securityprofile

package
Published: Feb 21, 2026 License: Apache-2.0 Imports: 46 Imported by: 0


Overview

Package securityprofile holds the security-profile related files of the runtime security agent: it manages activity dumps of running workloads, turns them into security profiles, and can export those profiles as SECL rule definitions (GenerateRules) or as a seccomp profile (GenerateSeccompProfile).

Index

Constants

const (
	// ActivityDumpSource defines the source of activity dumps. It is the
	// literal "runtime-security-agent"; presumably stamped on every dump so a
	// consumer can tell which component produced it — confirm at the call sites.
	ActivityDumpSource = "runtime-security-agent"
	// DefaultProfileName is used as the default profile name (presumably when
	// no explicit name is supplied — confirm at the call sites).
	DefaultProfileName = "default"
)

Variables

// ErrActivityDumpManagerDisabled is the sentinel error returned when the
// activity dump manager is disabled; callers should test for it with errors.Is.
var ErrActivityDumpManagerDisabled = errors.New("ActivityDumpManager is disabled")

ErrActivityDumpManagerDisabled is returned when the activity dump manager is disabled

// ErrSecurityProfileManagerDisabled is the sentinel error returned when the
// security profile manager is disabled; callers should test for it with errors.Is.
var ErrSecurityProfileManagerDisabled = errors.New("SecurityProfileManager is disabled")

ErrSecurityProfileManagerDisabled is returned when the security profile manager is disabled

var (
	// TracedEventTypesReductionOrder is the order by which event types are
	// reduced: bind events first, then IMDS, DNS and syscall events, and
	// file-open events last. NOTE(review): this looks like the order in which
	// event types are dropped from a dump that reaches its size limit, so the
	// file-open events are the ones kept the longest — confirm against the
	// reduction logic before relying on it.
	TracedEventTypesReductionOrder = []model.EventType{model.BindEventType, model.IMDSEventType, model.DNSEventType, model.SyscallsEventType, model.FileOpenEventType}
)

Functions

func GenerateRules

func GenerateRules(ads []*profile.Profile, opts SECLRuleOpts) []*rules.RuleDefinition

GenerateRules returns SECL rule definitions derived from the given activity dumps, shaped by opts. Because the rules are derived from observed activity, review them before deploying them, especially with SECLRuleOpts.EnableKill set.

func LoadActivityDumpsFromFiles

func LoadActivityDumpsFromFiles(path string) ([]*profile.Profile, error)

LoadActivityDumpsFromFiles loads activity dumps from the given path, which may be a single file or a directory.

Types

type EventFilteringResult

// EventFilteringResult is used to compute metrics for the event filtering
// feature; its values are NA, InProfile and NotInProfile.
type EventFilteringResult uint8

EventFilteringResult is used to compute metrics for the event filtering feature

const (
	// NA means not applicable; it is used for the NoProfile and
	// ProfileAtMaxSize profile states.
	NA EventFilteringResult = iota
	// InProfile is used to count the events that matched a profile
	InProfile
	// NotInProfile is used to count the events that didn't match their profile
	NotInProfile
)

type Manager

type Manager struct {
	// contains filtered or unexported fields
}

Manager is the manager for activity dumps and security profiles

func NewManager

func NewManager(cfg *config.Config, statsdClient statsd.ClientInterface, ebpf *ebpfmanager.Manager, resolvers *resolvers.EBPFResolvers, kernelVersion *kernel.Version, newEvent func() *model.Event, dumpHandler backend.ActivityDumpHandler, hostname string) (*Manager, error)

NewManager returns a new instance of the security profile manager

func (*Manager) DumpActivity

func (m *Manager) DumpActivity(params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)

DumpActivity handles an activity dump request

func (*Manager) FillProfileContextFromWorkloadID

func (m *Manager) FillProfileContextFromWorkloadID(id containerutils.WorkloadID, ctx *model.SecurityProfileContext, imageTag string)

FillProfileContextFromWorkloadID fills the given ctx with workload id infos

func (*Manager) FinalizeKernelEventCollection

func (m *Manager) FinalizeKernelEventCollection(ad *dump.ActivityDump, releaseTracedCgroupSpot bool)

FinalizeKernelEventCollection finalizes an active dump: environment variables and arguments are scrubbed, and the tags, service and container ID are set. If releaseTracedCgroupSpot is true, the cgroup spot is released and the dump is fully stopped.

func (*Manager) GenerateTranscoding

func (m *Manager) GenerateTranscoding(params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error)

GenerateTranscoding executes the requested transcoding operation

func (*Manager) GetNodesInProcessCache

func (m *Manager) GetNodesInProcessCache() map[activity_tree.ImageProcessKey]bool

GetNodesInProcessCache returns a map with ImageProcessKey as key and bool as value for all filepaths in the process cache

func (*Manager) HandleCGroupTracingEvent

func (m *Manager) HandleCGroupTracingEvent(event *model.CgroupTracingEvent)

HandleCGroupTracingEvent handles a cgroup tracing event

func (*Manager) HasActiveActivityDump

func (m *Manager) HasActiveActivityDump(event *model.Event) bool

HasActiveActivityDump returns true if the given event has an active dump

func (*Manager) ListActivityDumps

func (m *Manager) ListActivityDumps(_ *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error)

ListActivityDumps returns the list of active activity dumps

func (*Manager) ListSecurityProfiles

func (m *Manager) ListSecurityProfiles(params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error)

ListSecurityProfiles returns the list of security profiles

func (*Manager) LookupEventInProfiles

func (m *Manager) LookupEventInProfiles(event *model.Event)

LookupEventInProfiles looks up the event in the loaded security profiles.

func (*Manager) ProcessEvent

func (m *Manager) ProcessEvent(event *model.Event)

ProcessEvent processes a new event and inserts it into an activity dump if applicable.

func (*Manager) SaveSecurityProfile

func (m *Manager) SaveSecurityProfile(params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error)

SaveSecurityProfile saves the requested security profile to disk

func (*Manager) SendStats

func (m *Manager) SendStats() error

SendStats sends the manager stats

func (*Manager) Start

func (m *Manager) Start(ctx context.Context)

Start runs the manager

func (*Manager) StopActivityDump

func (m *Manager) StopActivityDump(params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error)

StopActivityDump stops an active activity dump

func (*Manager) SyncTracedCgroups

func (m *Manager) SyncTracedCgroups()

SyncTracedCgroups recovers lost CGroup tracing events by going through the kernel space map of cgroups

type ManagerV2

// ManagerV2 is the V2 implementation of ProfileManager. Unlike Manager it does
// not use kernel-space traced cgroups or cgroup tracing events; profiles are
// built from activity dump samples instead. As a consequence several interface
// methods are documented no-ops on this type (DumpActivity, ListActivityDumps,
// StopActivityDump, GenerateTranscoding, HandleCGroupTracingEvent,
// HasActiveActivityDump, LookupEventInProfiles, SyncTracedCgroups), so callers
// must not expect an effect from them when V2 is in use.
type ManagerV2 struct {
	// contains filtered or unexported fields
}

func NewManagerV2

func NewManagerV2(cfg *config.Config, statsdClient statsd.ClientInterface, resolvers *resolvers.EBPFResolvers, kernelVersion *kernel.Version, dumpHandler backend.ActivityDumpHandler, sendAnomalyDetection func(*model.Event), hostname string) (*ManagerV2, error)

func (*ManagerV2) DumpActivity

func (m *ManagerV2) DumpActivity(_ *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)

DumpActivity dumps the activity. NO-OP in V2: V2 doesn't support on-demand activity dumping through this API.

func (*ManagerV2) FillProfileContextFromWorkloadID

func (m *ManagerV2) FillProfileContextFromWorkloadID(id containerutils.WorkloadID, ctx *model.SecurityProfileContext, imageTag string)

FillProfileContextFromWorkloadID fills the given ctx with workload id infos

func (*ManagerV2) GenerateTranscoding

GenerateTranscoding generates a transcoding request for the given activity dump. NO-OP in V2: V2 doesn't support transcoding through this API.

func (*ManagerV2) GetNodesInProcessCache

func (m *ManagerV2) GetNodesInProcessCache(workloadID containerutils.WorkloadID, containersOnly bool) map[activity_tree.ImageProcessKey]bool

GetNodesInProcessCache returns a map with ImageProcessKey as key and bool as value for filepaths in the process cache

func (*ManagerV2) HandleCGroupTracingEvent

func (m *ManagerV2) HandleCGroupTracingEvent(_ *model.CgroupTracingEvent)

HandleCGroupTracingEvent handles a cgroup tracing event. NO-OP in V2: V2 doesn't use cgroup tracing events from kernel space. Profiles are built from activity dump samples instead.

func (*ManagerV2) HasActiveActivityDump

func (m *ManagerV2) HasActiveActivityDump(_ *model.Event) bool

HasActiveActivityDump always returns false in V2 (NO-OP). V2 doesn't use the traditional activity dump mechanism with kernel-space traced cgroups; it builds profiles directly from activity dump samples instead.

func (*ManagerV2) ListActivityDumps

ListActivityDumps lists the activity dumps. NO-OP in V2: V2 doesn't expose individual activity dumps through this API.

func (*ManagerV2) ListSecurityProfiles

func (m *ManagerV2) ListSecurityProfiles(params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error)

ListSecurityProfiles lists the security profiles for the ManagerV2

func (*ManagerV2) LookupEventInProfiles

func (m *ManagerV2) LookupEventInProfiles(_ *model.Event)

LookupEventInProfiles looks up the event in profiles. NO-OP in V2: event filtering is handled differently, through ProcessEvent, which builds profiles from activity dump samples. The profile lookup/filtering logic from V1 is not applicable to the V2 lifecycle.

func (*ManagerV2) ProcessEvent

func (m *ManagerV2) ProcessEvent(event *model.Event)

func (*ManagerV2) SaveSecurityProfile

func (m *ManagerV2) SaveSecurityProfile(params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error)

SaveSecurityProfile saves the requested security profile to disk for the ManagerV2

func (*ManagerV2) SendStats

func (m *ManagerV2) SendStats() error

func (*ManagerV2) Start

func (m *ManagerV2) Start(ctx context.Context)

func (*ManagerV2) StopActivityDump

StopActivityDump stops an active activity dump. NO-OP in V2: V2 doesn't manage activity dumps the traditional way.

func (*ManagerV2) SyncTracedCgroups

func (m *ManagerV2) SyncTracedCgroups()

SyncTracedCgroups recovers lost CGroup tracing events by going through the kernel space map of cgroups. NO-OP in V2: V2 doesn't manage kernel-space traced cgroups maps.

type ProfileManager

// ProfileManager is the interface for profile management operations. Both
// Manager (V1) and ManagerV2 implement it, but not every method is effective on
// both: ManagerV2 documents several of them as no-ops (marked below), so a
// caller that needs a real result must not rely on the interface alone.
type ProfileManager interface {
	// Start starts the profile manager
	Start(ctx context.Context)

	// ProcessEvent processes an event for activity dump / security profile
	ProcessEvent(event *model.Event)

	// SendStats sends metrics about the profile manager
	SendStats() error

	// SyncTracedCgroups recovers lost CGroup tracing events (no-op on ManagerV2)
	SyncTracedCgroups()

	// HandleCGroupTracingEvent handles a cgroup tracing event (no-op on ManagerV2)
	HandleCGroupTracingEvent(event *model.CgroupTracingEvent)

	// LookupEventInProfiles looks up an event in security profiles for filtering
	// (no-op on ManagerV2)
	LookupEventInProfiles(event *model.Event)

	// HasActiveActivityDump returns true if the given event has an active dump
	// (always false on ManagerV2)
	HasActiveActivityDump(event *model.Event) bool

	// FillProfileContextFromWorkloadID fills the security profile context from a workload ID
	FillProfileContextFromWorkloadID(id containerutils.WorkloadID, ctx *model.SecurityProfileContext, imageTag string)

	// ListSecurityProfiles returns the list of security profiles
	ListSecurityProfiles(params *api.SecurityProfileListParams) (*api.SecurityProfileListMessage, error)

	// SaveSecurityProfile saves the requested security profile to disk
	SaveSecurityProfile(params *api.SecurityProfileSaveParams) (*api.SecurityProfileSaveMessage, error)

	// GenerateTranscoding generates a transcoding request for the given activity dump
	// (no-op on ManagerV2)
	GenerateTranscoding(params *api.TranscodingRequestParams) (*api.TranscodingRequestMessage, error)

	// ListActivityDumps returns the list of active activity dumps (no-op on ManagerV2)
	ListActivityDumps(params *api.ActivityDumpListParams) (*api.ActivityDumpListMessage, error)

	// StopActivityDump stops an active activity dump if it exists (no-op on ManagerV2)
	StopActivityDump(params *api.ActivityDumpStopParams) (*api.ActivityDumpStopMessage, error)

	// DumpActivity handles an on-demand activity dump request (no-op on ManagerV2)
	DumpActivity(params *api.ActivityDumpParams) (*api.ActivityDumpMessage, error)
}

ProfileManager is the interface for profile management operations. Both Manager (V1) and ManagerV2 implement this interface, allowing the probe to use either implementation transparently. Note, however, that ManagerV2 documents several of these methods as no-ops (activity dump listing/stopping/dumping, transcoding, cgroup tracing, profile lookup), so code that depends on those operations having an effect must check which implementation is in use.

type SECLRuleOpts

// SECLRuleOpts defines the options GenerateRules uses when deriving SECL rules
// from activity dumps. The field meanings below are inferred from the names
// and should be confirmed against GenerateRules.
type SECLRuleOpts struct {
	// EnableKill presumably makes the generated rules carry a kill action.
	// Since the rules are derived from observed activity, review them before
	// enabling enforcement — TODO confirm.
	EnableKill bool
	// AllowList presumably generates allow-list style rules — TODO confirm.
	AllowList  bool
	// Lineage presumably adds process lineage constraints — TODO confirm.
	Lineage    bool
	// ImageName, ImageTag and Service presumably identify the workload the
	// generated rules are scoped to — TODO confirm.
	ImageName  string
	ImageTag   string
	Service    string
	// FIM presumably enables file-integrity-monitoring rules — TODO confirm.
	FIM        bool
}

SECLRuleOpts defines the options used by GenerateRules when deriving SECL rules from activity dumps.

type SeccompProfile

// SeccompProfile represents a seccomp profile. The yaml/json tags appear to
// mirror the field names of the OCI/Docker seccomp profile format
// (defaultAction, syscalls[].names/action). Instances built by
// GenerateSeccompProfile come from activity dumps, so they only describe the
// syscalls that were observed; the struct itself performs no validation.
type SeccompProfile struct {
	// DefaultAction is the action applied to syscalls not listed in Syscalls.
	DefaultAction string          `yaml:"defaultAction" json:"defaultAction"`
	// Syscalls lists the per-syscall policies.
	Syscalls      []SyscallPolicy `yaml:"syscalls" json:"syscalls"`
}

SeccompProfile represents a Seccomp profile

func GenerateSeccompProfile

func GenerateSeccompProfile(ads []*profile.Profile) *SeccompProfile

GenerateSeccompProfile returns a seccomp profile built from the given activity dumps. Because the profile is derived from observed activity, it only covers the syscalls seen during the dump window; review it for coverage (and for anything unwanted captured in the dump) before enforcing it on a workload.

type SyscallPolicy

// SyscallPolicy represents one policy entry in a seccomp profile: the action
// to apply to each of the named syscalls.
type SyscallPolicy struct {
	// Names lists the syscall names this policy applies to.
	Names  []string `yaml:"names" json:"names"`
	// Action is the seccomp action applied to those syscalls.
	Action string   `yaml:"action" json:"action"`
}

SyscallPolicy represents the policy in a seccomp profile

type WorkloadEvent

// WorkloadEvent represents an ordered workload event: the kind of event
// (resolved or deleted) and the workload it concerns.
type WorkloadEvent struct {
	// Type is the kind of workload event.
	Type     WorkloadEventType
	// Workload is the workload the event refers to.
	Workload *tags.Workload
}

WorkloadEvent represents an ordered workload event

type WorkloadEventType

// WorkloadEventType represents the type of workload event; see
// WorkloadEventResolved and WorkloadEventDeleted.
type WorkloadEventType int

WorkloadEventType represents the type of workload event

const (
	// WorkloadEventResolved indicates a workload selector was resolved.
	WorkloadEventResolved WorkloadEventType = iota
	// WorkloadEventDeleted indicates a workload was deleted.
	WorkloadEventDeleted
)

Directories

Path — Synopsis
activitytree — Package activitytree holds activitytree related files
  metadata — Package metadata holds metadata related files
dump — Package dump holds activity dump related files
profile — Package profile holds profile related files
storage — Package storage holds files related to storages for security profiles
  backend — Package backend holds files related to forwarder backends for security profiles
