github.com/inspektor-gadget/inspektor-gadget@v0.28.1/pkg/gadget-collection/gadgets/audit/seccomp/gadget.go (about)

     1  // Copyright 2019-2022 The Inspektor Gadget authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package auditseccomp
    16  
    17  import (
    18  	"fmt"
    19  
    20  	gadgetv1alpha1 "github.com/inspektor-gadget/inspektor-gadget/pkg/apis/gadget/v1alpha1"
    21  	"github.com/inspektor-gadget/inspektor-gadget/pkg/gadget-collection/gadgets"
    22  	auditseccomptracer "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/audit/seccomp/tracer"
    23  	types "github.com/inspektor-gadget/inspektor-gadget/pkg/gadgets/audit/seccomp/types"
    24  	eventtypes "github.com/inspektor-gadget/inspektor-gadget/pkg/types"
    25  )
    26  
type (
	// Trace is the per-trace state of the audit seccomp gadget. One value is
	// created by the factory for each trace name and driven through Start,
	// Stop and deleteTrace.
	Trace struct {
		// helpers is copied from the factory's Helpers field; Start uses it
		// to look up the tracer's mount namespace map and to publish events.
		helpers gadgets.GadgetHelpers
		// tracer is the tracer created by Start; it is closed and reset to
		// nil by Stop and deleteTrace.
		tracer *auditseccomptracer.Tracer

		// started records that Start succeeded and Stop has not run since.
		started bool
	}

	// TraceFactory is the gadgets.TraceFactory implementation returned by
	// NewFactory; the embedded BaseFactory supplies the shared bookkeeping
	// (Helpers, LookupOrCreate, DeleteTrace) used in this file.
	TraceFactory struct {
		gadgets.BaseFactory
	}
)
    37  
// NewFactory returns the trace factory of the audit seccomp gadget, with
// deleteTrace installed as the embedded BaseFactory's DeleteTrace hook.
func NewFactory() gadgets.TraceFactory {
	// Set the hook through the promoted field so the embedded BaseFactory is
	// initialised in place rather than built separately and copied in.
	factory := new(TraceFactory)
	factory.DeleteTrace = deleteTrace
	return factory
}
    43  
// Description returns the user-facing help text of the gadget: which seccomp
// filter outcomes produce an audit log entry and therefore an event.
//
// NOTE(review): the text names the filter flag and the allow action by their
// kernel names (SECCOMP_FILTER_FLAG_LOG, SECCOMP_RET_ALLOW) but the logging
// and kill actions by their libseccomp names (SCMP_ACT_LOG, SCMP_ACT_KILL*).
// A profile that matches neither condition produces no events here, so an
// empty stream does not by itself mean that no syscall was denied.
func (f *TraceFactory) Description() string {
	const description = `The Audit Seccomp gadget provides a stream of events with syscalls that had
their seccomp filters generating an audit log. An audit log can be generated in
one of those two conditions:

* The Seccomp profile has the flag SECCOMP_FILTER_FLAG_LOG (currently
  [unsupported by runc](https://github.com/opencontainers/runc/pull/3390)) and
  returns any action other than SECCOMP_RET_ALLOW.
* The Seccomp profile does not have the flag SECCOMP_FILTER_FLAG_LOG but
  returns SCMP_ACT_LOG or SCMP_ACT_KILL*.
`
	return description
}
    56  
// OutputModesSupported returns the set of output modes this gadget accepts.
// Only the stream mode is present: events are published one by one as they
// are observed.
func (f *TraceFactory) OutputModesSupported() map[gadgetv1alpha1.TraceOutputMode]struct{} {
	modes := make(map[gadgetv1alpha1.TraceOutputMode]struct{}, 1)
	modes[gadgetv1alpha1.TraceOutputModeStream] = struct{}{}
	return modes
}
    62  
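// deleteTrace is the DeleteTrace hook registered by NewFactory. It closes the
// tracer of a started trace so that nothing keeps running once the trace is
// deleted.
//
// name is the trace name and is not used here. t is expected to hold the
// *Trace created by the factory; a value of any other type, or a nil *Trace,
// has no tracer to release and is ignored instead of panicking in the
// cleanup path.
func deleteTrace(name string, t interface{}) {
	trace, ok := t.(*Trace)
	if !ok || trace == nil || !trace.started {
		return
	}

	if trace.tracer != nil {
		trace.tracer.Close()
		trace.tracer = nil
	}
	// Clear the flag together with the tracer, as Stop does. Leaving
	// started == true with a nil tracer would make a later Stop on the same
	// value call Close on a nil tracer, and a later Start would report the
	// trace as started without creating one.
	trace.started = false
}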
    70  
// Operations returns the operations that can be requested on a trace of this
// gadget: start and stop. Both resolve the trace by name through
// LookupOrCreate, so a stop request for an unknown name creates a fresh,
// not-started Trace and Stop then reports "Not started" on it.
func (f *TraceFactory) Operations() map[gadgetv1alpha1.Operation]gadgets.TraceOperation {
	// newTrace builds the per-name state the first time a name is seen.
	newTrace := func() interface{} {
		return &Trace{helpers: f.Helpers}
	}
	// lookup returns the Trace registered under name, creating it on demand.
	lookup := func(name string) *Trace {
		return f.LookupOrCreate(name, newTrace).(*Trace)
	}

	start := gadgets.TraceOperation{
		Doc: "Start audit seccomp",
		Operation: func(name string, trace *gadgetv1alpha1.Trace) {
			lookup(name).Start(trace)
		},
	}
	stop := gadgets.TraceOperation{
		Doc: "Stop audit seccomp",
		Operation: func(name string, trace *gadgetv1alpha1.Trace) {
			lookup(name).Stop(trace)
		},
	}

	ops := make(map[gadgetv1alpha1.Operation]gadgets.TraceOperation, 2)
	ops[gadgetv1alpha1.OperationStart] = start
	ops[gadgetv1alpha1.OperationStop] = stop
	return ops
}
    92  
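// Start creates the audit seccomp tracer for the given trace resource and
// marks the trace as started. Calling it on an already started trace only
// sets the state to started again.
//
// Failures are reported through trace.Status.OperationError; in that case
// neither t.tracer nor t.started is changed.
func (t *Trace) Start(trace *gadgetv1alpha1.Trace) {
	if t.started {
		trace.Status.State = gadgetv1alpha1.TraceStateStarted
		return
	}

	traceName := gadgets.TraceName(trace.ObjectMeta.Namespace, trace.ObjectMeta.Name)

	// Copy the node name now. The callback is handed to the tracer and runs
	// for every event after Start has returned, so it must not read through
	// the caller's *Trace resource, which the caller remains free to change.
	node := trace.Spec.Node
	eventCallback := func(event *types.Event) {
		event.K8s.Node = node
		t.helpers.PublishEvent(traceName, eventtypes.EventString(event))
	}

	// NOTE(review): the mount namespace map presumably limits reporting to
	// the containers selected by this trace; confirm in the tracer package.
	mountNsMap, err := t.helpers.TracerMountNsMap(traceName)
	if err != nil {
		trace.Status.OperationError = fmt.Sprintf("failed to find tracer's mount ns map: %s", err)
		return
	}

	config := &auditseccomptracer.Config{
		MountnsMap: mountNsMap,
	}
	// Keep the result in a local until the error is checked, so a failed
	// NewTracer cannot overwrite t.tracer.
	tracer, err := auditseccomptracer.NewTracer(config, t.helpers, eventCallback)
	if err != nil {
		trace.Status.OperationError = fmt.Sprintf("Failed to start audit seccomp tracer: %s", err)
		return
	}
	t.tracer = tracer
	t.started = true

	trace.Status.State = gadgetv1alpha1.TraceStateStarted
}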
   129  
// Stop closes the tracer of a started trace, clears the started flag and sets
// the trace state to stopped. On a trace that is not started it only records
// "Not started" in trace.Status.OperationError.
func (t *Trace) Stop(trace *gadgetv1alpha1.Trace) {
	if t.started {
		// Release the tracer before clearing the flag and reporting the
		// stopped state.
		t.tracer.Close()
		t.tracer = nil
		t.started = false

		trace.Status.State = gadgetv1alpha1.TraceStateStopped
		return
	}

	trace.Status.OperationError = "Not started"
}