// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.

//go:build unix

//go:generate go run github.com/DataDog/datadog-agent/pkg/security/secl/compiler/generators/accessors -tags unix -types-file model.go -output accessors_unix.go -field-handlers field_handlers_unix.go -doc ../../../../docs/cloud-workload-security/secl.json -field-accessors-output field_accessors_unix.go

// Package model holds model related files
//
// The types in this file make up the Unix event model that SECL rules are
// evaluated against. The `field:` struct tags are consumed by the accessors
// generator named in the go:generate directive above: `field:"-"` keeps a
// field out of the rule language, `handler:ResolveX` names the resolver that
// populates the field (declared in field_handlers_unix.go per the generator
// flags), and the trailing SECLDoc[...] comments are turned into the
// secl.json documentation. Tag contents and the SECLDoc comments are thus part
// of the public rule surface; change them with the generated outputs in mind.
// The meaning of the remaining tag options seen here (`weight:`, `opts:`,
// `check:`, `op_override:`) is defined by the generator, not by this file.
package model

import (
	"time"

	"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
)

// Event represents an event sent from the kernel
//
// Each per-event-type member below (Chmod, Open, Exec, ...) carries an
// `event:"<type>"` tag naming the event type whose rules may reference it;
// `event:"*"` marks a field usable from every event type. Presumably only
// the member matching the event's type is populated for a given Event —
// confirm against the unmarshallers.
// genaccessors
type Event struct {
	BaseEvent

	// globals
	Async bool `field:"event.async,handler:ResolveAsync" event:"*"` // SECLDoc[event.async] Definition:`True if the syscall was asynchronous`

	// context
	SpanContext    SpanContext    `field:"-"`                   // not exposed to rules
	NetworkContext NetworkContext `field:"network" event:"dns"` // exposed as `network`, for dns events only

	// fim events
	Chmod       ChmodEvent    `field:"chmod" event:"chmod"`             // [7.27] [File] A file’s permissions were changed
	Chown       ChownEvent    `field:"chown" event:"chown"`             // [7.27] [File] A file’s owner was changed
	Open        OpenEvent     `field:"open" event:"open"`               // [7.27] [File] A file was opened
	Mkdir       MkdirEvent    `field:"mkdir" event:"mkdir"`             // [7.27] [File] A directory was created
	Rmdir       RmdirEvent    `field:"rmdir" event:"rmdir"`             // [7.27] [File] A directory was removed
	Rename      RenameEvent   `field:"rename" event:"rename"`           // [7.27] [File] A file/directory was renamed
	Unlink      UnlinkEvent   `field:"unlink" event:"unlink"`           // [7.27] [File] A file was deleted
	Utimes      UtimesEvent   `field:"utimes" event:"utimes"`           // [7.27] [File] Change file access/modification times
	Link        LinkEvent     `field:"link" event:"link"`               // [7.27] [File] Create a new name/alias for a file
	SetXAttr    SetXAttrEvent `field:"setxattr" event:"setxattr"`       // [7.27] [File] Set extended attributes
	RemoveXAttr SetXAttrEvent `field:"removexattr" event:"removexattr"` // [7.27] [File] Remove extended attributes
	Splice      SpliceEvent   `field:"splice" event:"splice"`           // [7.36] [File] A splice command was executed
	Mount       MountEvent    `field:"mount" event:"mount"`             // [7.42] [File] [Experimental] A filesystem was mounted
	Chdir       ChdirEvent    `field:"chdir" event:"chdir"`             // [7.52] [File] [Experimental] A process changed the current directory

	// process events
	Exec     ExecEvent     `field:"exec" event:"exec"`     // [7.27] [Process] A process was executed or forked
	SetUID   SetuidEvent   `field:"setuid" event:"setuid"` // [7.27] [Process] A process changed its effective uid
	SetGID   SetgidEvent   `field:"setgid" event:"setgid"` // [7.27] [Process] A process changed its effective gid
	Capset   CapsetEvent   `field:"capset" event:"capset"` // [7.27] [Process] A process changed its capability set
	Signal   SignalEvent   `field:"signal" event:"signal"` // [7.35] [Process] A signal was sent
	Exit     ExitEvent     `field:"exit" event:"exit"`     // [7.38] [Process] A process was terminated
	Syscalls SyscallsEvent `field:"-"`                     // internal, see SyscallsEvent

	// anomaly detection related events
	AnomalyDetectionSyscallEvent AnomalyDetectionSyscallEvent `field:"-"`

