#pragma once
/**
 * Shared type definitions for the BPF programs and the userspace side.
 *
 * This file is used to generate bindings to the Rust side and needs to
 * be kept as minimal as possible: avoid including vmlinux.h or any
 * other sources of bloat into this file. Only plain C types, macros,
 * structs and enums belong here.
 */
/**
 * Kernel constant, taken from:
 * https://github.com/torvalds/linux/blob/f0b9d8eb98dfee8d00419aa07543bdc2c1a44fb1/include/uapi/linux/limits.h#L13
 *
 * NOTE(review): this is an unconditional definition. If a consumer also
 * pulls in <limits.h> / <linux/limits.h>, an identical redefinition (4096)
 * is permitted by the language, but a differing value would be a
 * diagnostic; an `#ifndef PATH_MAX` guard would make that explicit — confirm
 * whether the bindings generator tolerates the guard.
 */
#define PATH_MAX 4096
/* Size of the `comm` buffer in process_t; matches the kernel's TASK_COMM_LEN (16). */
#define TASK_COMM_LEN 16
/* Number of ancestor entries carried in process_t.lineage. */
#define LINEAGE_MAX 2
/* Byte size of the prefix data in path_prefix_t (the LPM trie key). */
#define LPM_SIZE_MAX 256
/**
 * One ancestor of the reported process.
 *
 * NOTE(review): exe_path is a fixed-size char array; consumers should read
 * it bounded to PATH_MAX and not assume NUL termination unless the producer
 * guarantees it — confirm on the BPF side.
 */
typedef struct lineage_t {
unsigned int uid;               /* real uid of the ancestor */
char exe_path[PATH_MAX];        /* executable path of the ancestor */
} lineage_t;
/**
 * Description of the process that triggered an event.
 *
 * NOTE(review): every char array here is fixed-size and filled by the BPF
 * side; userspace should treat them as untrusted-length data, bound reads
 * to the array size and not rely on NUL termination unless the producer
 * guarantees it — confirm against the BPF programs.
 */
typedef struct process_t {
char comm[TASK_COMM_LEN];       /* task name, as in the kernel's task_struct.comm */
char args[4096];                /* argument buffer; 4096 is a magic size, presumably mirrors PATH_MAX — verify */
unsigned int args_len;          /* number of bytes of args actually filled — presumably, confirm */
char exe_path[PATH_MAX];        /* path of the executable */
char memory_cgroup[PATH_MAX];   /* memory cgroup path */
unsigned int uid;               /* real uid */
unsigned int gid;               /* real gid */
unsigned int login_uid;         /* audit login uid */
unsigned int pid;               /* process id */
lineage_t lineage[LINEAGE_MAX]; /* ancestors; only the first lineage_len entries are valid */
unsigned int lineage_len;       /* expected to be <= LINEAGE_MAX — consumers should clamp */
char in_root_mount_ns;          /* boolean flag kept as char (see inode_value_t for why) */
} process_t;
/**
 * Identifies a filesystem object by its inode number and device.
 *
 * NOTE(review): `unsigned long` is 64-bit on the BPF target and on 64-bit
 * userspace; a 32-bit userspace would see a different layout — confirm the
 * supported targets.
 */
typedef struct inode_key_t {
unsigned long inode;            /* inode number */
unsigned long dev;              /* device identifier */
} inode_key_t;
// Value type paired with inode_key_t. We can't use bool here because it is
// not a standard C type: we would need to include vmlinux.h but that would
// explode our Rust bindings. For the time being we just keep a char
// (non-zero meaning true, presumably — confirm against the map users).
typedef char inode_value_t;
/**
 * Kind of file activity an event_t describes; selects which member of the
 * union in event_t is meaningful.
 *
 * The negative sentinel forces a signed underlying type; bindgen maps it
 * accordingly. The kernel-facing values start at 0.
