pkg/proctree: add process tree to events pipeline
Create a process tree that feeds on tracee's events.
Register the process tree into the events pipeline.
AlonZivony committed May 4, 2023
1 parent 2a41c60 commit fdfd3df
Showing 16 changed files with 2,072 additions and 0 deletions.
3 changes: 3 additions & 0 deletions go.mod
Expand Up @@ -5,6 +5,7 @@ go 1.19
require (
github.com/IBM/fluent-forward-go v0.2.1
github.com/Masterminds/sprig/v3 v3.2.2
github.com/RoaringBitmap/roaring v1.2.3
github.com/aquasecurity/libbpfgo v0.4.6-libbpf-1.1.0
github.com/aquasecurity/libbpfgo/helpers v0.4.6-0.20230321190037-f591a2c5734f
github.com/aquasecurity/tracee/types v0.0.0-20230420201357-51135cc9bc89
Expand Down Expand Up @@ -35,6 +36,7 @@ require (
github.com/AdaLogics/go-fuzz-headers v0.0.0-20230106234847-43070de90fa1 // indirect
github.com/AdamKorcz/go-118-fuzz-build v0.0.0-20221215162035-5330a85ea652 // indirect
github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 // indirect
github.com/bits-and-blooms/bitset v1.2.0 // indirect
github.com/containerd/typeurl/v2 v2.1.0 // indirect
github.com/cyphar/filepath-securejoin v0.2.3 // indirect
github.com/emicklei/go-restful/v3 v3.10.1 // indirect
Expand All @@ -53,6 +55,7 @@ require (
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mitchellh/go-ps v1.0.0 // indirect
github.com/moby/sys/sequential v0.5.0 // indirect
github.com/mschoch/smat v0.2.0 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/philhofer/fwd v1.1.1 // indirect
github.com/pyroscope-io/dotnetdiag v1.2.1 // indirect
6 changes: 6 additions & 0 deletions go.sum
Expand Up @@ -54,6 +54,8 @@ github.com/Microsoft/hcsshim v0.10.0-rc.7/go.mod h1:ILuwjA+kNW+MrN/w5un7n3mTqkws
github.com/OneOfOne/xxhash v1.2.2/go.mod h1:HSdplMjZKSmBqAxg5vPj2TmRDmfkzw+cTzAElWljhcU=
github.com/OneOfOne/xxhash v1.2.8 h1:31czK/TI9sNkxIKfaUfGlU47BAxQ0ztGgd9vPyqimf8=
github.com/OneOfOne/xxhash v1.2.8/go.mod h1:eZbhyaAYD41SGSSsnmcpxVoRiQ/MPUTjUdIIOT9Um7Q=
github.com/RoaringBitmap/roaring v1.2.3 h1:yqreLINqIrX22ErkKI0vY47/ivtJr6n+kMhVOVmhWBY=
github.com/RoaringBitmap/roaring v1.2.3/go.mod h1:plvDsJQpxOC5bw8LRteu/MLWHsHez/3y6cubLI4/1yE=
github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46 h1:5sXbqlSomvdjlRbWyNqkPsJ3Fg+tQZCbgeX1VGljbQY=
github.com/StackExchange/wmi v0.0.0-20210224194228-fe8f1750fd46/go.mod h1:3eOhrUMpNV+6aFIbp5/iudMxNCF27Vw2OZgy4xEx0Fg=
github.com/agnivade/levenshtein v1.1.1 h1:QY8M92nrzkmr798gCo3kmMyqXFzdQVpxLlGPRBij0P8=
Expand All @@ -79,6 +81,8 @@ github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
github.com/bits-and-blooms/bitset v1.2.0 h1:Kn4yilvwNtMACtf1eYDlG8H77R07mZSPbMjLyS07ChA=
github.com/bits-and-blooms/bitset v1.2.0/go.mod h1:gIdJ4wp64HaoK2YrL1Q5/N7Y16edYb8uY+O0FJTyyDA=
github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 h1:3uZCA/BLTIu+DqCfguByNMJa2HVHpXvjfy0Dy7g6fuA=
github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
Expand Down Expand Up @@ -338,6 +342,8 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G
github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
github.com/morikuni/aec v1.0.0 h1:nP9CBfwrvYnBRgY6qfDQkygYDmYwOilePFkwzv4dU8A=
github.com/mrunalp/fileutils v0.5.0/go.mod h1:M1WthSahJixYnrXQl/DFQuteStB1weuxD2QJNHXfbSQ=
github.com/mschoch/smat v0.2.0 h1:8imxQsjDm8yFEAVBe7azKmKSgzSkZXDuKkSq9374khM=
github.com/mschoch/smat v0.2.0/go.mod h1:kc9mz7DoBKqDyiRL7VZN8KvXQMWeTaVnttLRXOlotKw=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
3 changes: 3 additions & 0 deletions pkg/ebpf/events_pipeline.go
Expand Up @@ -46,6 +46,9 @@ func (t *Tracee) handleEvents(ctx context.Context) {
eventsChan, errc = t.processEvents(ctx, eventsChan)
errcList = append(errcList, errc)

eventsChan, errc = t.processTree.StartProcessingPipeline(ctx, eventsChan)
errcList = append(errcList, errc)

// Enrichment stage
// In this stage container events are enriched with additional runtime data
// Events may be enriched in the initial decode state if the enrichment data has been stored in the Containers structure
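Review bot: The new process-tree stage wired in at L79–L80 is the only stage in this function without a heading comment, while the stage right after it is introduced by `// Enrichment stage` plus a description; add `// Process tree stage` followed by a line such as `// Every event is fed to the process tree (fork/exec/exit update it, other events fill gaps left by lost events); this runs before enrichment, so the tree sees unenriched events.` above L79. The stage appears to be unconditional, so every event passes through `ProcessEvent` whether or not anything consumes the tree; if that is intended the comment should say so, otherwise a config switch is worth considering. Any error the stage reports goes into `errcList`, whose consumer is outside this hunk. handleEvents starts and ends outside the hunk.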
4 changes: 4 additions & 0 deletions pkg/ebpf/tracee.go
Expand Up @@ -42,6 +42,7 @@ import (
"github.com/aquasecurity/tracee/pkg/metrics"
"github.com/aquasecurity/tracee/pkg/pcaps"
"github.com/aquasecurity/tracee/pkg/policy"
"github.com/aquasecurity/tracee/pkg/proctree"
"github.com/aquasecurity/tracee/pkg/signatures/engine"
"github.com/aquasecurity/tracee/pkg/utils"
"github.com/aquasecurity/tracee/pkg/utils/proc"
Expand Down Expand Up @@ -210,6 +211,7 @@ type Tracee struct {
contSymbolsLoader *sharedobjs.ContainersSymbolsLoader
// Specific Events Needs
triggerContexts trigger.Context
processTree *proctree.ProcessTree
}

func (t *Tracee) Stats() *metrics.Stats {
Expand Down Expand Up @@ -360,6 +362,8 @@ func New(cfg Config) (*Tracee, error) {
}
}

t.processTree = proctree.InitProcessTree()

// Add/Drop capabilities to/from the Base ring (always effective)

capsToAdd, err := capabilities.ReqByString(t.config.Capabilities.AddCaps...)
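Review bot: `t.processTree = proctree.InitProcessTree()` at L108 runs before the capability ring is adjusted on the lines that follow it, so if the constructor ever seeds the tree from /proc (its body is not in this hunk) it will do so with whatever capabilities the process started with; if it only allocates, a one-line comment saying so would keep that from regressing silently, e.g. `// Allocation only: the tree is populated by the events pipeline, not from /proc.` The constructor name stutters with its package and carries an `Init` prefix — the Go convention would be `proctree.New()` — and the new `processTree` field at L100 is the only one in its group without a comment; `// processTree tracks the host process hierarchy built from fork/exec/exit events` would do. New's body starts and ends outside the hunk.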
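--- a/pkg/proctree/events_processing.go
+++ b/pkg/proctree/events_processing.go
@@ -0,0 +1,38 @@
+package proctree
+
+import (
+"github.com/aquasecurity/tracee/types/trace"
+)
+
+// ProcessEvent update the process tree according to arriving event
+func (tree *ProcessTree) ProcessEvent(traceeEvent *trace.Event) error {
+switch traceeEvent.EventName {
+case "sched_process_fork":
+return tree.processForkEvent(traceeEvent)
+case "sched_process_exec":
+return tree.processExecEvent(traceeEvent)
+case "sched_process_exit":
+return tree.processExitEvent(traceeEvent)
+case "exit", "init_namespaces":
+return nil
+default:
+return tree.processDefaultEvent(traceeEvent)
+}
+}
+
+// processDefaultEvent tries to expand the process tree in case of lost events or missing general information
+func (tree *ProcessTree) processDefaultEvent(event *trace.Event) error {
+process, err := tree.getProcess(event.HostProcessID)
+if err != nil {
+process = tree.addGeneralEventProcess(event)
+process.addThreadID(event.HostThreadID)
+} else if process.Status.Contains(uint32(hollowParent)) {
+fillHollowParentProcessGeneralEvent(process, event)
+}
+process.addThreadID(event.HostThreadID)
+if process.ParentProcess == nil {
+tree.generateParentProcess(process)
+}
+return nil
+
+}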
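Review bot: In `processDefaultEvent`, `process.addThreadID(event.HostThreadID)` is called twice on the not-found path — once at L144 inside the `if err != nil` branch and again unconditionally at L148 — so the call at L144 can be dropped without changing behavior. That same branch treats any error from `tree.getProcess` as "process unknown" and creates a fresh entry; if `getProcess` can fail for reasons other than a missing PID (its body is not in this commit) those failures are silently masked, and a dedicated not-found sentinel checked with `errors.Is`, or a `(process, ok)` lookup, would make the intent explicit. The function always returns nil despite its `error` result, and the blank line before its closing brace is not gofmt-clean. Dispatching on event-name strings in `ProcessEvent` rather than the numeric event IDs used elsewhere in the pipeline means a renamed event silently falls into the default path; a comment stating that this is deliberate, or a switch on the event ID, would help.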