	// kernel events
	SELinux      SELinuxEvent      `field:"selinux" event:"selinux"`             // [7.30] [Kernel] An SELinux operation was run
	BPF          BPFEvent          `field:"bpf" event:"bpf"`                     // [7.33] [Kernel] A BPF command was executed
	PTrace       PTraceEvent       `field:"ptrace" event:"ptrace"`               // [7.35] [Kernel] A ptrace command was executed
	MMap         MMapEvent         `field:"mmap" event:"mmap"`                   // [7.35] [Kernel] A mmap command was executed
	MProtect     MProtectEvent     `field:"mprotect" event:"mprotect"`           // [7.35] [Kernel] A mprotect command was executed
	LoadModule   LoadModuleEvent   `field:"load_module" event:"load_module"`     // [7.35] [Kernel] A new kernel module was loaded
	UnloadModule UnloadModuleEvent `field:"unload_module" event:"unload_module"` // [7.35] [Kernel] A kernel module was deleted

	// network events
	DNS  DNSEvent  `field:"dns" event:"dns"`   // [7.36] [Network] A DNS request was sent
	Bind BindEvent `field:"bind" event:"bind"` // [7.37] [Network] A bind was executed

	// internal usage
	// These members carry `field:"-"` and so are never visible to rules; they
	// exist for the probe's own bookkeeping (mount tracking, dentry cache
	// invalidation, args/envs delivery, network device discovery).
	Umount           UmountEvent           `field:"-"`
	InvalidateDentry InvalidateDentryEvent `field:"-"`
	ArgsEnvs         ArgsEnvsEvent         `field:"-"`
	MountReleased    MountReleasedEvent    `field:"-"`
	CgroupTracing    CgroupTracingEvent    `field:"-"`
	NetDevice        NetDeviceEvent        `field:"-"`
	VethPair         VethPairEvent         `field:"-"`
	UnshareMountNS   UnshareMountNSEvent   `field:"-"`
	// used for ebpfless
	NSID uint64 `field:"-"`
}

// SyscallEvent contains common fields for all the event
//
// Embedded by every event type that maps to a syscall so that rules can
// filter on the syscall's return value (for example to distinguish a denied
// attempt from a successful one).
type SyscallEvent struct {
	Retval int64 `field:"retval"` // SECLDoc[retval] Definition:`Return value of the syscall` Constants:`Error constants`
}

// ChmodEvent represents a chmod event
type ChmodEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`                                      // file whose mode is changed
	Mode uint32    `field:"file.destination.mode; file.destination.rights"` // SECLDoc[file.destination.mode] Definition:`New mode of the chmod-ed file` Constants:`File mode constants` SECLDoc[file.destination.rights] Definition:`New rights of the chmod-ed file` Constants:`File mode constants`
}

// ChownEvent represents a chown event
//
// UID/GID are the raw numeric ids from the kernel; User/Group are resolved
// through handlers and may therefore be empty when no name maps to the id.
type ChownEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`                                           // file whose ownership is changed
	UID   int64     `field:"file.destination.uid"`                           // SECLDoc[file.destination.uid] Definition:`New UID of the chown-ed file's owner`
	User  string    `field:"file.destination.user,handler:ResolveChownUID"`   // SECLDoc[file.destination.user] Definition:`New user of the chown-ed file's owner`
	GID   int64     `field:"file.destination.gid"`                           // SECLDoc[file.destination.gid] Definition:`New GID of the chown-ed file's owner`
	Group string    `field:"file.destination.group,handler:ResolveChownGID"` // SECLDoc[file.destination.group] Definition:`New group of the chown-ed file's owner`
}

// SetuidEvent represents a setuid event
//
// Real, effective and filesystem ids are reported separately; a privilege
// change is visible on whichever of UID/EUID/FSUID the syscall touched.
type SetuidEvent struct {
	UID    uint32 `field:"uid"`                                // SECLDoc[uid] Definition:`New UID of the process`
	User   string `field:"user,handler:ResolveSetuidUser"`     // SECLDoc[user] Definition:`New user of the process`
	EUID   uint32 `field:"euid"`                               // SECLDoc[euid] Definition:`New effective UID of the process`
	EUser  string `field:"euser,handler:ResolveSetuidEUser"`   // SECLDoc[euser] Definition:`New effective user of the process`
	FSUID  uint32 `field:"fsuid"`                              // SECLDoc[fsuid] Definition:`New FileSystem UID of the process`
	FSUser string `field:"fsuser,handler:ResolveSetuidFSUser"` // SECLDoc[fsuser] Definition:`New FileSystem user of the process`
}

// SetgidEvent represents a setgid event
//
// Mirrors SetuidEvent for the group ids.
type SetgidEvent struct {
	GID     uint32 `field:"gid"`                                 // SECLDoc[gid] Definition:`New GID of the process`
	Group   string `field:"group,handler:ResolveSetgidGroup"`     // SECLDoc[group] Definition:`New group of the process`
	EGID    uint32 `field:"egid"`                                // SECLDoc[egid] Definition:`New effective GID of the process`
	EGroup  string `field:"egroup,handler:ResolveSetgidEGroup"`   // SECLDoc[egroup] Definition:`New effective group of the process`
	FSGID   uint32 `field:"fsgid"`                               // SECLDoc[fsgid] Definition:`New FileSystem GID of the process`
	FSGroup string `field:"fsgroup,handler:ResolveSetgidFSGroup"` // SECLDoc[fsgroup] Definition:`New FileSystem group of the process`
}

