feature(controller): create processes lifecycle functions
- Create 3 signal events: 1. SignalSchedProcessFork 2. SignalSchedProcessExec 3. SignalSchedProcessExit - Create the eBPF programs for the signal events (based on regular ones) - Create the controller processing functions (parsing) for the events - Organize controller functions in their own files: - containers.go (for the containers lifecycle functions) - processes.go (for the processes lifecycle functions)
1 parent
61ffd96
commit a7cf5c4
Showing
11 changed files
with
661 additions
and
85 deletions.
@@ -0,0 +1,76 @@ | ||
package controlplane | ||
|
||
import ( | ||
"github.com/aquasecurity/tracee/pkg/capabilities" | ||
"github.com/aquasecurity/tracee/pkg/errfmt" | ||
"github.com/aquasecurity/tracee/pkg/events/parse" | ||
"github.com/aquasecurity/tracee/pkg/logger" | ||
"github.com/aquasecurity/tracee/types/trace" | ||
) | ||
|
||
// | ||
// Containers Lifecycle | ||
// | ||
|
||
// processCgroupMkdir handles the cgroup_mkdir signal. | ||
func (p *Controller) processCgroupMkdir(args []trace.Argument) error { | ||
cgroupId, err := parse.ArgVal[uint64](args, "cgroup_id") | ||
if err != nil { | ||
return errfmt.Errorf("error parsing cgroup_mkdir signal args: %v", err) | ||
} | ||
path, err := parse.ArgVal[string](args, "cgroup_path") | ||
if err != nil { | ||
return errfmt.Errorf("error parsing cgroup_mkdir signal args: %v", err) | ||
} | ||
hId, err := parse.ArgVal[uint32](args, "hierarchy_id") | ||
if err != nil { | ||
return errfmt.Errorf("error parsing cgroup_mkdir signal args: %v", err) | ||
} | ||
info, err := p.cgroupManager.CgroupMkdir(cgroupId, path, hId) | ||
if err != nil { | ||
return errfmt.WrapError(err) | ||
} | ||
if info.Container.ContainerId == "" && !info.Dead { | ||
// If cgroupId is from a regular cgroup directory, and not the container base directory | ||
// (from known runtimes), it should be removed from the containers bpf map. | ||
err := capabilities.GetInstance().EBPF( | ||
func() error { | ||
return p.cgroupManager.RemoveFromBPFMap(p.bpfModule, cgroupId, hId) | ||
}, | ||
) | ||
if err != nil { | ||
// If the cgroupId was not found in bpf map, this could mean that it is not a container | ||
// cgroup and, as a systemd cgroup, could have been created and removed very quickly. In | ||
// this case, we don't want to return an error. | ||
logger.Debugw("Failed to remove entry from containers bpf map", "error", err) | ||
} | ||
return errfmt.WrapError(err) | ||
} | ||
|
||
if p.enrichEnabled { | ||
// If cgroupId belongs to a container, enrich now (in a goroutine) | ||
go func() { | ||
_, err := p.cgroupManager.EnrichCgroupInfo(cgroupId) | ||
if err != nil { | ||
logger.Errorw("error triggering container enrich in control plane", "error", err) | ||
} | ||
}() | ||
} | ||
|
||
return nil | ||
} | ||
|
||
// processCgroupRmdir handles the cgroup_rmdir signal. | ||
func (p *Controller) processCgroupRmdir(args []trace.Argument) error { | ||
cgroupId, err := parse.ArgVal[uint64](args, "cgroup_id") | ||
if err != nil { | ||
return errfmt.Errorf("error parsing cgroup_rmdir args: %v", err) | ||
} | ||
|
||
hId, err := parse.ArgVal[uint32](args, "hierarchy_id") | ||
if err != nil { | ||
return errfmt.Errorf("error parsing cgroup_rmdir args: %v", err) | ||
} | ||
p.cgroupManager.CgroupRemove(cgroupId, hId) | ||
return nil | ||
} |
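Review bot: In processCgroupMkdir the non-container branch ends with `return errfmt.WrapError(err)` directly after the debug log, so a failed RemoveFromBPFMap is still surfaced as an error even though the comment two lines above says that case should not return one (assuming errfmt.WrapError yields nil only for a nil err). Since the failure is already logged and the branch is deliberately best-effort, change that line to `return nil`. The shadowing `err := capabilities.GetInstance().EBPF(...)` inside the if block is what makes this easy to miss; assigning with `err = ...` or naming it `rmErr` would make the intent visible. The enrichment goroutine further down has no bound or cancellation; if that is intentional for the control plane, a one-line comment saying so would save the next reader the question.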