process

package
v0.0.0-...-7961fa7 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 19, 2025 License: AGPL-3.0 Imports: 29 Imported by: 0

Documentation


Constants

const (
	QpointStrategyEnvVar = "QPOINT_STRATEGY"
	QpointTagsEnvVar     = "QPOINT_TAGS"
)

Variables

This section is empty.

Functions

func AllProcs

func AllProcs(path string) ([]int, error)

AllProcs returns a list of all currently available processes.

func CmdLine

func CmdLine(pid int) ([]string, error)

CmdLine returns the command line of a process.

func Environ

func Environ(pid int) ([]string, error)

Environ reads process environments from `/proc/<pid>/environ`.

func Executable

func Executable(pid int) (string, error)

Executable returns the absolute path to the executable of the process.

func IsKernelProcess

func IsKernelProcess(pid int) (bool, error)

IsKernelProcess returns true if the process is a kernel process.

Types

type Cgroup

type Cgroup struct {
	// HierarchyID that can be matched to a named hierarchy using /proc/cgroups. Cgroups V2 only has one
	// hierarchy, so HierarchyID is always 0. For cgroups v1 this is a unique ID number
	HierarchyID int
	// Controllers using this hierarchy of processes. Controllers are also known as subsystems. For
	// Cgroups V2 this may be empty, as all active controllers use the same hierarchy
	Controllers []string
	// Path of this control group, relative to the mount point of the cgroupfs representing this specific
	// hierarchy
	Path string
}

Cgroup models one line from /proc/[pid]/cgroup. Each Cgroup struct describes the placement of a PID inside a specific control hierarchy. The kernel has two cgroup APIs, v1 and v2. v1 has one hierarchy per available resource controller, while v2 has one unified hierarchy shared by all controllers. Regardless of v1 or v2, all hierarchies contain all running processes, so the question a Cgroup struct answers is "where is this process in this hierarchy", where "where" means the path on that hierarchy's cgroupfs. By prefixing this path with the mount point of *this specific* hierarchy, you can locate the pseudo-files needed to read or set the data for this PID in this hierarchy.

Also see http://man7.org/linux/man-pages/man7/cgroups.7.html

func Cgroups

func Cgroups(pid int) ([]Cgroup, error)

Cgroups reads from /proc/<pid>/cgroup and returns a []Cgroup slice locating this PID in each process control hierarchy running on this system. On every system (v1 and v2), all hierarchies contain all processes, so the length of the returned slice equals the number of active hierarchies on this system.
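The line format described for the Cgroup type and read by Cgroups, shown as an added example that is not this package's own code: it parses `hierarchy-ID:controller-list:cgroup-path` lines for both v1 and v2. The names `parseCgroups` and `cgroupDir`, the local `Cgroup` copy, and the sample lines are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strconv"
	"strings"
)

// Cgroup mirrors the fields documented above (local copy for this example).
type Cgroup struct {
	HierarchyID int
	Controllers []string
	Path        string
}

// Constructed samples: a cgroup v1 container process (made-up ID) and a v2 process.
const (
	sampleV1 = "12:cpu,cpuacct:/docker/0123abcd\n1:name=systemd:/docker/0123abcd\n"
	sampleV2 = "0::/system.slice/ssh.service\n"
)

// parseCgroups parses "hierarchy-ID:controller-list:cgroup-path" lines (cgroups(7)).
func parseCgroups(data string) ([]Cgroup, error) {
	var out []Cgroup
	for _, line := range strings.FieldsFunc(data, func(r rune) bool { return r == '\n' }) {
		// Split into at most 3 fields: the trailing path may itself contain ':'.
		f := strings.SplitN(line, ":", 3)
		id, err := strconv.Atoi(f[0])
		if len(f) != 3 || err != nil {
			return nil, fmt.Errorf("malformed cgroup line %q", line)
		}
		var ctrls []string
		if f[1] != "" { // empty on v2; strings.Split would return [""]
			ctrls = strings.Split(f[1], ",")
		}
		out = append(out, Cgroup{HierarchyID: id, Controllers: ctrls, Path: f[2]})
	}
	return out, nil
}

// cgroupDir joins the hierarchy's mount point (caller-supplied) with the cgroup path.
func cgroupDir(mount string, c Cgroup) string { return filepath.Join(mount, c.Path) }

func main() {
	cgs, err := parseCgroups(sampleV1 + sampleV2)
	fmt.Println(cgs, err)
}
```

When the resulting path is used to attribute a process to a container, compare it against the hierarchy the runtime actually manages, since on v1 each line can carry a different path.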

type Container

type Container struct {
	ID          string            `json:"container_id,omitempty"`
	Name        string            `json:"container_name,omitempty"`
	Labels      map[string]string `json:"container_labels,omitempty"`
	Image       string            `json:"container_image,omitempty"`
	ImageDigest string            `json:"container_imageDigest,omitempty"`
	RootFS      string            `json:"-"`
}

func (Container) ControlValues

func (c Container) ControlValues() map[string]any

func (Container) Fields

func (c Container) Fields() []zap.Field

type ContainerEnricher

type ContainerEnricher struct {
	DefaultObserver
	// contains filtered or unexported fields
}

func NewContainerEnricher

func NewContainerEnricher(containerManager *container.Manager) *ContainerEnricher

func (*ContainerEnricher) ProcessStarted

func (e *ContainerEnricher) ProcessStarted(ctx context.Context, p *Process) error

type DefaultObserver

type DefaultObserver struct{}

func (*DefaultObserver) ProcessReplaced

func (d *DefaultObserver) ProcessReplaced(ctx context.Context, proc *Process) error

func (*DefaultObserver) ProcessStarted

func (d *DefaultObserver) ProcessStarted(ctx context.Context, proc *Process) error

func (*DefaultObserver) ProcessStopped

func (d *DefaultObserver) ProcessStopped(ctx context.Context, proc *Process) error

type Eventer

type Eventer interface {
	Start(ctx context.Context) error
	Stop() error
	Register(Receiver)
	SetMeta(p *Process) error
}

Eventer is the interface for the process eventer

type ExeFilter

type ExeFilter struct {
	// contains filtered or unexported fields
}

func (*ExeFilter) Bitmask

func (f *ExeFilter) Bitmask() uint8

func (*ExeFilter) Evaluate

func (f *ExeFilter) Evaluate(p *Process) (bool, error)

func (*ExeFilter) String

func (f *ExeFilter) String() string

type ExeRegexFilter

type ExeRegexFilter struct {
	// contains filtered or unexported fields
}

func (*ExeRegexFilter) Bitmask

func (f *ExeRegexFilter) Bitmask() uint8

func (*ExeRegexFilter) Evaluate

func (f *ExeRegexFilter) Evaluate(p *Process) (bool, error)

func (*ExeRegexFilter) String

func (f *ExeRegexFilter) String() string

type Filter

type Filter interface {
	Evaluate(*Process) (bool, error)
	Bitmask() uint8
	String() string
}

func FromConfigFilter

func FromConfigFilter(filter *config.TapFilter) (Filter, error)

type Manager

type Manager struct {
	Logger *zap.Logger

	// observers
	Observers []Observer
	// contains filtered or unexported fields
}

func NewProcessManager

func NewProcessManager(logger *zap.Logger, procEventer Eventer) *Manager

func (*Manager) Await

func (m *Manager) Await(ctx context.Context, pid int) (*Process, error)

Await gets a process by pid. If it exists, it is returned immediately. Otherwise, it will wait for it to be discovered and then return it. The context can be used to set a timeout.

func (*Manager) Get

func (m *Manager) Get(pid int) *Process

func (*Manager) MaskEnvVars

func (m *Manager) MaskEnvVars(envVars []string)

func (*Manager) Observe

func (m *Manager) Observe(observer Observer)

func (*Manager) RegisterProcess

func (m *Manager) RegisterProcess(ctx context.Context, p *Process) error

func (*Manager) SetConfig

func (m *Manager) SetConfig(cfg *config.Config)

func (*Manager) SnapshotProcesses

func (m *Manager) SnapshotProcesses(fn func(pid int, p *Process) bool)

SnapshotProcesses takes a snapshot of all the current processes and calls the given function for each process. The function can return false to stop the iteration.

func (*Manager) Start

func (m *Manager) Start() error

func (*Manager) Stop

func (m *Manager) Stop() error

func (*Manager) UnregisterProcess

func (m *Manager) UnregisterProcess(ctx context.Context, pid, exitCode int) error

type Observer

type Observer interface {
	ProcessStarted(ctx context.Context, proc *Process) error
	ProcessReplaced(ctx context.Context, proc *Process) error
	ProcessStopped(ctx context.Context, proc *Process) error
}

type PIDFilter

type PIDFilter struct {
	PID int
	// contains filtered or unexported fields
}

func (*PIDFilter) Bitmask

func (f *PIDFilter) Bitmask() uint8

func (*PIDFilter) Evaluate

func (f *PIDFilter) Evaluate(p *Process) (bool, error)

func (*PIDFilter) String

func (f *PIDFilter) String() string

type Pod

type Pod struct {
	Name        string            `json:"pod_name,omitempty"`
	Namespace   string            `json:"pod_namespace,omitempty"`
	Labels      map[string]string `json:"pod_labels,omitempty"`
	Annotations map[string]string `json:"pod_annotations,omitempty"`
}

func (Pod) ControlValues

func (p Pod) ControlValues() map[string]any

func (Pod) Fields

func (p Pod) Fields() []zap.Field

type Process

type Process struct {
	Pid         int
	PidExe      string // PidExe is the path to the /proc process symlink
	PodID       string // TODO: remove
	Cgroup      string
	ContainerID string
	RootID      uint64
	Binary      string
	// Exe is the absolute path to the executable of the process.
	// If the process is running in a container, this path will be relative to the container's root filesystem.
	Exe            string
	ExeFilename    string // ExeFilename is the path to the file that was called by the syscall. It can be empty.
	Args           []string
	Root           string
	Env            map[string]string
	Strategy       QpointStrategy
	PredatesQpoint bool
	User           resolvable.V[*ProcessUser]
	UserShell      resolvable.V[bool]
	ExitCode       int

	// TLSProbeTypesDetected are the probes that have scanned the process binary and found matching hooks.
	TLSProbeTypesDetected []string

	Container resolvable.V[*Container]
	Pod       resolvable.V[*Pod]
	// contains filtered or unexported fields
}

func AllProcesses

func AllProcesses(ctx context.Context, logger *zap.Logger) ([]*Process, error)

func NewProcess

func NewProcess(pid int, exeFilename string, logger *zap.Logger) *Process

func (*Process) CacheKey

func (p *Process) CacheKey() string

func (*Process) Close

func (p *Process) Close() error

func (*Process) ClosedAt

func (p *Process) ClosedAt() *time.Time

func (*Process) ControlValues

func (p *Process) ControlValues() map[string]any

func (*Process) CreatedAt

func (p *Process) CreatedAt() time.Time

func (*Process) Discover

func (p *Process) Discover(ctx context.Context, mountPoint string, envMask *synq.Map[string, bool]) error

func (*Process) Exited

func (p *Process) Exited() bool

func (*Process) Filter

func (p *Process) Filter() uint8

func (*Process) FullCmd

func (p *Process) FullCmd() []string

func (*Process) Hostname

func (p *Process) Hostname() (string, error)

func (*Process) IsFiltered

func (p *Process) IsFiltered(flag ...config.FilterLevel) bool

func (*Process) Lock

func (p *Process) Lock()

func (*Process) RootFS

func (p *Process) RootFS() string

func (*Process) SetDetectedTLSProbeTypes

func (p *Process) SetDetectedTLSProbeTypes(types []string)

func (*Process) SetHostname

func (p *Process) SetHostname(hostname string)

func (*Process) SetNotifier

func (p *Process) SetNotifier(n func() error)

func (*Process) SetTlsOk

func (p *Process) SetTlsOk(tlsOk bool) error

func (*Process) SetUser

func (p *Process) SetUser(uid uint, user string)

func (*Process) Tags

func (p *Process) Tags() tags.List

func (*Process) TlsOk

func (p *Process) TlsOk() bool

func (*Process) Unlock

func (p *Process) Unlock()

type ProcessUser

type ProcessUser struct {
	UID      uint
	Username string
}

ProcessUser contains information about the user running a process

func GetProcessUser

func GetProcessUser(pid int) (*ProcessUser, error)

GetProcessUser retrieves user information for a given process ID using the /proc filesystem

type QpointStrategy

type QpointStrategy uint32

QpointStrategy represents the different qpoint strategies that can be used.

const (
	StrategyObserve QpointStrategy = iota
	StrategyIgnore
	StrategyAudit
	StrategyForward
	StrategyProxy
)

func QpointStrategyFromString

func QpointStrategyFromString(s string, p *Process) (QpointStrategy, error)

func (QpointStrategy) String

func (s QpointStrategy) String() string

type Receiver

type Receiver interface {
	RegisterProcess(ctx context.Context, p *Process) error
	UnregisterProcess(ctx context.Context, pid, exitCode int) error
}

Receiver is the interface for the process manager

type TlsProbeError

type TlsProbeError struct {
	ProbeName string
	Err       error
}

func (*TlsProbeError) Error

func (e *TlsProbeError) Error() string

func (*TlsProbeError) Unwrap

func (e *TlsProbeError) Unwrap() error

Directories

Path Synopsis
Package mocks is a generated GoMock package.
Package mocks is a generated GoMock package.