// CapsetEvent represents a capset event
//
// Both sets are bitmasks of kernel capabilities (see the "Kernel Capability
// constants" referenced by the SECLDoc entries).
type CapsetEvent struct {
	CapEffective uint64 `field:"cap_effective"` // SECLDoc[cap_effective] Definition:`Effective capability set of the process` Constants:`Kernel Capability constants`
	CapPermitted uint64 `field:"cap_permitted"` // SECLDoc[cap_permitted] Definition:`Permitted capability set of the process` Constants:`Kernel Capability constants`
}

// Credentials represents the kernel credentials of a process
//
// Embedded in Process. Unlike SetuidEvent/SetgidEvent, the User/Group name
// fields here carry no handler and are expected to be filled by whoever
// builds the Process.
type Credentials struct {
	UID   uint32 `field:"uid"`   // SECLDoc[uid] Definition:`UID of the process`
	GID   uint32 `field:"gid"`   // SECLDoc[gid] Definition:`GID of the process`
	User  string `field:"user"`  // SECLDoc[user] Definition:`User of the process` Example:`process.user == "root"` Description:`Constrain an event to be triggered by a process running as the root user.`
	Group string `field:"group"` // SECLDoc[group] Definition:`Group of the process`

	EUID   uint32 `field:"euid"`   // SECLDoc[euid] Definition:`Effective UID of the process`
	EGID   uint32 `field:"egid"`   // SECLDoc[egid] Definition:`Effective GID of the process`
	EUser  string `field:"euser"`  // SECLDoc[euser] Definition:`Effective user of the process`
	EGroup string `field:"egroup"` // SECLDoc[egroup] Definition:`Effective group of the process`

	FSUID   uint32 `field:"fsuid"`   // SECLDoc[fsuid] Definition:`FileSystem-uid of the process`
	FSGID   uint32 `field:"fsgid"`   // SECLDoc[fsgid] Definition:`FileSystem-gid of the process`
	FSUser  string `field:"fsuser"`  // SECLDoc[fsuser] Definition:`FileSystem-user of the process`
	FSGroup string `field:"fsgroup"` // SECLDoc[fsgroup] Definition:`FileSystem-group of the process`

	CapEffective uint64 `field:"cap_effective"` // SECLDoc[cap_effective] Definition:`Effective capability set of the process` Constants:`Kernel Capability constants`
	CapPermitted uint64 `field:"cap_permitted"` // SECLDoc[cap_permitted] Definition:`Permitted capability set of the process` Constants:`Kernel Capability constants`
}

// LinuxBinprm contains content from the linux_binprm struct, which holds the arguments used for loading binaries
type LinuxBinprm struct {
	FileEvent FileEvent `field:"file"` // the interpreter binary (see Process.LinuxBinprm)
}

// Process represents a process
//
// Fields tagged `field:"-"` are probe-internal state (cache keys, cookies,
// lineage results) and are not reachable from rules.
type Process struct {
	PIDContext

	// executable of the process; the `check:IsNotKworker` option is handled by
	// the generator — presumably it gates resolution for kernel workers, which
	// have no file. Confirm in the accessors generator.
	FileEvent FileEvent `field:"file,check:IsNotKworker"`

	ContainerID string `field:"container.id"` // SECLDoc[container.id] Definition:`Container ID`

	SpanID  uint64 `field:"-"`
	TraceID uint64 `field:"-"`

	TTYName     string      `field:"tty_name"`                               // SECLDoc[tty_name] Definition:`Name of the TTY associated with the process`
	Comm        string      `field:"comm"`                                   // SECLDoc[comm] Definition:`Comm attribute of the process`
	LinuxBinprm LinuxBinprm `field:"interpreter,check:HasInterpreter"` // Script interpreter as identified by the shebang

	// pid_cache_t
	// Exposed through generated getters only (opts:getters_only), presumably
	// not as rule fields — confirm in the generator.
	ForkTime time.Time `field:"fork_time,opts:getters_only"`
	ExitTime time.Time `field:"exit_time,opts:getters_only"`
	ExecTime time.Time `field:"exec_time,opts:getters_only"`

	// TODO: merge with ExecTime
	CreatedAt uint64 `field:"created_at,handler:ResolveProcessCreatedAt"` // SECLDoc[created_at] Definition:`Timestamp of the creation of the process`

	Cookie uint64 `field:"-"`
	PPid   uint32 `field:"ppid"` // SECLDoc[ppid] Definition:`Parent process ID`

