {
	// contains filtered or unexported fields
}

global control data

func NewFsnCenter ¶

func NewFsnCenter(p *Probe, rtStorageDriver string) (*FileNotificationCtr, bool)

//////////

func (*FileNotificationCtr) AddContainer ¶

func (fsn *FileNotificationCtr) AddContainer(id, cPath, role string, pid int) (bool, map[string]*fileInfo)

func (*FileNotificationCtr) Close ¶

func (fsn *FileNotificationCtr) Close()

func (*FileNotificationCtr) GetUpperFileInfo ¶

func (fsn *FileNotificationCtr) GetUpperFileInfo(id, file string) (*fileInfo, bool)

must be valid as a new file

func (*FileNotificationCtr) IsNotExistingImageFile ¶

func (fsn *FileNotificationCtr) IsNotExistingImageFile(id, file string) (*fileInfo, bool)

func (*FileNotificationCtr) RemoveContainer ¶

func (fsn *FileNotificationCtr) RemoveContainer(id, cPath string) bool

type Probe ¶

type Probe struct {
	FaEndChan chan bool

	IsNvProtectAlerted bool
	// contains filtered or unexported fields
}

func New ¶

func New(pc *ProbeConfig, logLevel string) (*Probe, error)

func (*Probe) BuildProcessFamilyGroups ¶

func (p *Probe) BuildProcessFamilyGroups(id string, rootPid int, bSandboxPod, bPrivileged bool, healthCheck []string)

func (*Probe) CheckDNSTunneling ¶

func (p *Probe) CheckDNSTunneling(ids []string, clientPort share.CLUSProtoPort, locIp, remIp net.IP, locPort, remPort uint16) bool

func (*Probe) Close ¶

func (p *Probe) Close()

func (*Probe) GetContainerAppPorts ¶

func (p *Probe) GetContainerAppPorts(id string) (utils.Set, map[share.CLUSProtoPort]*share.CLUSApp)

get a container's listen ports and application map

func (*Probe) GetContainerMap ¶

func (p *Probe) GetContainerMap() []*share.CLUSProbeContainer

func (*Probe) GetContainerProcHistory ¶

func (p *Probe) GetContainerProcHistory(id string) []*share.CLUSProcess

func (*Probe) GetContainerProcs ¶

func (p *Probe) GetContainerProcs(id string) []*share.CLUSProcess

func (*Probe) GetHostModeSessions ¶

func (p *Probe) GetHostModeSessions(ids utils.Set) []*share.CLUSSession

func (*Probe) GetProbeSummary ¶

func (p *Probe) GetProbeSummary() *share.CLUSProbeSummary

func (*Probe) GetProcessInfo ¶

func (p *Probe) GetProcessInfo(pid int) (*procInternal, bool)

func (*Probe) GetProcessMap ¶

func (p *Probe) GetProcessMap() []*share.CLUSProbeProcess

func (*Probe) HandleAnchorModeChange ¶

func (p *Probe) HandleAnchorModeChange(bAdd bool, id, cPath string, rootPid int)

func (*Probe) HandleAnchorNvProtectChange ¶

func (p *Probe) HandleAnchorNvProtectChange(bAdd bool, id, cPath, role string, rootPid int)

func (*Probe) HandleProcessPolicyChange ¶

func (p *Probe) HandleProcessPolicyChange(id string, pid int, pg *share.CLUSProcessProfile, bAddContainer, bBlocking bool)

////

func (*Probe) IsAllowedShieldProcess ¶

func (p *Probe) IsAllowedShieldProcess(id, mode, svcGroup string, proc *procInternal, ppe *share.CLUSProcessProfileEntry, bFromPmon bool) bool

func (*Probe) IsConnectionMonitored ¶

func (p *Probe) IsConnectionMonitored() bool

func (*Probe) NotifyPolicyChange ¶

func (p *Probe) NotifyPolicyChange(containerSet utils.Set)

func (*Probe) PatchContainerProcess ¶

func (p *Probe) PatchContainerProcess(pid int, bEval bool) bool

PatchContainerProcess() Fixed the missing process table, caused by the netlink recv errors, no process record is available. Current patch is only for important init-process of a container

func (*Probe) ProcessFsnEvent ¶

func (p *Probe) ProcessFsnEvent(id string, files []string, finfo fileInfo)

func (*Probe) ProcessLookup ¶

func (p *Probe) ProcessLookup(pid int) *fsmon.ProcInfo

func (*Probe) PutBeginningProcEventsBackToWork ¶

func (p *Probe) PutBeginningProcEventsBackToWork(id string) int

Patch for newly created conatiners, not for host

func (*Probe) RemoveProcessControl ¶

func (p *Probe) RemoveProcessControl(id string)

