diff --git a/x-pack/auditbeat/tracing/cpu.go b/auditbeat/tracing/cpu.go similarity index 73% rename from x-pack/auditbeat/tracing/cpu.go rename to auditbeat/tracing/cpu.go index e0fd15e09ce..280cc395bf1 100644 --- a/x-pack/auditbeat/tracing/cpu.go +++ b/auditbeat/tracing/cpu.go @@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux @@ -9,7 +22,7 @@ package tracing import ( "bytes" "fmt" - "io/ioutil" + "os" "strconv" "strings" ) @@ -72,7 +85,7 @@ func (s CPUSet) AsList() []int { // NewCPUSetFromFile creates a new CPUSet from the contents of a file. func NewCPUSetFromFile(path string) (cpus CPUSet, err error) { - contents, err := ioutil.ReadFile(path) + contents, err := os.ReadFile(path) if err != nil { return cpus, err } 
@@ -84,9 +97,12 @@ func NewCPUSetFromFile(path string) (cpus CPUSet, err error) { // Where: // RANGE := | - func NewCPUSetFromExpression(contents string) (CPUSet, error) { - var ranges [][]int - var max, count int - for _, expr := range strings.Split(contents, ",") { + expressions := strings.Split(contents, ",") + + ranges := make([][]int, 0, len(expressions)) + + var maximum, count int + for _, expr := range expressions { if len(expr) == 0 { continue } @@ -99,16 +115,16 @@ func NewCPUSetFromExpression(contents string) (CPUSet, error) { } num := int(num16) r = append(r, num) - if num+1 > max { - max = num + 1 + if num+1 > maximum { + maximum = num + 1 } } ranges = append(ranges, r) } - if max == 0 { + if maximum == 0 { return CPUSet{}, nil } - mask := make([]bool, max) + mask := make([]bool, maximum) for _, r := range ranges { from, to := -1, -1 switch len(r) { diff --git a/x-pack/auditbeat/tracing/cpu_test.go b/auditbeat/tracing/cpu_test.go similarity index 76% rename from x-pack/auditbeat/tracing/cpu_test.go rename to auditbeat/tracing/cpu_test.go index 3f6921895da..bfce3a72de0 100644 --- a/x-pack/auditbeat/tracing/cpu_test.go +++ b/auditbeat/tracing/cpu_test.go 
@@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux diff --git a/x-pack/auditbeat/tracing/decoder.go b/auditbeat/tracing/decoder.go similarity index 90% rename from x-pack/auditbeat/tracing/decoder.go rename to auditbeat/tracing/decoder.go index 8755b25f5dd..d669e8c8e98 100644 --- a/x-pack/auditbeat/tracing/decoder.go +++ b/auditbeat/tracing/decoder.go 
@@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux @@ -183,9 +196,13 @@ func NewStructDecoder(desc ProbeFormat, allocFn AllocateFn) (Decoder, error) { } var name string + var allowUndefined bool var greedy bool for idx, param := range strings.Split(values, ",") { switch param { + case "allowundefined": + // it is okay not to find it in the desc.Fields + allowUndefined = true case "greedy": greedy = true default: @@ -214,6 +231,9 @@ func NewStructDecoder(desc ProbeFormat, allocFn AllocateFn) (Decoder, error) { inField, found := desc.Fields[name] if !found { + if allowUndefined { + continue + } return nil, fmt.Errorf("field '%s' not found in kprobe format description", name) } 
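Review bot: The new `allowundefined` branch in NewStructDecoder skips a missing field with a bare `continue`, so the destination struct field silently keeps its zero value and a consumer cannot tell "not present on this kernel" from a genuine zero. For an audit data source that distinction matters. I would document the tag wherever the other tag options such as `greedy` are described, and expand the inline comment, for example `// allowundefined: a field absent from desc.Fields is skipped and left at its zero value`. `allowUndefined` is declared next to `name` and `greedy`, but the enclosing loop starts outside the hunk, so please confirm it is reset for every struct field rather than carried over from the previous one.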
@@ -326,14 +346,14 @@ func (d *structDecoder) Decode(raw []byte, meta Metadata) (s interface{}, err er case FieldTypeString: offset := uintptr(MachineEndian.Uint16(raw[dec.src:])) - len := uintptr(MachineEndian.Uint16(raw[dec.src+2:])) - if offset+len > n { + length := uintptr(MachineEndian.Uint16(raw[dec.src+2:])) + if offset+length > n { return nil, fmt.Errorf("perf event string data for field %s overflows message of size %d", dec.name, n) } - if len > 0 && raw[offset+len-1] == 0 { - len-- + if length > 0 && raw[offset+length-1] == 0 { + length-- } - *(*string)(unsafe.Add(destPtr, dec.dst)) = string(raw[offset : offset+len]) + *(*string)(unsafe.Add(destPtr, dec.dst)) = string(raw[offset : offset+length]) case FieldTypeMeta: *(*Metadata)(unsafe.Add(destPtr, dec.dst)) = meta @@ -357,7 +377,8 @@ type dumpDecoder struct { // - integer of 64bit (u64 / s64). // - dump consecutive memory. func NewDumpDecoder(format ProbeFormat) (Decoder, error) { - var fields []Field + fields := make([]Field, 0, len(format.Fields)) + for name, field := range format.Fields { if strings.Index(name, "arg") != 0 { continue diff --git a/auditbeat/tracing/doc.go b/auditbeat/tracing/doc.go new file mode 100644 index 00000000000..5f4e8b92331 --- /dev/null +++ b/auditbeat/tracing/doc.go 
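Review bot: In the `FieldTypeString` case, offset and length are read as two separate 16-bit values at `dec.src` and `dec.src+2`. If this field is the kernel's usual 32-bit `__data_loc` word (offset in the low half, length in the high half), that order is correct only on little-endian hosts, and the two values would be swapped on a big-endian one. Since this commit also adds a non-x86 integer reader, it would be safer to read the word once: `v := MachineEndian.Uint32(raw[dec.src:])`, `offset := uintptr(v & 0xffff)`, `length := uintptr(v >> 16)`. The `offset+length > n` check itself cannot wrap, because both operands come from 16-bit values. Whether `dec.src+4 <= n` is verified before these reads is not visible; Decode's body starts and ends outside the hunk.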
@@ -0,0 +1,22 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+// Package tracing provides a set of tools built on top of
+// golang.org/x/sys/unix/linux/perf that simplify working with KProbes and
+// UProbes, using tracing perf channels to receive events from the kernel and
+// decoding of this raw events into more useful types.
+package tracing
diff --git a/auditbeat/tracing/endian.go b/auditbeat/tracing/endian.go
new file mode 100644
index 00000000000..d7fa00c6fa2
--- /dev/null
+++ b/auditbeat/tracing/endian.go
@@ -0,0 +1,28 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build linux
+
+package tracing
+
+import (
+ "encoding/binary"
+)
+
+// MachineEndian is either binary.BigEndian or binary.LittleEndian, depending
+// on the current architecture.
+var MachineEndian = binary.NativeEndian
diff --git a/x-pack/auditbeat/tracing/events_test.go b/auditbeat/tracing/events_test.go
similarity index 90%
rename from x-pack/auditbeat/tracing/events_test.go
rename to auditbeat/tracing/events_test.go
index d89f4946ca1..0b5efaec53a 100644
--- a/x-pack/auditbeat/tracing/events_test.go
+++ b/auditbeat/tracing/events_test.go
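Review bot: The doc comment in endian.go says `MachineEndian` is either `binary.BigEndian` or `binary.LittleEndian`, but the variable is assigned `binary.NativeEndian`, which is a separate value with its own type. Any caller that tests it against one of the two named orders (for example through a `binary.ByteOrder` interface) will not get a match. I would reword the comment to `// MachineEndian is the byte order of the host CPU (binary.NativeEndian).` It is also an exported, reassignable package variable that the decoders use for every field read, so if nothing outside the package needs to set it, the comment should say it must not be modified.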
@@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux @@ -9,7 +22,6 @@ package tracing import ( "fmt" "io" - "io/ioutil" "os" "path/filepath" "strings" @@ -301,7 +313,7 @@ func TestKProbeReal(t *testing.T) { func TestKProbeEventsList(t *testing.T) { // Make dir to monitor. - tmpDir, err := ioutil.TempDir("", "events_test") + tmpDir, err := os.MkdirTemp("", "events_test") if err != nil { t.Fatal(err) } @@ -358,7 +370,7 @@ w:future feature func TestKProbeEventsAddRemoveKProbe(t *testing.T) { // Make dir to monitor. - tmpDir, err := ioutil.TempDir("", "events_test") + tmpDir, err := os.MkdirTemp("", "events_test") if err != nil { t.Fatal(err) } 
@@ -397,7 +409,7 @@ w:future feature off, err := file.Seek(int64(0), io.SeekStart) assert.NoError(t, err) assert.Equal(t, int64(0), off) - contents, err := ioutil.ReadAll(file) + contents, err := io.ReadAll(file) assert.NoError(t, err) expected := append([]byte(baseContents), []byte( `p:kprobe/myprobe sys_open path=+0(%di):string mode=%si diff --git a/auditbeat/tracing/int_aligned.go b/auditbeat/tracing/int_aligned.go new file mode 100644 index 00000000000..cbcadf96f32 --- /dev/null +++ b/auditbeat/tracing/int_aligned.go 
@@ -0,0 +1,71 @@
+// Licensed to Elasticsearch B.V. under one or more contributor
+// license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright
+// ownership. Elasticsearch B.V. licenses this file to you under
+// the Apache License, Version 2.0 (the "License"); you may
+// not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing,
+// software distributed under the License is distributed on an
+// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+// KIND, either express or implied. See the License for the
+// specific language governing permissions and limitations
+// under the License.
+
+//go:build linux && !386 && !amd64 && !amd64p32
+
+// Alignment-safe integer reading and writing functions.
+
+package tracing
+
+import (
+ "errors"
+ "unsafe"
+)
+
+var errBadSize = errors.New("bad size for integer")
+
+func copyInt(dst unsafe.Pointer, src unsafe.Pointer, len uint8) error {
+ copy(unsafe.Slice((*byte)(dst), len), unsafe.Slice((*byte)(src), len))
+ return nil
+}
+
+func readInt(ptr unsafe.Pointer, len uint8, signed bool) (any, error) {
+ var value any
+ asSlice := unsafe.Slice((*byte)(ptr), len)
+ switch len {
+ case 1:
+ if signed {
+ value = int8(asSlice[0])
+ } else {
+ value = asSlice[0]
+ }
+ case 2:
+ if signed {
+ value = int16(MachineEndian.Uint16(asSlice))
+ } else {
+ value = MachineEndian.Uint16(asSlice)
+ }
+
+ case 4:
+ if signed {
+ value = int32(MachineEndian.Uint32(asSlice))
+ } else {
+ value = MachineEndian.Uint32(asSlice)
+ }
+
+ case 8:
+ if signed {
+ value = int64(MachineEndian.Uint64(asSlice))
+ } else {
+ value = MachineEndian.Uint64(asSlice)
+ }
+
+ default:
+ return nil, errBadSize
+ }
+ return value, nil
+}
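Review bot: `copyInt` in this alignment-safe variant copies whatever `len` it is given and always returns nil, whereas `readInt` just below rejects every size other than 1, 2, 4 or 8 with `errBadSize`. Both arguments are `unsafe.Pointer`, so nothing else bounds the copy, and an unexpected size taken from a probe format description would move up to 255 bytes across memory the caller never sized for it. I would add the same guard ahead of the copy, `if len != 1 && len != 2 && len != 4 && len != 8 { return errBadSize }`. The parameter name `len` also shadows the builtin in both build variants, which this commit already cleans up in decoder.go.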
diff --git a/x-pack/auditbeat/tracing/int_unaligned.go b/auditbeat/tracing/int_unaligned.go similarity index 52% rename from x-pack/auditbeat/tracing/int_unaligned.go rename to auditbeat/tracing/int_unaligned.go index 38a767dd642..d4c1a3f6b16 100644 --- a/x-pack/auditbeat/tracing/int_unaligned.go +++ b/auditbeat/tracing/int_unaligned.go @@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux && (386 || amd64 || amd64p32) @@ -35,7 +48,9 @@ func copyInt(dst unsafe.Pointer, src unsafe.Pointer, len uint8) error { return nil } -func readInt(ptr unsafe.Pointer, len uint8, signed bool) (value interface{}, err error) { +func readInt(ptr unsafe.Pointer, len uint8, signed bool) (any, error) { + var value any + switch len { case 1: if signed { @@ -67,5 +82,5 @@ func readInt(ptr unsafe.Pointer, len uint8, signed bool) (value interface{}, err default: return nil, errBadSize } - return + return value, nil } 
diff --git a/x-pack/auditbeat/tracing/perfevent.go b/auditbeat/tracing/perfevent.go similarity index 88% rename from x-pack/auditbeat/tracing/perfevent.go rename to auditbeat/tracing/perfevent.go index 4b97772b18f..36f595aa676 100644 --- a/x-pack/auditbeat/tracing/perfevent.go +++ b/auditbeat/tracing/perfevent.go @@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux @@ -57,14 +70,14 @@ type PerfChannel struct { cpus CPUSet // Settings - attr perf.Attr - mappedPages int - pid int - pollTimeout time.Duration - sizeSampleC int - sizeErrC int - sizeLostC int - withTime bool + attr perf.Attr + mappedPages int + pid int + pollTimeout time.Duration + sizeSampleC int + sizeErrC int + sizeLostC int + wakeUpEvents uint32 } // PerfChannelConf instances change the configuration of a perf channel. 
@@ -89,14 +102,15 @@ func NewPerfChannel(cfg ...PerfChannelConf) (channel *PerfChannel, err error) { // Defaults channel = &PerfChannel{ - sizeSampleC: 1024, - sizeErrC: 8, - sizeLostC: 64, - mappedPages: 64, - pollTimeout: time.Millisecond * 200, - done: make(chan struct{}, 0), - streams: make(map[uint64]stream), - pid: perf.AllThreads, + sizeSampleC: 1024, + sizeErrC: 8, + sizeLostC: 64, + mappedPages: 64, + wakeUpEvents: 1, + pollTimeout: time.Millisecond * 200, + done: make(chan struct{}), + streams: make(map[uint64]stream), + pid: perf.AllThreads, attr: perf.Attr{ Type: perf.TracepointEvent, ClockID: unix.CLOCK_MONOTONIC, @@ -108,8 +122,6 @@ func NewPerfChannel(cfg ...PerfChannelConf) (channel *PerfChannel, err error) { }, }, } - channel.attr.SetSamplePeriod(1) - channel.attr.SetWakeupEvents(1) // Load the list of online CPUs from /sys/devices/system/cpu/online. // This is necessary in order to to install each kprobe on all online CPUs. @@ -130,6 +142,10 @@ func NewPerfChannel(cfg ...PerfChannelConf) (channel *PerfChannel, err error) { return nil, err } } + + channel.attr.SetSamplePeriod(1) + channel.attr.SetWakeupEvents(channel.wakeUpEvents) + return channel, nil } @@ -157,6 +173,18 @@ func WithErrBufferSize(size int) PerfChannelConf { } } +// WithWakeUpEvents configures sets how many samples happen before an overflow +// notification happens. Setting wakeUpEvents to 0 is equivalent to 1. +func WithWakeUpEvents(wakeUpEvents uint32) PerfChannelConf { + return func(channel *PerfChannel) error { + if wakeUpEvents == 0 { + wakeUpEvents = 1 + } + channel.wakeUpEvents = wakeUpEvents + return nil + } +} + // WithLostBufferSize configures the capacity of the channel used to pass lost // event notifications (PerfChannel.LostC()). func WithLostBufferSize(size int) PerfChannelConf { 
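Review bot: The doc comment on `WithWakeUpEvents` reads "configures sets how many samples happen before an overflow notification happens" and does not say what a larger value costs. With a value above 1 the reader is only woken once that many samples have accumulated, so delivery is delayed and, if the mapped ring is small relative to the event rate, records can be dropped and reported as lost, which is worth stating for an audit data source. Suggested first line: `// WithWakeUpEvents sets how many samples accumulate before the kernel wakes the reader; 0 is treated as 1.`, followed by a sentence on the latency and lost-event trade-off. Separately, `SetSamplePeriod(1)` and `SetWakeupEvents` now run after the option loop in NewPerfChannel, so any option that adjusts those attributes directly would be overridden; that looks intended but deserves a short comment.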
@@ -462,7 +490,7 @@ func (m *recordMerger) readSampleNonBlock(ev *perf.Event, ctx context.Context) ( return nil, false } if err != nil { - if err == perf.ErrBadRecord { + if errors.Is(err, perf.ErrBadRecord) { m.channel.lostC <- ^uint64(0) continue } @@ -503,7 +531,7 @@ func pollAll(evs []*perf.Event, timeout time.Duration) (active int, closed int, } ts := unix.NsecToTimespec(timeout.Nanoseconds()) - for err = unix.EINTR; err == unix.EINTR; { + for err = unix.EINTR; errors.Is(err, unix.EINTR); { _, err = unix.Ppoll(pollfds, &ts, nil) } if err != nil { @@ -518,5 +546,5 @@ func pollAll(evs []*perf.Event, timeout time.Duration) (active int, closed int, closed++ } } - return + return active, closed, err } diff --git a/x-pack/auditbeat/tracing/probe.go b/auditbeat/tracing/probe.go similarity index 80% rename from x-pack/auditbeat/tracing/probe.go rename to auditbeat/tracing/probe.go index 61bf353ef5f..5bfd5977c07 100644 --- a/x-pack/auditbeat/tracing/probe.go +++ b/auditbeat/tracing/probe.go 
@@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux diff --git a/x-pack/auditbeat/tracing/tracefs.go b/auditbeat/tracing/tracefs.go similarity index 89% rename from x-pack/auditbeat/tracing/tracefs.go rename to auditbeat/tracing/tracefs.go index b26eb17312c..532eb75ca45 100644 --- a/x-pack/auditbeat/tracing/tracefs.go +++ b/auditbeat/tracing/tracefs.go 
@@ -1,6 +1,19 @@ -// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one -// or more contributor license agreements. Licensed under the Elastic License; -// you may not use this file except in compliance with the Elastic License. +// Licensed to Elasticsearch B.V. under one or more contributor +// license agreements. See the NOTICE file distributed with +// this work for additional information regarding copyright +// ownership. Elasticsearch B.V. licenses this file to you under +// the Apache License, Version 2.0 (the "License"); you may +// not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, +// software distributed under the License is distributed on an +// "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY +// KIND, either express or implied. See the License for the +// specific language governing permissions and limitations +// under the License. //go:build linux @@ -26,9 +39,9 @@ const ( var ( // p[:[GRP/]EVENT] [MOD:]SYM[+offs]|MEMADDR [FETCHARGS] : Set a probe // r[MAXACTIVE][:[GRP/]EVENT] [MOD:]SYM[+0] [FETCHARGS] : Set a return probe - kprobeRegexp *regexp.Regexp = regexp.MustCompile("^([pr])[0-9]*:(?:([^/ ]*)/)?([^/ ]+) ([^ ]+) ?(.*)") + kprobeRegexp *regexp.Regexp = regexp.MustCompile(`^([pr])[0-9]*:(?:([^/ ]*)/)?([^/ ]+) ([^ ]+) ?(.*)`) - formatRegexp *regexp.Regexp = regexp.MustCompile("\\s+([^:]+):([^;]*);") + formatRegexp *regexp.Regexp = regexp.MustCompile(`\s+([^:]+):([^;]*);`) ) // TraceFS is an accessor to manage event tracing via tracefs or debugfs. 
@@ -72,13 +85,14 @@ func IsTraceFSAvailableAt(path string) error { // IsTraceFSAvailable returns nil if a tracefs or debugfs supporting KProbes // is available at the well-known paths. Otherwise returns an error. -func IsTraceFSAvailable() (err error) { +func IsTraceFSAvailable() error { + var err error for _, path := range []string{traceFSPath, debugFSTracingPath} { if err = IsTraceFSAvailableAt(path); err == nil { - break + return nil } } - return + return err } // ListKProbes lists the currently installed kprobes / kretprobes @@ -122,7 +136,7 @@ func (dfs *TraceFS) listProbes(filename string) (probes []Probe, err error) { } // AddKProbe installs a new kprobe/kretprobe. -func (dfs *TraceFS) AddKProbe(probe Probe) (err error) { +func (dfs *TraceFS) AddKProbe(probe Probe) error { return dfs.appendToFile(kprobeCfgFile, probe.String()) } diff --git a/x-pack/auditbeat/module/system/socket/events.go b/x-pack/auditbeat/module/system/socket/events.go index ad652b9aac5..beb0a988a7c 100644 --- a/x-pack/auditbeat/module/system/socket/events.go +++ b/x-pack/auditbeat/module/system/socket/events.go @@ -18,7 +18,7 @@ import ( "golang.org/x/sys/unix" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" + "github.com/elastic/beats/v7/auditbeat/tracing" ) const ( diff --git a/x-pack/auditbeat/module/system/socket/guess/creds.go b/x-pack/auditbeat/module/system/socket/guess/creds.go index 7df1b0c1c2f..8c808dcdbe5 100644 --- a/x-pack/auditbeat/module/system/socket/guess/creds.go +++ b/x-pack/auditbeat/module/system/socket/guess/creds.go @@ -14,8 +14,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/cskxmit6.go b/x-pack/auditbeat/module/system/socket/guess/cskxmit6.go index d77dc7a2bbe..258d9f21a4f 100644 
--- a/x-pack/auditbeat/module/system/socket/guess/cskxmit6.go +++ b/x-pack/auditbeat/module/system/socket/guess/cskxmit6.go @@ -13,8 +13,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/deref.go b/x-pack/auditbeat/module/system/socket/guess/deref.go index 7996a8cd8b3..e2c3c0082c5 100644 --- a/x-pack/auditbeat/module/system/socket/guess/deref.go +++ b/x-pack/auditbeat/module/system/socket/guess/deref.go @@ -13,8 +13,8 @@ import ( "strconv" "syscall" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/guess.go b/x-pack/auditbeat/module/system/socket/guess/guess.go index 05c2aa4668a..718afa0ad7b 100644 --- a/x-pack/auditbeat/module/system/socket/guess/guess.go +++ b/x-pack/auditbeat/module/system/socket/guess/guess.go @@ -12,8 +12,8 @@ import ( "fmt" "time" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/inetsock.go b/x-pack/auditbeat/module/system/socket/guess/inetsock.go index 707db38b7e7..f9d1db85639 100644 --- a/x-pack/auditbeat/module/system/socket/guess/inetsock.go +++ b/x-pack/auditbeat/module/system/socket/guess/inetsock.go 
@@ -14,8 +14,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/inetsock6.go b/x-pack/auditbeat/module/system/socket/guess/inetsock6.go index 4a937a55485..438c09d65c3 100644 --- a/x-pack/auditbeat/module/system/socket/guess/inetsock6.go +++ b/x-pack/auditbeat/module/system/socket/guess/inetsock6.go @@ -14,8 +14,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/inetsockaf.go b/x-pack/auditbeat/module/system/socket/guess/inetsockaf.go index 60fbfed7105..69676b41a2d 100644 --- a/x-pack/auditbeat/module/system/socket/guess/inetsockaf.go +++ b/x-pack/auditbeat/module/system/socket/guess/inetsockaf.go @@ -12,8 +12,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/iplocalout.go b/x-pack/auditbeat/module/system/socket/guess/iplocalout.go index 6a997af23ae..26a95405e8e 100644 --- a/x-pack/auditbeat/module/system/socket/guess/iplocalout.go +++ b/x-pack/auditbeat/module/system/socket/guess/iplocalout.go 
@@ -13,8 +13,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/skbuff.go b/x-pack/auditbeat/module/system/socket/guess/skbuff.go index 85589f8a4fe..ba53089aed3 100644 --- a/x-pack/auditbeat/module/system/socket/guess/skbuff.go +++ b/x-pack/auditbeat/module/system/socket/guess/skbuff.go @@ -17,8 +17,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/sockaddrin.go b/x-pack/auditbeat/module/system/socket/guess/sockaddrin.go index 2a76d564ba5..bfaebf544af 100644 --- a/x-pack/auditbeat/module/system/socket/guess/sockaddrin.go +++ b/x-pack/auditbeat/module/system/socket/guess/sockaddrin.go @@ -14,8 +14,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/sockaddrin6.go b/x-pack/auditbeat/module/system/socket/guess/sockaddrin6.go index 5564015530b..f9f7c187421 100644 --- a/x-pack/auditbeat/module/system/socket/guess/sockaddrin6.go +++ b/x-pack/auditbeat/module/system/socket/guess/sockaddrin6.go 
@@ -13,8 +13,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/socketsk.go b/x-pack/auditbeat/module/system/socket/guess/socketsk.go index 5ebc0ab7de6..3c12cd29463 100644 --- a/x-pack/auditbeat/module/system/socket/guess/socketsk.go +++ b/x-pack/auditbeat/module/system/socket/guess/socketsk.go @@ -12,8 +12,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/syscallargs.go b/x-pack/auditbeat/module/system/socket/guess/syscallargs.go index 3930e7134b9..902940985b9 100644 --- a/x-pack/auditbeat/module/system/socket/guess/syscallargs.go +++ b/x-pack/auditbeat/module/system/socket/guess/syscallargs.go @@ -12,8 +12,8 @@ import ( "golang.org/x/sys/unix" + "github.com/elastic/beats/v7/auditbeat/tracing" "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper" - "github.com/elastic/beats/v7/x-pack/auditbeat/tracing" "github.com/elastic/elastic-agent-libs/mapstr" ) diff --git a/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgargs.go b/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgargs.go index faa3910ba5f..058736eec56 100644 --- a/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgargs.go +++ b/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgargs.go 
@@ -10,8 +10,8 @@ package guess
 import (
 "golang.org/x/sys/unix"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 )
diff --git a/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgsk.go b/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgsk.go
index 450a336df6e..73f810e7414 100644
--- a/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgsk.go
+++ b/x-pack/auditbeat/module/system/socket/guess/tcpsendmsgsk.go
@@ -12,8 +12,8 @@ import (
 "golang.org/x/sys/unix"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 )
diff --git a/x-pack/auditbeat/module/system/socket/guess/udpsendmsg.go b/x-pack/auditbeat/module/system/socket/guess/udpsendmsg.go
index 5ab70f92a48..09241e6641e 100644
--- a/x-pack/auditbeat/module/system/socket/guess/udpsendmsg.go
+++ b/x-pack/auditbeat/module/system/socket/guess/udpsendmsg.go
@@ -10,8 +10,8 @@ package guess
 import (
 "golang.org/x/sys/unix"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 )
diff --git a/x-pack/auditbeat/module/system/socket/helper/probes.go b/x-pack/auditbeat/module/system/socket/helper/probes.go
index 24ad0eda3d9..3ebb3e2cfcb 100644
--- a/x-pack/auditbeat/module/system/socket/helper/probes.go
+++ b/x-pack/auditbeat/module/system/socket/helper/probes.go
@@ -12,7 +12,7 @@ import (
 "strings"
 "text/template"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 )
diff --git a/x-pack/auditbeat/module/system/socket/helper/types.go b/x-pack/auditbeat/module/system/socket/helper/types.go
index 1365aeaf9e0..d466e847e75 100644
--- a/x-pack/auditbeat/module/system/socket/helper/types.go
+++ b/x-pack/auditbeat/module/system/socket/helper/types.go
@@ -7,7 +7,7 @@
 package helper
 import (
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 )
 // Logger exposes logging functions.
diff --git a/x-pack/auditbeat/module/system/socket/kprobes.go b/x-pack/auditbeat/module/system/socket/kprobes.go
index 3660f6a5a1d..a8781345991 100644
--- a/x-pack/auditbeat/module/system/socket/kprobes.go
+++ b/x-pack/auditbeat/module/system/socket/kprobes.go
@@ -14,8 +14,8 @@ import (
 "github.com/joeshaw/multierror"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 )
diff --git a/x-pack/auditbeat/module/system/socket/kprobes_test.go b/x-pack/auditbeat/module/system/socket/kprobes_test.go
index fdaeac8f8bc..8ddca79e957 100644
--- a/x-pack/auditbeat/module/system/socket/kprobes_test.go
+++ b/x-pack/auditbeat/module/system/socket/kprobes_test.go
@@ -11,9 +11,9 @@ import (
 "strings"
 "testing"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/guess"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 )
 func probeName(p tracing.Probe) string {
diff --git a/x-pack/auditbeat/module/system/socket/socket_linux.go b/x-pack/auditbeat/module/system/socket/socket_linux.go
index c7b7a979453..b334b848892 100644
--- a/x-pack/auditbeat/module/system/socket/socket_linux.go
+++ b/x-pack/auditbeat/module/system/socket/socket_linux.go
@@ -23,13 +23,13 @@ import (
 "golang.org/x/sys/unix"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/libbeat/common/cfgwarn"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/guess"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/logp"
 "github.com/elastic/elastic-agent-libs/mapstr"
 "github.com/elastic/go-perf"
diff --git a/x-pack/auditbeat/module/system/socket/state.go b/x-pack/auditbeat/module/system/socket/state.go
index a302bba0caa..19bb729a844 100644
--- a/x-pack/auditbeat/module/system/socket/state.go
+++ b/x-pack/auditbeat/module/system/socket/state.go
@@ -20,12 +20,12 @@ import (
 "github.com/joeshaw/multierror"
 "golang.org/x/sys/unix"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/libbeat/common"
 "github.com/elastic/beats/v7/libbeat/common/flowhash"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/dns"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/helper"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 "github.com/elastic/go-libaudit/v2/aucoalesce"
 )
diff --git a/x-pack/auditbeat/module/system/socket/state_test.go b/x-pack/auditbeat/module/system/socket/state_test.go
index 611581c5d30..fd3e125cc40 100644
--- a/x-pack/auditbeat/module/system/socket/state_test.go
+++ b/x-pack/auditbeat/module/system/socket/state_test.go
@@ -18,10 +18,10 @@ import (
 "github.com/stretchr/testify/assert"
 "golang.org/x/sys/unix"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/libbeat/beat"
 "github.com/elastic/beats/v7/metricbeat/mb"
 "github.com/elastic/beats/v7/x-pack/auditbeat/module/system/socket/dns"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 )
 type logWrapper testing.T
diff --git a/x-pack/auditbeat/module/system/socket/template.go b/x-pack/auditbeat/module/system/socket/template.go
index 84f890e5be1..c1a97a163b9 100644
--- a/x-pack/auditbeat/module/system/socket/template.go
+++ b/x-pack/auditbeat/module/system/socket/template.go
@@ -10,8 +10,8 @@ import (
 "strings"
 "unsafe"
+ "github.com/elastic/beats/v7/auditbeat/tracing"
 "github.com/elastic/beats/v7/libbeat/common"
- "github.com/elastic/beats/v7/x-pack/auditbeat/tracing"
 "github.com/elastic/elastic-agent-libs/mapstr"
 )
diff --git a/x-pack/auditbeat/tracing/doc.go b/x-pack/auditbeat/tracing/doc.go
deleted file mode 100644
index 0d716eaf7c9..00000000000
--- a/x-pack/auditbeat/tracing/doc.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-// Package tracing provides a set of tools built on top of
-// golang.org/x/sys/unix/linux/perf that simplify working with KProbes and
-// UProbes, using tracing perf channels to receive events from the kernel and
-// decoding of this raw events into more useful types.
-package tracing
diff --git a/x-pack/auditbeat/tracing/endian.go b/x-pack/auditbeat/tracing/endian.go
deleted file mode 100644
index acb18aa9afa..00000000000
--- a/x-pack/auditbeat/tracing/endian.go
+++ /dev/null
@@ -1,29 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-//go:build linux
-
-package tracing
-
-import (
- "encoding/binary"
- "unsafe"
-)
-
-// MachineEndian is either binary.BigEndian or binary.LittleEndian, depending
-// on the current architecture.
-var MachineEndian = getCPUEndianness()
-
-func getCPUEndianness() binary.ByteOrder {
- myInt32 := new(uint32)
- copy((*[4]byte)(unsafe.Pointer(myInt32))[:], []byte{0x12, 0x34, 0x56, 0x78})
- switch *myInt32 {
- case 0x12345678:
- return binary.BigEndian
- case 0x78563412:
- return binary.LittleEndian
- default:
- panic("cannot determine endianness")
- }
-}
diff --git a/x-pack/auditbeat/tracing/int_aligned.go b/x-pack/auditbeat/tracing/int_aligned.go
deleted file mode 100644
index 6c8c4c53972..00000000000
--- a/x-pack/auditbeat/tracing/int_aligned.go
+++ /dev/null
@@ -1,57 +0,0 @@
-// Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
-// or more contributor license agreements. Licensed under the Elastic License;
-// you may not use this file except in compliance with the Elastic License.
-
-//go:build linux && !386 && !amd64 && !amd64p32
-
-// Alignment-safe integer reading and writing functions.
-
-package tracing
-
-import (
- "errors"
- "unsafe"
-)
-
-var errBadSize = errors.New("bad size for integer")
-
-func copyInt(dst unsafe.Pointer, src unsafe.Pointer, len uint8) error {
- copy((*(*[maxIntSizeBytes]byte)(dst))[:len], (*(*[maxIntSizeBytes]byte)(src))[:len])
- return nil
-}
-
-func readInt(ptr unsafe.Pointer, len uint8, signed bool) (value interface{}, err error) {
- asSlice := (*(*[maxIntSizeBytes]byte)(ptr))[:]
- switch len {
- case 1:
- if signed {
- value = int8(asSlice[0])
- } else {
- value = uint8(asSlice[0])
- }
- case 2:
- if signed {
- value = int16(MachineEndian.Uint16(asSlice))
- } else {
- value = MachineEndian.Uint16(asSlice)
- }
-
- case 4:
- if signed {
- value = int32(MachineEndian.Uint32(asSlice))
- } else {
- value = MachineEndian.Uint32(asSlice)
- }
-
- case 8:
- if signed {
- value = int64(MachineEndian.Uint64(asSlice))
- } else {
- value = MachineEndian.Uint64(asSlice)
- }
-
- default:
- return nil, errBadSize
- }
- return
-}