	// credentials_t section of pid_cache_t
	Credentials

	UserSession UserSessionContext `field:"user_session"` // SECLDoc[user_session] Definition:`User Session context of this process`

	// keys of the args/envs entries below
	ArgsID uint32 `field:"-"`
	EnvsID uint32 `field:"-"`

	ArgsEntry *ArgsEntry `field:"-"`
	EnvsEntry *EnvsEntry `field:"-"`

	// defined to generate accessors, ArgsTruncated and EnvsTruncated are used by the unmarshaller
	// The `weight:` values (100 on argv0/envs/envp, 500 on args/argv) are
	// presumably evaluation-cost hints for the rule compiler — confirm there.
	Argv0         string   `field:"argv0,handler:ResolveProcessArgv0,weight:100"`                                                                                                                                                                         // SECLDoc[argv0] Definition:`First argument of the process`
	Args          string   `field:"args,handler:ResolveProcessArgs,weight:500"`                                                                                                                                                                           // SECLDoc[args] Definition:`Arguments of the process (as a string, excluding argv0)` Example:`exec.args == "-sV -p 22,53,110,143,4564 198.116.0-255.1-127"` Description:`Matches any process with these exact arguments.` Example:`exec.args =~ "* -F * http*"` Description:`Matches any process that has the "-F" argument anywhere before an argument starting with "http".`
	Argv          []string `field:"argv,handler:ResolveProcessArgv,weight:500; cmdargv,handler:ResolveProcessCmdArgv,opts:getters_only; args_flags,handler:ResolveProcessArgsFlags,opts:helper; args_options,handler:ResolveProcessArgsOptions,opts:helper"` // SECLDoc[argv] Definition:`Arguments of the process (as an array, excluding argv0)` Example:`exec.argv in ["127.0.0.1"]` Description:`Matches any process that has this IP address as one of its arguments.` SECLDoc[args_flags] Definition:`Flags in the process arguments` Example:`exec.args_flags in ["s"] && exec.args_flags in ["V"]` Description:`Matches any process with both "-s" and "-V" flags in its arguments. Also matches "-sV".` SECLDoc[args_options] Definition:`Argument of the process as options` Example:`exec.args_options in ["p=0-1024"]` Description:`Matches any process that has either "-p 0-1024" or "--p=0-1024" in its arguments.`
	ArgsTruncated bool     `field:"args_truncated,handler:ResolveProcessArgsTruncated"`                                                                                                                                                                    // SECLDoc[args_truncated] Definition:`Indicator of arguments truncation`
	Envs          []string `field:"envs,handler:ResolveProcessEnvs,weight:100"`                                                                                                                                                                           // SECLDoc[envs] Definition:`Environment variable names of the process`
	Envp          []string `field:"envp,handler:ResolveProcessEnvp,weight:100"`                                                                                                                                                                           // SECLDoc[envp] Definition:`Environment variables of the process`
	EnvsTruncated bool     `field:"envs_truncated,handler:ResolveProcessEnvsTruncated"`                                                                                                                                                                    // SECLDoc[envs_truncated] Definition:`Indicator of environment variables truncation`

	// scrubbed counterparts of Args/Argv, getters only. The scrubbing is done
	// by the named handlers (presumably redacting sensitive values such as
	// credentials passed on the command line — confirm in the resolver);
	// consumers that serialize or log arguments should prefer these over the
	// raw fields above.
	ArgsScrubbed string   `field:"args_scrubbed,handler:ResolveProcessArgsScrubbed,opts:getters_only"`
	ArgvScrubbed []string `field:"argv_scrubbed,handler:ResolveProcessArgvScrubbed,opts:getters_only"`

	// symlink to the process binary
	SymlinkPathnameStr [MaxSymlinks]string `field:"-"`
	SymlinkBasenameStr string              `field:"-"`

	// cache version
	ScrubbedArgvResolved bool           `field:"-"` // set once ArgvScrubbed has been computed, presumably — confirm in the resolver
	Variables            eval.Variables `field:"-"` // per-process SECL variables

	IsThread        bool `field:"is_thread"` // SECLDoc[is_thread] Definition:`Indicates whether the process is considered a thread (that is, a child process that hasn't executed another program)`
	IsExecExec      bool `field:"-"`         // Indicates whether the process is an exec following another exec
	IsParentMissing bool `field:"-"`         // Indicates the direct parent is missing

	Source uint64 `field:"-"` // origin of this process entry; the encoding is defined elsewhere

	// lineage
	// hasValidLineage is a *bool so that "not yet checked" (nil) can be told
	// apart from an invalid lineage (false); lineageError presumably holds the
	// reason when the check fails — confirm in the lineage code.
	hasValidLineage *bool `field:"-"`
	lineageError    error `field:"-"`
}

