bpf/bpf_helper_defs.hlinguist-generated=true

bpf/bpf_helpers.hlinguist-generated=true

bpf/bpf_core_read.hlinguist-vendored

bpf/bpf_helper_defs.hlinguist-vendored

bpf/bpf_helpers.hlinguist-vendored

bpf/handler-bpfeb.olinguist-generated

bpf/handler-bpfel.olinguist-generated

bpf/vmlinux.hlinguist-vendored

Copyright (C)2021 Coder Technologies, Inc.

Copyright (C)2022 Coder Technologies, Inc.

This program is free software; you can redistribute it and/or modify

it under the terms of the GNU General Public License as published by

MIT License

Copyright (C)2021 Coder Technologies, Inc.

Copyright (C)2022 Coder Technologies, Inc.

Permission is hereby granted, free of charge, to any person obtaining a copy

of this software and associated documentation files (the "Software"), to deal

Simple[eBPF](https://ebpf.io/)-based exec snooping on Linux, packaged as a Go

Simple[eBPF](https://ebpf.io/)-based exec snooping on Linux packaged as a Go

library.

exectrace loads aprecompiled[eBPF program](./bpf/handler.c) into the running

exectrace loads apre-compiled[eBPF program](./bpf/handler.c) into the running

kernel to receive details about the`exec` family of syscalls.

exectrace onlysupport Go 1.16+ and Linux kernel 5.8+ (due to use of

exectrace onlysupports Go 1.16+ and Linux kernel 5.8+ (due to the use of

`BPF_MAP_TYPE_RINGBUF`).

$go get -u github.com/coder/exectrace

You will need root access,`CAP_SYS_ADMIN` or`CAP_BPF` to run eBPF programs on

You will need root access,`CAP_SYS_ADMIN` or`CAP_BPF`, to run eBPF programs on

your system.

$go install -ugithub.com/coder/exectrace/cmd/exectrace

$exectrace --help

$sudo exectrace

You can look at the example program[exectrace](./cmd/exectrace/main.go) for a

comprehensive program using this library.

exectrace exposes a minimal API surface. Call`exectrace.New(nil)` and then

you can start reading events from the returned`Tracer`.

It is important that you close the tracer to avoid leaking kernel resources,

so we recommend implementing a simple signal handler like the one in this

example:

package main

import (

)

funcmain() {

tracer,err:= exectrace.New(nil)

if err !=nil {

panic(err)

}

defer tracer.Close()

gofunc() {

sigs:=make(chan os.Signal,1)

signal.Notify(sigs, syscall.SIGINT, syscall.SIGTERM)

<-sigs

tracer.Close()

}()

for {

event,err:= tracer.Read()

if err !=nil {

panic(err)

}

fmt.Printf("%+v\n", event)

}

}

Since the eBPF program is packaged as a Go library, the program needs to be

compiled and included in the repo. If you make changes to files under the`bpf`

directory, you should run`make` and include the`.o` files in that directory in

your commit if they changed. CI will ensure that this is done correctly.

You willprobablyneed the following tools:

You will need the following:

- Docker (clang is run within a Docker container for reproducibility)

- Docker (the Makefile runs clang within a Docker container for reproducibility)

Since the eBPF program is packaged as a Go library, you need to compile the

program and include it in the repo.

If you change the files in the`bpf` directory, run`make` and ensure that you

include the`.o` files you changed in your commit (CI will verify that you've

done this correctly).

The library iscurrently under heavy development as we developitout to suit

the needs of Coder's enterprise[product](https://coder.com).

This library isready to use as-is, thoughitis under active development as we

modify it to suitthe needs of Coder's[enterprise product](https://coder.com).

We plan onchanging the API to addmore features and fields that can be read

from, and potentially addingeasier methods for filtering eventsrather than

implementingfiltering yourself.

We plan onaddingmore features and fields that can be read from the API, as

well aseasier-to-use methods for filtering events(currently, you must

implement additionalfiltering yourself).

-[`canonical/etrace`](https://github.com/canonical/etrace) - Go binary that

uses ptrace and tracks the processes that a command launches for debugging and

Dual licensed under the MIT and GPL-2.0 licenses. See[LICENSE](LICENSE).

Dual licensed under the MIT and GPL2.0 licenses. See[LICENSE](LICENSE).

u64uidgid=bpf_get_current_uid_gid();

u64pidtgid=bpf_get_current_pid_tgid();

event->uid=uidgid;// uid is the first 32 bits

event->gid=uidgid<<32;// gid is the last 32 bits NOLINT(readability-magic-numbers)

event->gid=uidgid>>32;// gid is the last 32 bits NOLINT(readability-magic-numbers)

event->pid=pidtgid;// pid is the first 32 bits

ret=bpf_get_current_comm(&event->comm,sizeof(event->comm));

if (ret) {

)

funcmain() {

}

_,_=fmt.Printf("[%v, comm=%q] %v%v\n",event.PID,event.Comm,shellquote.Join(event.Argv...),ellipsis)

_,_=fmt.Printf(

"[%v, comm=%q, uid=%v, gid=%v] %v%v\n",

event.PID,event.Comm,event.UID,event.GID,

shellquote.Join(event.Argv...),ellipsis,

)

}

err=enc.Encode(event)