///

func (*Probe) ReportDockerCp ¶

func (p *Probe) ReportDockerCp(id, containerName string, toContainer bool)

func (*Probe) SendAggregateFsMonReport ¶

func (p *Probe) SendAggregateFsMonReport(pmsg *fsmon.MonitorMessage) bool

///

func (*Probe) SendAggregateProbeReport ¶

func (p *Probe) SendAggregateProbeReport(pmsg *ProbeMessage, bExtOp bool) bool

func (*Probe) SetFileMonitor ¶

func (p *Probe) SetFileMonitor(fm *fsmon.FileWatch)

func (*Probe) SetMonitorTrace ¶

func (p *Probe) SetMonitorTrace(bEnable bool, logLevel string)

func (*Probe) SetNvProtect ¶

func (p *Probe) SetNvProtect(bDisable bool)

func (*Probe) StartMonitorConnection ¶

func (p *Probe) StartMonitorConnection()

func (*Probe) StartMonitorHostInterface ¶

func (p *Probe) StartMonitorHostInterface(hid string, pid int)

obsolete

func (*Probe) StartMonitorInterface ¶

func (p *Probe) StartMonitorInterface(id string, pid int, timeout time.Duration)

func (*Probe) StopMonitorInterface ¶

func (p *Probe) StopMonitorInterface(id string)

func (*Probe) UpdateFromAllowRule ¶

func (p *Probe) UpdateFromAllowRule(id, path string)

type ProbeConfig ¶

type ProbeConfig struct {
	ProfileEnable        bool
	Pid                  int
	PidMode              string
	DpTaskCallback       dp.DPTaskCallback
	NotifyTaskChan       chan *ProbeMessage
	NotifyFsTaskChan     chan *fsmon.MonitorMessage
	PolicyLookupFunc     func(conn *dp.Connection) (uint32, uint8, bool)
	ProcPolicyLookupFunc func(id, riskType, pname, ppath string, pid, pgid, shellCmd int, proc *share.CLUSProcessProfileEntry) (string, string, string, string, bool, error)
	IsK8sGroupWithProbe  func(svcGroup string) bool
	ReportLearnProc      func(svcGroup string, proc *share.CLUSProcessProfileEntry)
	IsNeuvectorContainer func(id string) (string, bool)
	ContainerInContainer bool
	GetContainerPid      func(id string) int
	GetAllContainerList  func() utils.Set
	RerunKubeBench       func(string, string)
	GetEstimateProcGroup func(id, name, path string) (string, string)
	GetServiceGroupName  func(id string) (string, bool, bool)
	CapKubeBench         bool
	FAEndChan            chan bool
	EnableTrace          bool
	DeferContStartRpt    bool
	KubePlatform         bool
	KubeFlavor           string
	WalkHelper           *workerlet.Tasker
}

type ProbeEscalation ¶

type ProbeEscalation struct {
	ID       string
	Pid      int
	Name     string
	Path     string
	Cmds     []string
	RUid     int
	EUid     int
	RealUser string
	EffUser  string

	// parent info
	ParentPid  int
	ParentName string
	ParentPath string
	ParentCmds []string

	Msg string
}

type ProbeMessage ¶

type ProbeMessage struct {
	Type         int
	Count        int
	StartAt      time.Time
	Connections  []*dp.Connection
	ContainerIDs utils.Set
	Escalation   *ProbeEscalation
	Process      *ProbeProcess
}

type ProbeProcess ¶

type ProbeProcess struct {
	ID          string
	Name        string
	Path        string
	Cmds        []string
	Pid         int
	EUid        int
	EUser       string
	PPid        int
	PName       string
	PPath       string
	Connection  *osutil.Connection
	ConnIngress bool
	RuleID      string
	Group       string
	Msg         string
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
netlink

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL