-
Notifications
You must be signed in to change notification settings - Fork 320
/
tetragon.proto
647 lines (589 loc) · 23.1 KB
/
tetragon.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Hubble
syntax = "proto3";
import "google/protobuf/timestamp.proto";
import "google/protobuf/wrappers.proto";
package tetragon;
import "tetragon/capabilities.proto";
message Image {
// Identifier of the container image composed of the registry path and the
// sha256.
string id = 1;
// Name of the container image composed of the registry path and the tag.
string name = 2;
}
message Container {
// Identifier of the container.
string id = 1;
// Name of the container.
string name = 2;
// Image of the container.
Image image = 3;
// Start time of the container.
google.protobuf.Timestamp start_time = 4;
// Process identifier in the container namespace.
google.protobuf.UInt32Value pid = 5;
// If this is set true, it means that the process might have been originated from
// a Kubernetes exec probe. For this field to be true, the following must be true:
// 1. The binary field matches the first element of the exec command list for either
// liveness or readiness probe excluding the basename. For example, "/bin/ls"
// and "ls" are considered a match.
// 2. The arguments field exactly matches the rest of the exec command list.
bool maybe_exec_probe = 13;
}
message Pod {
// Kubernetes namespace of the Pod.
string namespace = 1;
// Name of the Pod.
string name = 2;
// Container of the Pod from which the process that triggered the event
// originates.
Container container = 4;
// Contains all the labels of the pod.
map<string, string> pod_labels = 5;
// Kubernetes workload of the Pod.
string workload = 6;
// Kubernetes workload kind (e.g. "Deployment", "DaemonSet") of the Pod.
string workload_kind = 7;
}
message Capabilities {
// Permitted set indicates what capabilities the process can use. This is a
// limiting superset for the effective capabilities that the thread may
// assume. It is also a limiting superset for the capabilities that may be
// added to the inheritable set by a thread without the CAP_SETPCAP in its
// effective set.
repeated CapabilitiesType permitted = 1;
// Effective set indicates what capabilities are active in a process. This
// is the set used by the kernel to perform permission checks for the
// thread.
repeated CapabilitiesType effective = 2;
// Inheritable set indicates which capabilities will be inherited by the
// current process when running as a root user.
repeated CapabilitiesType inheritable = 3;
}
message Namespace {
// Inode number of the namespace.
uint32 inum = 1;
// Indicates if namespace belongs to host.
bool is_host = 2;
}
message Namespaces {
// Hostname and NIS domain name.
Namespace uts = 1;
// System V IPC, POSIX message queues.
Namespace ipc = 2;
// Mount points.
Namespace mnt = 3;
// Process IDs.
Namespace pid = 4;
// Process IDs for children processes.
Namespace pid_for_children = 5;
// Network devices, stacks, ports, etc.
Namespace net = 6;
// Boot and monotonic clocks.
Namespace time = 7;
// Boot and monotonic clocks for children processes.
Namespace time_for_children = 8;
// Cgroup root directory.
Namespace cgroup = 9;
// User and group IDs.
Namespace user = 10;
}
message UserNamespace {
// Nested level of the user namespace. Init or host user namespace is at level 0.
google.protobuf.Int32Value level = 1;
// The owner user ID of the namespace
google.protobuf.UInt32Value uid = 2;
// The owner group ID of the namepace.
google.protobuf.UInt32Value gid = 3;
// The user namespace details that include the inode number of the namespace.
Namespace ns = 4;
}
message ProcessCredentials {
// The real user ID
google.protobuf.UInt32Value uid = 1;
// The real group ID
google.protobuf.UInt32Value gid = 2;
// The effective user ID
google.protobuf.UInt32Value euid = 3;
// The effective group ID
google.protobuf.UInt32Value egid = 4;
// The saved user ID
google.protobuf.UInt32Value suid = 5;
// The saved group ID
google.protobuf.UInt32Value sgid = 6;
// the filesystem user ID
google.protobuf.UInt32Value fsuid = 7;
// The filesystem group ID
google.protobuf.UInt32Value fsgid = 8;
// Secure management flags
repeated SecureBitsType securebits = 9;
// Set of capabilities that define the permissions the process can execute with.
Capabilities caps = 10;
// User namespace where the UIDs, GIDs and capabilities are relative to.
UserNamespace user_ns = 11;
}
message InodeProperties {
// The inode number
uint64 number = 1;
// The inode links on the file system. If zero means the file is only in memory
google.protobuf.UInt32Value links = 2;
}
message FileProperties {
// Inode of the file
InodeProperties inode = 1;
// Path of the file
string path = 2;
}
message BinaryProperties {
// If set then this is the set user ID used for execution
google.protobuf.UInt32Value setuid = 1;
// If set then this is the set group ID used for execution
google.protobuf.UInt32Value setgid = 2;
// The reasons why this binary execution changed privileges. Usually this happens when the process executes
// a binary with the set-user-ID to root or file capability sets.
// The final granted privileges can be listed inside the `process_credentials` or capabilities fields part of of the `process` object.
repeated ProcessPrivilegesChanged privileges_changed = 3;
// File properties in case the executed binary is:
// 1. An anonymous shared memory file https://man7.org/linux/man-pages/man7/shm_overview.7.html.
// 2. An anonymous file obtained with memfd API https://man7.org/linux/man-pages/man2/memfd_create.2.html.
// 3. Or it was deleted from the file system.
FileProperties file = 4;
}
// User records
message UserRecord {
// The UNIX username for this record. Corresponds to `pw_name` field of [struct passwd](https://man7.org/linux/man-pages/man3/getpwnam.3.html)
// and the `sp_namp` field of [struct spwd](https://man7.org/linux/man-pages/man3/getspnam.3.html).
string name = 1;
}
message Process {
// Exec ID uniquely identifies the process over time across all the nodes in the cluster.
string exec_id = 1;
// Process identifier from host PID namespace.
google.protobuf.UInt32Value pid = 2;
// User identifier associated with the process.
google.protobuf.UInt32Value uid = 3;
// Current working directory of the process.
string cwd = 4;
// Absolute path of the executed binary.
string binary = 5;
// Arguments passed to the binary at execution.
string arguments = 6;
// Flags are for debugging purposes only and should not be considered a
// reliable source of information. They hold various information about
// which syscalls generated events, use of internal Tetragon buffers,
// errors and more.
// - `execve` This event is generated by an execve syscall for a new
// process. See procFs for the other option. A correctly formatted event
// should either set execve or procFS (described next).
// - `procFS` This event is generated from a proc interface. This happens
// at Tetragon init when existing processes are being loaded into Tetragon
// event buffer. All events should have either execve or procFS set.
// - `truncFilename` Indicates a truncated processes filename because the
// buffer size is too small to contain the process filename. Consider
// increasing buffer size to avoid this.
// - `truncArgs` Indicates truncated the processes arguments because the
// buffer size was too small to contain all exec args. Consider increasing
// buffer size to avoid this.
// - `taskWalk` Primarily useful for debugging. Indicates a walked process
// hierarchy to find a parent process in the Tetragon buffer. This may
// happen when we did not receive an exec event for the immediate parent of
// a process. Typically means we are looking at a fork that in turn did
// another fork we don't currently track fork events exactly and instead
// push an event with the original parent exec data. This flag can provide
// this insight into the event if needed.
// - `miss` An error flag indicating we could not find parent info in the
// Tetragon event buffer. If this is set it should be reported to Tetragon
// developers for debugging. Tetragon will do its best to recover
// information about the process from available kernel data structures
// instead of using cached info in this case. However, args will not be
// available.
// - `needsAUID` An internal flag for Tetragon to indicate the audit has
// not yet been resolved. The BPF hooks look at this flag to determine if
// probing the audit system is necessary.
// - `errorFilename` An error flag indicating an error happened while
// reading the filename. If this is set it should be reported to Tetragon
// developers for debugging.
// - `errorArgs` An error flag indicating an error happened while reading
// the process args. If this is set it should be reported to Tetragon
// developers for debugging
// - `needsCWD` An internal flag for Tetragon to indicate the current
// working directory has not yet been resolved. The Tetragon hooks look at
// this flag to determine if probing the CWD is necessary.
// - `noCWDSupport` Indicates that CWD is removed from the event because
// the buffer size is too small. Consider increasing buffer size to avoid
// this.
// - `rootCWD` Indicates that CWD is the root directory. This is necessary
// to inform readers the CWD is not in the event buffer and is '/' instead.
// - `errorCWD` An error flag indicating an error occurred while reading
// the CWD of a process. If this is set it should be reported to Tetragon
// developers for debugging.
// - `clone` Indicates the process issued a clone before exec*. This is the
// general flow to exec* a new process, however its possible to replace the
// current process with a new process by doing an exec* without a clone. In
// this case the flag will be omitted and the same PID will be used by the
// kernel for both the old process and the newly exec'd process.
string flags = 7;
// Start time of the execution.
google.protobuf.Timestamp start_time = 8;
// Audit user ID, this ID is assigned to a user upon login and is inherited
// by every process even when the user's identity changes. For example, by
// switching user accounts with su - john.
google.protobuf.UInt32Value auid = 9;
// Information about the the Kubernetes Pod where the event originated.
Pod pod = 10;
// The 15 first digits of the container ID.
string docker = 11;
// Exec ID of the parent process.
string parent_exec_id = 12;
// Reference counter from the Tetragon process cache.
uint32 refcnt = 13;
// Set of capabilities that define the permissions the process can execute with.
Capabilities cap = 14;
// Linux namespaces of the process, disabled by default, can be enabled by
// the `--enable-process-ns` flag.
Namespaces ns = 15;
// Thread ID, note that for the thread group leader, tid is equal to pid.
google.protobuf.UInt32Value tid = 16;
// Process credentials
ProcessCredentials process_credentials = 17;
// Executed binary properties. This field is only available on ProcessExec events.
BinaryProperties binary_properties = 18;
// UserRecord contains user information about the event.
//
// UserRecord is only supported when i) Tetragon is running as a systemd service or directly on the host, and
// ii) when `--username-metadata` is set to "unix". In this case, the information is retrieved from
// the traditional user database `/etc/passwd` and no name services lookups are performed.
// The resolution will only be attempted for processes in the host namespace.
// Note that this resolution happens in user-space, which means that mapping might have changed
// between the in-kernel BPF hook being executed and the username resolution.
UserRecord user = 19;
}
message ProcessExec {
// Process that triggered the exec.
Process process = 1;
// Immediate parent of the process.
Process parent = 2;
// Ancestors of the process beyond the immediate parent.
repeated Process ancestors = 3;
}
message ProcessExit {
// Process that triggered the exit.
Process process = 1;
// Immediate parent of the process.
Process parent = 2;
// Signal that the process received when it exited, for example SIGKILL or
// SIGTERM (list all signal names with `kill -l`). If there is no signal
// handler implemented for a specific process, we report the exit status
// code that can be found in the status field.
string signal = 3;
// Status code on process exit. For example, the status code can indicate
// if an error was encountered or the program exited successfully.
uint32 status = 4;
// Date and time of the event.
google.protobuf.Timestamp time = 5;
}
message KprobeSock {
string family = 1;
string type = 2;
string protocol = 3;
uint32 mark = 4;
uint32 priority = 5;
string saddr = 6;
string daddr = 7;
uint32 sport = 8;
uint32 dport = 9;
uint64 cookie = 10;
string state = 11;
}
message KprobeSkb {
uint32 hash = 1;
uint32 len = 2;
uint32 priority = 3;
uint32 mark = 4;
string saddr = 5;
string daddr = 6;
uint32 sport = 7;
uint32 dport = 8;
uint32 proto = 9;
uint32 sec_path_len = 10;
uint32 sec_path_olen = 11;
string protocol = 12;
string family = 13;
}
message KprobeNetDev {
string name = 1;
}
message KprobePath {
string mount = 1;
string path = 2;
string flags = 3;
string permission = 4;
}
message KprobeFile {
string mount = 1;
string path = 2;
string flags = 3;
string permission = 4;
}
message KprobeTruncatedBytes {
bytes bytes_arg = 1;
uint64 orig_size = 2;
}
message KprobeCred {
repeated CapabilitiesType permitted = 1;
repeated CapabilitiesType effective = 2;
repeated CapabilitiesType inheritable = 3;
}
message KprobeLinuxBinprm {
string path = 1;
string flags = 2;
string permission = 3;
}
message KprobeCapability {
google.protobuf.Int32Value value = 1;
string name = 2;
}
message KprobeUserNamespace {
google.protobuf.Int32Value level = 1;
google.protobuf.UInt32Value owner = 2;
google.protobuf.UInt32Value group = 3;
Namespace ns = 4;
}
message KprobeBpfAttr {
string ProgType = 1;
uint32 InsnCnt = 2;
string ProgName = 3;
}
message KprobePerfEvent {
string KprobeFunc = 1;
string Type = 2;
uint64 Config = 3;
uint64 ProbeOffset = 4;
}
message KprobeBpfMap {
string MapType = 1;
uint32 KeySize = 2;
uint32 ValueSize = 3;
uint32 MaxEntries = 4;
string MapName = 5;
}
message KprobeArgument {
oneof arg {
string string_arg = 1;
int32 int_arg = 2;
KprobeSkb skb_arg = 3;
uint64 size_arg = 4;
bytes bytes_arg = 5;
KprobePath path_arg = 6;
KprobeFile file_arg = 7;
KprobeTruncatedBytes truncated_bytes_arg = 8;
KprobeSock sock_arg = 9;
KprobeCred cred_arg = 10;
int64 long_arg = 11;
KprobeBpfAttr bpf_attr_arg = 12;
KprobePerfEvent perf_event_arg = 13;
KprobeBpfMap bpf_map_arg = 14;
uint32 uint_arg = 15;
KprobeUserNamespace user_namespace_arg = 16 [deprecated = true];
KprobeCapability capability_arg = 17;
ProcessCredentials process_credentials_arg = 19;
UserNamespace user_ns_arg = 20;
KernelModule module_arg = 21;
string kernel_cap_t_arg = 22; // Capabilities in hexadecimal format.
string cap_inheritable_arg = 23; // Capabilities inherited by a forked process in hexadecimal format.
string cap_permitted_arg = 24; // Capabilities that are currently permitted in hexadecimal format.
string cap_effective_arg = 25; // Capabilities that are actually used in hexadecimal format.
KprobeLinuxBinprm linux_binprm_arg = 26;
KprobeNetDev net_dev_arg = 27;
}
string label = 18;
}
enum KprobeAction {
// Unknown action
KPROBE_ACTION_UNKNOWN = 0;
// Post action creates an event (default action).
KPROBE_ACTION_POST = 1;
// Post action creates a mapping between file descriptors and file names.
KPROBE_ACTION_FOLLOWFD = 2;
// Sigkill action synchronously terminates the process.
KPROBE_ACTION_SIGKILL = 3;
// Post action removes a mapping between file descriptors and file names.
KPROBE_ACTION_UNFOLLOWFD = 4;
// Override action modifies the return value of the call.
KPROBE_ACTION_OVERRIDE = 5;
// Post action dupplicates a mapping between file descriptors and file
// names.
KPROBE_ACTION_COPYFD = 6;
// GetURL action issue an HTTP Get request against an URL from userspace.
KPROBE_ACTION_GETURL = 7;
// GetURL action issue a DNS lookup against an URL from userspace.
KPROBE_ACTION_DNSLOOKUP = 8;
// NoPost action suppresses the transmission of the event to userspace.
KPROBE_ACTION_NOPOST = 9;
// Signal action sends specified signal to the process.
KPROBE_ACTION_SIGNAL = 10;
// TrackSock action tracks socket.
KPROBE_ACTION_TRACKSOCK = 11;
// UntrackSock action un-tracks socket.
KPROBE_ACTION_UNTRACKSOCK = 12;
// NotifyEnforcer action notifies killer sensor.
KPROBE_ACTION_NOTIFYENFORCER = 13;
}
message ProcessKprobe {
// Process that triggered the kprobe.
Process process = 1;
// Immediate parent of the process.
Process parent = 2;
// Symbol on which the kprobe was attached.
string function_name = 3;
// Arguments definition of the observed kprobe.
repeated KprobeArgument args = 4;
// Return value definition of the observed kprobe.
KprobeArgument return = 5;
// Action performed when the kprobe matched.
KprobeAction action = 6;
// Kernel stack trace to the call.
repeated StackTraceEntry kernel_stack_trace = 7;
// Name of the Tracing Policy that created that kprobe.
string policy_name = 8;
// Action performed when the return kprobe executed.
KprobeAction return_action = 9;
// Short message of the Tracing Policy to inform users what is going on.
string message = 10;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 11;
// User-mode stack trace to the call.
repeated StackTraceEntry user_stack_trace = 12;
}
message ProcessTracepoint {
// Process that triggered the tracepoint.
Process process = 1;
// Immediate parent of the process.
Process parent = 2;
// Subsystem of the tracepoint.
string subsys = 4;
// Event of the subsystem.
string event = 5;
// Arguments definition of the observed tracepoint.
// TODO: once we implement all we want, rename KprobeArgument to GenericArgument
repeated KprobeArgument args = 6;
// Name of the policy that created that tracepoint.
string policy_name = 7;
// Action performed when the tracepoint matched.
KprobeAction action = 8;
// Short message of the Tracing Policy to inform users what is going on.
string message = 9;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 10;
}
message ProcessUprobe {
Process process = 1;
Process parent = 2;
string path = 3;
string symbol = 4;
// Name of the policy that created that uprobe.
string policy_name = 5;
// Short message of the Tracing Policy to inform users what is going on.
string message = 6;
// Arguments definition of the observed uprobe.
repeated KprobeArgument args = 7;
// Tags of the Tracing Policy to categorize the event.
repeated string tags = 8;
}
message KernelModule {
// Kernel module name
string name = 1;
// If true the module signature was verified successfully. Depends on kernels compiled with
// CONFIG_MODULE_SIG option, for details please read: https://www.kernel.org/doc/Documentation/admin-guide/module-signing.rst
google.protobuf.BoolValue signature_ok = 2;
// The module tainted flags that will be applied on the kernel. For further details please read: https://docs.kernel.org/admin-guide/tainted-kernels.html
repeated TaintedBitsType tainted = 3;
}
message Test {
uint64 arg0 = 1;
uint64 arg1 = 2;
uint64 arg2 = 3;
uint64 arg3 = 4;
}
enum HealthStatusType {
HEALTH_STATUS_TYPE_UNDEF = 0;
HEALTH_STATUS_TYPE_STATUS = 1;
}
enum HealthStatusResult {
HEALTH_STATUS_UNDEF = 0;
HEALTH_STATUS_RUNNING = 1;
HEALTH_STATUS_STOPPED = 2;
HEALTH_STATUS_ERROR = 3;
}
message GetHealthStatusRequest {
repeated HealthStatusType event_set = 1;
}
// Tainted bits to indicate if the kernel was tainted. For further details: https://docs.kernel.org/admin-guide/tainted-kernels.html
enum TaintedBitsType {
TAINT_UNSET = 0;
/* A proprietary module was loaded. */
TAINT_PROPRIETARY_MODULE = 1;
/* A module was force loaded. */
TAINT_FORCED_MODULE = 2;
/* A module was force unloaded. */
TAINT_FORCED_UNLOAD_MODULE = 4;
/* A staging driver was loaded. */
TAINT_STAGED_MODULE = 1024;
/* An out of tree module was loaded. */
TAINT_OUT_OF_TREE_MODULE = 4096;
/* An unsigned module was loaded. Supported only on kernels built with CONFIG_MODULE_SIG option. */
TAINT_UNSIGNED_MODULE = 8192;
/* The kernel has been live patched. */
TAINT_KERNEL_LIVE_PATCH_MODULE = 32768;
/* Loading a test module. */
TAINT_TEST_MODULE = 262144;
}
message HealthStatus {
HealthStatusType event = 1;
HealthStatusResult status = 2;
string details = 3;
}
message GetHealthStatusResponse {
repeated HealthStatus health_status = 1;
}
// loader sensor event triggered for loaded binary/library
message ProcessLoader {
Process process = 1;
string path = 2;
bytes buildid = 3;
}
// RuntimeHookRequest synchronously propagates information to the agent about run-time state.
message RuntimeHookRequest {
oneof event {
CreateContainer createContainer = 1;
}
}
message RuntimeHookResponse {}
// CreateContainer informs the agent that a container was created
// This is intented to be used by OCI hooks (but not limited to them) and corresponds to the
// CreateContainer hook:
// https://github.com/opencontainers/runtime-spec/blob/main/config.md#createcontainer-hooks.
message CreateContainer {
// cgroupsPath is the cgroups path for the container. The path is expected to be relative to the
// cgroups mountpoint. See: https://github.com/opencontainers/runtime-spec/blob/58ec43f9fc39e0db229b653ae98295bfde74aeab/specs-go/config.go#L174
string cgroupsPath = 1;
// rootDir is the absolute path of the root directory of the container.
// See: https://github.com/opencontainers/runtime-spec/blob/main/specs-go/config.go#L174
string rootDir = 2;
// annotations are the run-time annotations for the container
// see https://github.com/opencontainers/runtime-spec/blob/main/config.md#annotations
map<string, string> annotations = 3;
// containerName is the name of the container
string containerName = 4;
}
message StackTraceEntry {
// linear address of the function in kernel or user space.
uint64 address = 1;
// offset is the offset into the native instructions for the function.
uint64 offset = 2;
// symbol is the symbol name of the function.
string symbol = 3;
// module path for user space addresses.
string module = 4;
}