file events: add creds info

elastic · Mar 1, 2024 · 52a87e3 · 52a87e3
1 parent 911d60c
commit 52a87e3
Show file tree

Hide file tree

Showing 8 changed files with 40 additions and 11 deletions.
diff --git a/bpf_bpfel_x86.o b/bpf_bpfel_x86.o
diff --git a/bpf_bpfel_x86.go → bpf_x86_bpfel.go b/bpf_bpfel_x86.go → bpf_x86_bpfel.go
diff --git a/bpf_x86_bpfel.o b/bpf_x86_bpfel.o
diff --git a/ebpf b/ebpf
diff --git a/event.go b/event.go
@@ -354,6 +354,7 @@ type FileInfo struct {
 
 type FileCreate struct {
 	Pids              PidInfo  `json:"pids"`
+	Creds             CredInfo `json:"creds"`
 	Finfo             FileInfo `json:"file_info"`
 	MountNs           uint32   `json:"mount_ns"`
 	Comm              string   `json:"comm"`
@@ -366,6 +367,10 @@ func (e *FileCreate) Unmarshal(r *bytes.Reader) error {
 		return fmt.Errorf("read pids: %v", err)
 	}
 
+	if err := binary.Read(r, endian.Native, &e.Creds); err != nil {
+		return fmt.Errorf("read creds: %v", err)
+	}
+
 	fi, err := readFileInfo(r)
 	if err != nil {
 		return fmt.Errorf("read file info: %v", err)
@@ -398,6 +403,7 @@ func (e *FileCreate) Unmarshal(r *bytes.Reader) error {
 
 type FileDelete struct {
 	Pids              PidInfo  `json:"pids"`
+	Creds             CredInfo `json:"creds"`
 	Finfo             FileInfo `json:"file_info"`
 	MountNs           uint32   `json:"mount_ns"`
 	Comm              string   `json:"comm"`
@@ -410,6 +416,10 @@ func (e *FileDelete) Unmarshal(r *bytes.Reader) error {
 		return fmt.Errorf("read pids: %v", err)
 	}
 
+	if err := binary.Read(r, endian.Native, &e.Creds); err != nil {
+		return fmt.Errorf("read creds: %v", err)
+	}
+
 	fi, err := readFileInfo(r)
 	if err != nil {
 		return fmt.Errorf("read file info: %v", err)
@@ -442,6 +452,7 @@ func (e *FileDelete) Unmarshal(r *bytes.Reader) error {
 
 type FileRename struct {
 	Pids              PidInfo  `json:"pids"`
+	Creds             CredInfo `json:"creds"`
 	Finfo             FileInfo `json:"file_info"`
 	MountNs           uint32   `json:"mount_ns"`
 	Comm              string   `json:"comm"`
@@ -455,6 +466,10 @@ func (e *FileRename) Unmarshal(r *bytes.Reader) error {
 		return fmt.Errorf("read pids: %v", err)
 	}
 
+	if err := binary.Read(r, endian.Native, &e.Creds); err != nil {
+		return fmt.Errorf("read creds: %v", err)
+	}
+
 	fi, err := readFileInfo(r)
 	if err != nil {
 		return fmt.Errorf("read file info: %v", err)
@@ -504,6 +519,7 @@ func (ft FileChangeType) MarshalJSON() ([]byte, error) {
 
 type FileModify struct {
 	Pids              PidInfo        `json:"pids"`
+	Creds             CredInfo       `json:"creds"`
 	Finfo             FileInfo       `json:"file_info"`
 	ChangeType        FileChangeType `json:"change_type"`
 	MountNs           uint32         `json:"mount_ns"`
@@ -517,6 +533,10 @@ func (e *FileModify) Unmarshal(r *bytes.Reader) error {
 		return fmt.Errorf("read pids: %v", err)
 	}
 
+	if err := binary.Read(r, endian.Native, &e.Creds); err != nil {
+		return fmt.Errorf("read creds: %v", err)
+	}
+
 	fi, err := readFileInfo(r)
 	if err != nil {
 		return fmt.Errorf("read file info: %v", err)

diff --git a/event_test.go b/event_test.go
@@ -237,6 +237,7 @@ func writeFileCreate(t *testing.T, w *bufio.Writer, ev ebpfevents.FileCreate) {
 	t.Helper()
 
 	assert.Nil(t, binary.Write(w, endian.Native, ev.Pids))
+	assert.Nil(t, binary.Write(w, endian.Native, ev.Creds))
 	writeFileInfo(t, w, ev.Finfo)
 	assert.Nil(t, binary.Write(w, endian.Native, ev.MountNs))
 	_, err := w.WriteString(ev.Comm)
@@ -271,6 +272,7 @@ func writeFileRename(t *testing.T, w *bufio.Writer, ev ebpfevents.FileRename) {
 	t.Helper()
 
 	assert.Nil(t, binary.Write(w, endian.Native, ev.Pids))
+	assert.Nil(t, binary.Write(w, endian.Native, ev.Creds))
 	writeFileInfo(t, w, ev.Finfo)
 	assert.Nil(t, binary.Write(w, endian.Native, ev.MountNs))
 	_, err := w.WriteString(ev.Comm)
@@ -306,6 +308,7 @@ func writeFileDelete(t *testing.T, w *bufio.Writer, ev ebpfevents.FileDelete) {
 	t.Helper()
 
 	assert.Nil(t, binary.Write(w, endian.Native, ev.Pids))
+	assert.Nil(t, binary.Write(w, endian.Native, ev.Creds))
 	writeFileInfo(t, w, ev.Finfo)
 	assert.Nil(t, binary.Write(w, endian.Native, ev.MountNs))
 	_, err := w.WriteString(ev.Comm)
@@ -340,6 +343,7 @@ func writeFileModify(t *testing.T, w *bufio.Writer, ev ebpfevents.FileModify) {
 	t.Helper()
 
 	assert.Nil(t, binary.Write(w, endian.Native, ev.Pids))
+	assert.Nil(t, binary.Write(w, endian.Native, ev.Creds))
 	writeFileInfo(t, w, ev.Finfo)
 	assert.Nil(t, binary.Write(w, endian.Native, ev.ChangeType))
 	assert.Nil(t, binary.Write(w, endian.Native, ev.MountNs))

diff --git a/go.mod b/go.mod
@@ -1,14 +1,14 @@
 module github.com/elastic/ebpfevents
 