// ExecEvent represents an exec event
type ExecEvent struct {
	*Process
}

// FileFields holds the information required to identify a file
//
// Everything here comes from the inode metadata; the path itself lives in
// FileEvent, which embeds FileFields.
type FileFields struct {
	UID   uint32 `field:"uid"`                                   // SECLDoc[uid] Definition:`UID of the file's owner`
	User  string `field:"user,handler:ResolveFileFieldsUser"`    // SECLDoc[user] Definition:`User of the file's owner`
	GID   uint32 `field:"gid"`                                   // SECLDoc[gid] Definition:`GID of the file's owner`
	Group string `field:"group,handler:ResolveFileFieldsGroup"`  // SECLDoc[group] Definition:`Group of the file's owner`
	Mode  uint16 `field:"mode;rights,handler:ResolveRights,opts:helper"` // SECLDoc[mode] Definition:`Mode of the file` Constants:`Inode mode constants` SECLDoc[rights] Definition:`Rights of the file` Constants:`File mode constants`
	CTime uint64 `field:"change_time"`                           // SECLDoc[change_time] Definition:`Change time (ctime) of the file`
	MTime uint64 `field:"modification_time"`                     // SECLDoc[modification_time] Definition:`Modification time (mtime) of the file`

	PathKey
	Device uint32 `field:"-"`

	InUpperLayer bool `field:"in_upper_layer,handler:ResolveFileFieldsInUpperLayer"` // SECLDoc[in_upper_layer] Definition:`Indicator of the file layer, for example, in an OverlayFS`

	NLink uint32 `field:"-"` // link count, internal
	Flags int32  `field:"-"` // internal
}

// FileEvent is the common file event type
//
// Path and basename are resolved from the dentry cache through their handlers
// rather than captured verbatim, so they can legitimately be empty; callers
// can consult PathResolutionError and the Is*Resolved flags to tell "no path"
// from "not resolved yet".
type FileEvent struct {
	FileFields

	// op_override presumably swaps in a custom comparison so that rules on the
	// path also match the process symlink variants kept in Process — confirm
	// in the generator.
	PathnameStr string `field:"path,handler:ResolveFilePath,opts:length" op_override:"ProcessSymlinkPathname"`    // SECLDoc[path] Definition:`File's path` Example:`exec.file.path == "/usr/bin/apt"` Description:`Matches the execution of the file located at /usr/bin/apt` Example:`open.file.path == "/etc/passwd"` Description:`Matches any process opening the /etc/passwd file.`
	BasenameStr string `field:"name,handler:ResolveFileBasename,opts:length" op_override:"ProcessSymlinkBasename"` // SECLDoc[name] Definition:`File's basename` Example:`exec.file.name == "apt"` Description:`Matches the execution of any file named apt.`
	Filesystem  string `field:"filesystem,handler:ResolveFileFilesystem"`                                          // SECLDoc[filesystem] Definition:`File's filesystem`

	PathResolutionError error `field:"-"` // error from the last path resolution, if any

	PkgName       string `field:"package.name,handler:ResolvePackageName"`                  // SECLDoc[package.name] Definition:`[Experimental] Name of the package that provided this file`
	PkgVersion    string `field:"package.version,handler:ResolvePackageVersion"`            // SECLDoc[package.version] Definition:`[Experimental] Full version of the package that provided this file`
	PkgSrcVersion string `field:"package.source_version,handler:ResolvePackageSourceVersion"` // SECLDoc[package.source_version] Definition:`[Experimental] Full version of the source package of the package that provided this file`

	// weight:999 is the highest weight in this file (the process args fields
	// use 100/500), presumably marking hash computation as the costliest
	// resolution for evaluation ordering; opts:skip_ad presumably excludes it
	// from activity dumps. Confirm both in the compiler.
	HashState HashState `field:"-"`
	Hashes    []string  `field:"hashes,handler:ResolveHashesFromEvent,opts:skip_ad,weight:999"` // SECLDoc[hashes] Definition:`[Experimental] List of cryptographic hashes computed for this file`

	// used to mark as already resolved, can be used in case of empty path
	IsPathnameStrResolved bool `field:"-"`
	IsBasenameStrResolved bool `field:"-"`
}

// InvalidateDentryEvent defines an invalidate dentry event
//
// Internal: identifies a dentry cache entry by inode and mount id.
type InvalidateDentryEvent struct {
	Inode   uint64
	MountID uint32
}

// MountReleasedEvent defines a mount released event
type MountReleasedEvent struct {
	MountID uint32
}

// LinkEvent represents a link event
type LinkEvent struct {
	SyscallEvent
	Source FileEvent `field:"file"`             // existing file
	Target FileEvent `field:"file.destination"` // new name being created
}

// MkdirEvent represents a mkdir event
type MkdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"`                                           // directory being created
	Mode uint32    `field:"file.destination.mode; file.destination.rights"` // SECLDoc[file.destination.mode] Definition:`Mode of the new directory` Constants:`File mode constants` SECLDoc[file.destination.rights] Definition:`Rights of the new directory` Constants:`File mode constants`
}

