// Unless explicitly stated otherwise all files in this repository are licensed
// under the Apache License Version 2.0.
// This product includes software developed at Datadog (https://www.datadoghq.com/).
// Copyright 2016-present Datadog, Inc.
//go:build linux
// Package probe holds probe related files
package probe
import (
"fmt"
"github.com/DataDog/datadog-agent/pkg/security/probe/constantfetch"
"github.com/DataDog/datadog-agent/pkg/security/secl/compiler/eval"
"github.com/DataDog/datadog-agent/pkg/security/secl/model"
)
// NewEBPFModel builds a model.Model whose ExtraValidateFieldFnc rejects the
// bpf.map.name and bpf.prog.name fields when the probe holds no usable
// constant offset for them.
//
// A field is rejected when its entry is missing from probe.constantOffsets or
// equals constantfetch.ErrorSentinel; the returned error reports the field as
// not available on this kernel version. Every other field is accepted, and the
// field value itself is never inspected.
//
// NOTE(review): failing at validation presumably surfaces the gap when a rule
// is loaded, instead of leaving a BPF-name rule that cannot be evaluated on
// this kernel. Confirm against the callers of ExtraValidateFieldFnc.
func NewEBPFModel(probe *EBPFProbe) *model.Model {
	validate := func(field eval.Field, _ eval.FieldValue) error {
		// Fields without an offset requirement stay usable.
		usable := true

		switch field {
		case "bpf.map.name":
			off, ok := probe.constantOffsets[constantfetch.OffsetNameBPFMapStructName]
			usable = ok && off != constantfetch.ErrorSentinel
		case "bpf.prog.name":
			off, ok := probe.constantOffsets[constantfetch.OffsetNameBPFProgAuxStructName]
			usable = ok && off != constantfetch.ErrorSentinel
		}

		if !usable {
			return fmt.Errorf("%s is not available on this kernel version", field)
		}
		return nil
	}

	return &model.Model{ExtraValidateFieldFnc: validate}
}
// NewEBPFEvent creates an event with model.NewFakeEvent and installs fh as its
// FieldHandlers before returning it.
func NewEBPFEvent(fh *EBPFFieldHandlers) *model.Event {
	ev := model.NewFakeEvent()
	// Attach the eBPF handlers to the freshly created event.
	ev.FieldHandlers = fh
	return ev
}