-go 1.20
+go 1.21.0
 
 require (
-	github.com/cilium/ebpf v0.12.3
+	github.com/cilium/ebpf v0.13.2
 	github.com/elastic/go-licenser v0.4.1
 	github.com/go-faker/faker/v4 v4.2.0
 	github.com/stretchr/testify v1.6.1
 	go.elastic.co/go-licence-detector v0.6.0
-	golang.org/x/sys v0.14.1-0.20231108175955-e4099bfacb8c
+	golang.org/x/sys v0.15.0
 )
 
 require (

diff --git a/go.sum b/go.sum
@@ -1,35 +1,40 @@
-github.com/cilium/ebpf v0.12.3 h1:8ht6F9MquybnY97at+VDZb3eQQr8ev79RueWeVaEcG4=
-github.com/cilium/ebpf v0.12.3/go.mod h1:TctK1ivibvI3znr66ljgi4hqOT8EYQjz1KWBfb1UVgM=
+github.com/cilium/ebpf v0.13.2 h1:uhLimLX+jF9BTPPvoCUYh/mBeoONkjgaJ9w9fn0mRj4=
+github.com/cilium/ebpf v0.13.2/go.mod h1:DHp1WyrLeiBh19Cf/tfiSMhqheEiK8fXFZ4No0P1Hso=
 github.com/cyphar/filepath-securejoin v0.2.2 h1:jCwT2GTP+PY5nBz3c/YL5PAIbusElVrPujOBSCj8xRg=
 github.com/cyphar/filepath-securejoin v0.2.2/go.mod h1:FpkQEhXnPnOthhzymB7CGsFk2G9VLXONKD9G7QGMM+4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/elastic/go-licenser v0.4.1 h1:1xDURsc8pL5zYT9R29425J3vkHdt4RT5TNEMeRN48x4=
 github.com/elastic/go-licenser v0.4.1/go.mod h1:V56wHMpmdURfibNBggaSBfqgPxyT1Tldns1i87iTEvU=
-github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
 github.com/go-faker/faker/v4 v4.2.0 h1:dGebOupKwssrODV51E0zbMrv5e2gO9VWSLNC1WDCpWg=
 github.com/go-faker/faker/v4 v4.2.0/go.mod h1:F/bBy8GH9NxOxMInug5Gx4WYeG6fHJZ8Ol/dhcpRub4=
+github.com/go-quicktest/qt v1.101.0 h1:O1K29Txy5P2OK0dGo59b7b0LR6wKfIhttaAhHUyn7eI=
+github.com/go-quicktest/qt v1.101.0/go.mod h1:14Bz/f7NwaXPtdYEgzsx46kqSxVwTbzVZsDC26tQJow=
 github.com/gobuffalo/here v0.6.0 h1:hYrd0a6gDmWxBM4TnrGw8mQg24iSVoIkHEk7FodQcBI=
 github.com/gobuffalo/here v0.6.0/go.mod h1:wAG085dHOYqUpf+Ap+WOdrPTp5IYcDAs/x7PLa8Y5fM=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
 github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0 h1:OggOMmdI0JLwg1FkOKH9S7fVHF0oEm8PX6S8kAdpOps=
 github.com/google/licenseclassifier v0.0.0-20200402202327-879cb1424de0/go.mod h1:qsqn2hxC+vURpyBRygGUuinTO42MFRLcsmQ/P8v94+M=
 github.com/karrick/godirwalk v1.15.6 h1:Yf2mmR8TJy+8Fa0SuQVto5SYap6IF7lNVX4Jdl8G1qA=
 github.com/karrick/godirwalk v1.15.6/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/markbates/pkger v0.17.0 h1:RFfyBPufP2V6cddUyyEVSHBpaAnM1WzaMNyqomeT+iY=
 github.com/markbates/pkger v0.17.0/go.mod h1:0JoVlrol20BSywW79rN3kdFFsE5xYM+rSCQDXbLhiuI=
 github.com/pkg/errors v0.8.1 h1:iURUrRGxPUNPdy5/HRSm+Yj6okJ6UtLINN0Q9M4+h3I=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
+github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sergi/go-diff v1.1.0 h1:we8PVUC3FE2uYfodKH/nBHMSetSfHDR6scGdBi+erh0=
 github.com/sergi/go-diff v1.1.0/go.mod h1:STckp+ISIX8hZLjrqAeVduY0gWCT9IjLuqbuNXdaHfM=
@@ -65,8 +70,8 @@ golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210809222454-d867a43fc93e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20211102192858-4dd72447c267/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.14.1-0.20231108175955-e4099bfacb8c h1:3kC/TjQ+xzIblQv39bCOyRk8fbEeJcDHwbyxPUU2BpA=
-golang.org/x/sys v0.14.1-0.20231108175955-e4099bfacb8c/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
+golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
+golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+4 −0		GPL/Events/EbpfEventProto.h
+4 −0		GPL/Events/File/Probe.bpf.c
+3 −3		LICENSE.txt
+12 −0		non-GPL/Events/EventsTrace/EventsTrace.c