// ArgsEnvsEvent defines a args/envs event
type ArgsEnvsEvent struct {
	ArgsEnvs
}

// Mount represents a mountpoint (used by MountEvent and UnshareMountNSEvent)
//
// Only FSType is visible to rules; the path fields are resolved on the
// enclosing MountEvent.
type Mount struct {
	MountID        uint32  `field:"-"`
	Device         uint32  `field:"-"`
	ParentPathKey  PathKey `field:"-"`
	RootPathKey    PathKey `field:"-"`
	BindSrcMountID uint32  `field:"-"`       // source mount for bind mounts
	FSType         string  `field:"fs_type"` // SECLDoc[fs_type] Definition:`Type of the mounted file system`
	MountPointStr  string  `field:"-"`
	RootStr        string  `field:"-"`
	Path           string  `field:"-"`
}

// MountEvent represents a mount event
//
// Each resolved path has a matching *ResolutionError field so that a failed
// resolution is distinguishable from an empty path.
type MountEvent struct {
	SyscallEvent
	Mount
	MountPointPath                string `field:"mountpoint.path,handler:ResolveMountPointPath"` // SECLDoc[mountpoint.path] Definition:`Path of the mount point`
	MountSourcePath               string `field:"source.path,handler:ResolveMountSourcePath"`    // SECLDoc[source.path] Definition:`Source path of a bind mount`
	MountRootPath                 string `field:"root.path,handler:ResolveMountRootPath"`        // SECLDoc[root.path] Definition:`Root path of the mount`
	MountPointPathResolutionError error  `field:"-"`
	MountSourcePathResolutionError error `field:"-"`
	MountRootPathResolutionError  error  `field:"-"`
}

// UnshareMountNSEvent represents a mount cloned from a newly created mount namespace
type UnshareMountNSEvent struct {
	Mount
}

// ChdirEvent represents a chdir event
type ChdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"` // new working directory
}

// OpenEvent represents an open event
type OpenEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`                  // file being opened
	Flags uint32    `field:"flags"`                 // SECLDoc[flags] Definition:`Flags used when opening the file` Constants:`Open flags`
	Mode  uint32    `field:"file.destination.mode"` // SECLDoc[file.destination.mode] Definition:`Mode of the created file` Constants:`File mode constants`
}

// SELinuxEvent represents a selinux event
//
// EventKind selects which of the bool/enforce fields is meaningful; it is
// not itself exposed to rules.
type SELinuxEvent struct {
	File            FileEvent         `field:"-"`
	EventKind       SELinuxEventKind  `field:"-"`
	BoolName        string            `field:"bool.name,handler:ResolveSELinuxBoolName"` // SECLDoc[bool.name] Definition:`SELinux boolean name`
	BoolChangeValue string            `field:"bool.state"`                               // SECLDoc[bool.state] Definition:`SELinux boolean new value`
	BoolCommitValue bool              `field:"bool_commit.state"`                        // SECLDoc[bool_commit.state] Definition:`Indicator of a SELinux boolean commit operation`
	EnforceStatus   string            `field:"enforce.status"`                           // SECLDoc[enforce.status] Definition:`SELinux enforcement status (one of "enforcing", "permissive", "disabled")`
}

// PIDContext holds the process context of a kernel event
type PIDContext struct {
	Pid       uint32 `field:"pid"`        // SECLDoc[pid] Definition:`Process ID of the process (also called thread group ID)`
	Tid       uint32 `field:"tid"`        // SECLDoc[tid] Definition:`Thread ID of the thread`
	NetNS     uint32 `field:"-"`          // network namespace, internal
	IsKworker bool   `field:"is_kworker"` // SECLDoc[is_kworker] Definition:`Indicates whether the process is a kworker`
	ExecInode uint64 `field:"-"`          // used to track exec and event loss
}

// RenameEvent represents a rename event
type RenameEvent struct {
	SyscallEvent
	Old FileEvent `field:"file"`             // file before the rename
	New FileEvent `field:"file.destination"` // file after the rename
}

// RmdirEvent represents a rmdir event
type RmdirEvent struct {
	SyscallEvent
	File FileEvent `field:"file"` // directory being removed
}

// SetXAttrEvent represents an extended attributes event
//
// Shared by the setxattr and removexattr event types (see Event). Namespace
// and Name are derived from NameRaw by their handlers.
type SetXAttrEvent struct {
	SyscallEvent
	File      FileEvent `field:"file"`                                                    // file whose attribute is set/removed
	Namespace string    `field:"file.destination.namespace,handler:ResolveXAttrNamespace"` // SECLDoc[file.destination.namespace] Definition:`Namespace of the extended attribute`
	Name      string    `field:"file.destination.name,handler:ResolveXAttrName"`           // SECLDoc[file.destination.name] Definition:`Name of the extended attribute`