 */
typedef enum file_activity_type_t {
FILE_ACTIVITY_INIT = -1,        /* sentinel: presumably "type not set yet" — confirm */
FILE_ACTIVITY_OPEN = 0,
FILE_ACTIVITY_CREATION,
FILE_ACTIVITY_UNLINK,
FILE_ACTIVITY_CHMOD,            /* event_t.chmod is valid */
FILE_ACTIVITY_CHOWN,            /* event_t.chown is valid */
FILE_ACTIVITY_RENAME,           /* event_t.rename is valid */
} file_activity_type_t;
/**
 * A single file-activity event emitted from the BPF side to userspace.
 *
 * `type` discriminates the anonymous union at the end: only the member
 * matching the activity type is meaningful; the others hold whatever was
 * in the buffer (presumably; confirm the producer zero-fills).
 *
 * NOTE(review): filename and rename.old_filename are fixed-size arrays
 * written by BPF; consumers should bound reads to PATH_MAX and not assume
 * NUL termination unless the producer guarantees it.
 *
 * NOTE(review): `unsigned long timestamp` is 64-bit on the BPF target and on
 * 64-bit userspace only — confirm the supported targets. The members named
 * `new` also mean this header cannot be consumed from C++ as-is.
 */
struct event_t {
unsigned long timestamp;        /* event time; clock source not visible here */
process_t process;              /* acting process */
char filename[PATH_MAX];        /* path the activity applies to */
inode_key_t inode;              /* object the activity applies to */
inode_key_t parent_inode;       /* its parent directory */
file_activity_type_t type;      /* selects the active union member */
union {
struct {
short unsigned int new;         /* mode after the change */
short unsigned int old;         /* mode before the change */
} chmod;                        /* valid when type == FILE_ACTIVITY_CHMOD */
struct {
struct {
unsigned int uid;
unsigned int gid;
} old, new;                     /* ownership before / after the change */
} chown;                        /* valid when type == FILE_ACTIVITY_CHOWN */
struct {
char old_filename[PATH_MAX];    /* source path of the rename */
inode_key_t old_inode;          /* source object of the rename */
} rename;                       /* valid when type == FILE_ACTIVITY_RENAME */
};
};
/**
 * Used as the key for the path_prefix map.
 *
 * The memory layout is specific and must always have a 4 byte length
 * field first: the LPM trie interprets `bit_len` as the prefix length in
 * bits over the bytes that follow, so it must not exceed LPM_SIZE_MAX * 8.
 *
 * See https://docs.ebpf.io/linux/map-type/BPF_MAP_TYPE_LPM_TRIE/
 * for a detailed description of how the LPM map works.
 *
 * NOTE(review): `const` on an array member makes objects of this struct
 * non-assignable after initialization in C and yields a "discards
 * qualifiers" diagnostic when the member is passed to memcpy; the Rust
 * bindings presumably drop the qualifier, so it only affects C callers —
 * confirm whether the const is intentional.
 */
struct path_prefix_t {
unsigned int bit_len;           /* prefix length in bits (first, 4 bytes, per LPM trie layout) */
const char path[LPM_SIZE_MAX];  /* prefix bytes; bytes beyond bit_len are ignored by the trie */
};
// Metrics types
/**
 * Per-hook counters, presumably incremented from the BPF side (confirm).
 * The names suggest: total = events seen, added = events forwarded,
 * error = failures, ignored = filtered out, ringbuffer_full = drops
 * because the ring buffer had no room — the last one is the signal a
 * defender should alert on, since dropped events are missed activity.
 */
struct metrics_by_hook_t {
unsigned long long total;
unsigned long long added;
unsigned long long error;
unsigned long long ignored;
unsigned long long ringbuffer_full;
};
/**
 * All hook counters, one metrics_by_hook_t per LSM/file hook. Field names
 * mirror the hooks they account for; the set matches the non-sentinel
 * values of file_activity_type_t except FILE_ACTIVITY_CREATION, which has
 * no counter here — presumably folded into file_open, confirm.
 */
struct metrics_t {
struct metrics_by_hook_t file_open;
struct metrics_by_hook_t path_unlink;
struct metrics_by_hook_t path_chmod;
struct metrics_by_hook_t path_chown;
struct metrics_by_hook_t path_rename;
};