	NameRaw [200]byte `field:"-"` // fixed-size raw attribute name; longer names are presumably truncated — confirm in the unmarshaller
}

// UnlinkEvent represents an unlink event
type UnlinkEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"`  // file being deleted
	Flags uint32    `field:"flags"` // SECLDoc[flags] Definition:`Flags of the unlink syscall` Constants:`Unlink flags`
}

// UmountEvent represents an umount event
type UmountEvent struct {
	SyscallEvent
	MountID uint32
}

// UtimesEvent represents a utime event
type UtimesEvent struct {
	SyscallEvent
	File  FileEvent `field:"file"` // file whose timestamps change
	Atime time.Time `field:"-"`    // requested access time, internal
	Mtime time.Time `field:"-"`    // requested modification time, internal
}

// BPFEvent represents a BPF event
type BPFEvent struct {
	SyscallEvent

	Map     BPFMap     `field:"map"`  // eBPF map involved in the BPF command
	Program BPFProgram `field:"prog"` // eBPF program involved in the BPF command
	Cmd     uint32     `field:"cmd"`  // SECLDoc[cmd] Definition:`BPF command name` Constants:`BPF commands`
}

// BPFMap represents a BPF map
type BPFMap struct {
	ID   uint32 `field:"-"`    // ID of the eBPF map
	Type uint32 `field:"type"` // SECLDoc[type] Definition:`Type of the eBPF map` Constants:`BPF map types`
	Name string `field:"name"` // SECLDoc[name] Definition:`Name of the eBPF map (added in 7.35)`
}

// BPFProgram represents a BPF program
//
// Tag is the kernel-computed program hash, which is the stable identifier to
// match on when the name is user-controlled.
type BPFProgram struct {
	ID         uint32   `field:"-"`           // ID of the eBPF program
	Type       uint32   `field:"type"`        // SECLDoc[type] Definition:`Type of the eBPF program` Constants:`BPF program types`
	AttachType uint32   `field:"attach_type"` // SECLDoc[attach_type] Definition:`Attach type of the eBPF program` Constants:`BPF attach types`
	Helpers    []uint32 `field:"helpers"`     // SECLDoc[helpers] Definition:`eBPF helpers used by the eBPF program (added in 7.35)` Constants:`BPF helper functions`
	Name       string   `field:"name"`        // SECLDoc[name] Definition:`Name of the eBPF program (added in 7.35)`
	Tag        string   `field:"tag"`         // SECLDoc[tag] Definition:`Hash (sha1) of the eBPF program (added in 7.35)`
}

// PTraceEvent represents a ptrace event
type PTraceEvent struct {
	SyscallEvent

	Request uint32          `field:"request"` // SECLDoc[request] Definition:`ptrace request` Constants:`Ptrace constants`
	PID     uint32          `field:"-"`       // raw tracee pid, internal
	Address uint64          `field:"-"`       // raw address argument, internal
	Tracee  *ProcessContext `field:"tracee"`  // process context of the tracee
}

// MMapEvent represents a mmap event
type MMapEvent struct {
	SyscallEvent

	File       FileEvent `field:"file"`       // mapped file, if any
	Addr       uint64    `field:"-"`
	Offset     uint64    `field:"-"`
	Len        uint64    `field:"-"`
	Protection uint64    `field:"protection"` // SECLDoc[protection] Definition:`memory segment protection` Constants:`Protection constants`
	Flags      uint64    `field:"flags"`      // SECLDoc[flags] Definition:`memory segment flags` Constants:`MMap flags`
}

// MProtectEvent represents a mprotect event
//
// VMProtection is the protection before the call and ReqProtection the one
// requested, so a W→X transition is observable by comparing the two.
type MProtectEvent struct {
	SyscallEvent

	VMStart       uint64 `field:"-"`
	VMEnd         uint64 `field:"-"`
	VMProtection  int    `field:"vm_protection"`  // SECLDoc[vm_protection] Definition:`initial memory segment protection` Constants:`Virtual Memory flags`
	ReqProtection int    `field:"req_protection"` // SECLDoc[req_protection] Definition:`new memory segment protection` Constants:`Virtual Memory flags`
}

// LoadModuleEvent represents a load_module event
//
// When LoadedFromMemory is set there is no backing file to inspect, which is
// why the module name and parameters are carried separately.
type LoadModuleEvent struct {
	SyscallEvent

	File             FileEvent `field:"file"`                              // Path to the kernel module file
	LoadedFromMemory bool      `field:"loaded_from_memory"`                // SECLDoc[loaded_from_memory] Definition:`Indicates if the kernel module was loaded from memory`
	Name             string    `field:"name"`                              // SECLDoc[name] Definition:`Name of the new kernel module`
	Args             string    `field:"args,handler:ResolveModuleArgs"`    // SECLDoc[args] Definition:`Parameters (as a string) of the new kernel module`
	Argv             []string  `field:"argv,handler:ResolveModuleArgv"`    // SECLDoc[argv] Definition:`Parameters (as an array) of the new kernel module`
	ArgsTruncated    bool      `field:"args_truncated"`                    // SECLDoc[args_truncated] Definition:`Indicates if the arguments were truncated or not`
}

// UnloadModuleEvent represents an unload_module event
type UnloadModuleEvent struct {
	SyscallEvent

	Name string `field:"name"` // SECLDoc[name] Definition:`Name of the kernel module that was deleted`
}

// SignalEvent represents a signal event
type SignalEvent struct {
	SyscallEvent

	Type   uint32          `field:"type"`   // SECLDoc[type] Definition:`Signal type (ex: SIGHUP, SIGINT, SIGQUIT, etc)` Constants:`Signal constants`
	PID    uint32          `field:"pid"`    // SECLDoc[pid] Definition:`Target PID`
	Target *ProcessContext `field:"target"` // Target process context
}

// SpliceEvent represents a splice event
type SpliceEvent struct {
	SyscallEvent

	File          FileEvent `field:"file"`            // File modified by the splice syscall
	PipeEntryFlag uint32    `field:"pipe_entry_flag"` // SECLDoc[pipe_entry_flag] Definition:`Entry flag of the "fd_out" pipe passed to the splice syscall` Constants:`Pipe buffer flags`
	PipeExitFlag  uint32    `field:"pipe_exit_flag"`  // SECLDoc[pipe_exit_flag] Definition:`Exit flag of the "fd_out" pipe passed to the splice syscall` Constants:`Pipe buffer flags`
}

// CgroupTracingEvent is used to signal that a new cgroup should be traced by the activity dump manager
type CgroupTracingEvent struct {
	ContainerContext ContainerContext
	Config           ActivityDumpLoadConfig
	ConfigCookie     uint64 // identifies the Config instance, presumably for later lookup — confirm in the activity dump manager
}

// ActivityDumpLoadConfig represents the load configuration of an activity dump
//
// The *TimestampRaw fields are raw kernel timestamps; Timeout is the only
// field expressed as a Go duration.
type ActivityDumpLoadConfig struct {
	TracedEventTypes     []EventType
	Timeout              time.Duration
	WaitListTimestampRaw uint64
	StartTimestampRaw    uint64
	EndTimestampRaw      uint64
	Rate                 uint32 // max number of events per sec
	Paused               uint32 // non-zero presumably means tracing is paused — confirm in the activity dump manager
}

// NetworkDeviceContext represents the network device context of a network event
type NetworkDeviceContext struct {
	NetNS   uint32 `field:"-"`                                          // network namespace, internal
	IfIndex uint32 `field:"ifindex"`                                    // SECLDoc[ifindex] Definition:`interface ifindex`
	IfName  string `field:"ifname,handler:ResolveNetworkDeviceIfName"` // SECLDoc[ifname] Definition:`interface ifname`
}

// BindEvent represents a bind event
type BindEvent struct {
	SyscallEvent

	Addr       IPPortContext `field:"addr"`        // Bound address
	AddrFamily uint16        `field:"addr.family"` // SECLDoc[addr.family] Definition:`Address family`
}

// NetDevice represents a network device
//
// Peer* identify the other end of a veth pair (see VethPairEvent).
type NetDevice struct {
	Name        string
	NetNS       uint32
	IfIndex     uint32
	PeerNetNS   uint32
	PeerIfIndex uint32
}

// NetDeviceEvent represents a network device event
type NetDeviceEvent struct {
	SyscallEvent

	Device NetDevice
}

// VethPairEvent represents a veth pair event
type VethPairEvent struct {
	SyscallEvent

	HostDevice NetDevice
	PeerDevice NetDevice
}

// SyscallsEvent represents a syscalls event
type SyscallsEvent struct {
	Syscalls []Syscall // 64 * 8 = 512 > 450, bytes should be enough to hold all 450 syscalls
}

// AnomalyDetectionSyscallEvent represents an anomaly detection for a syscall event
type AnomalyDetectionSyscallEvent struct {
	SyscallID Syscall // the syscall flagged as anomalous
}

// PathKey identifies an entry in the dentry cache
//
// Inode numbers are only unique per mount, hence the MountID; PathID is an
// internal discriminator not exposed to rules.
type PathKey struct {
	Inode   uint64 `field:"inode"`    // SECLDoc[inode] Definition:`Inode of the file`
	MountID uint32 `field:"mount_id"` // SECLDoc[mount_id] Definition:`Mount ID of the file`
	PathID  uint32 `field:"-"`
}