/*
Copyright (C) 2021 The Falco Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package sdk
// Return codes for the plugin API. Functions that return or update an rc
// (e.g. plugin_init, plugin_open) should return one of these values.
//
// The values are not contiguous: 2 is not assigned in this list and
// SSPluginTimeout is negative. Compare results against the named
// constants rather than relying on sign or ordering.
const (
	SSPluginSuccess         int32 = 0
	SSPluginFailure         int32 = 1
	SSPluginTimeout         int32 = -1
	SSPluginIllegalInput    int32 = 3
	SSPluginNotFound        int32 = 4
	SSPluginInputTooSmall   int32 = 5
	SSPluginEOF             int32 = 6
	SSPluginUnexpectedBlock int32 = 7
	SSPluginVersionMismatch int32 = 8
	SSPluginNotSupported    int32 = 9
)
// Plugin kinds. plugin_get_type() should return one of these values.
const (
	TypeSourcePlugin    uint32 = 1
	TypeExtractorPlugin uint32 = 2
)
// Limits on the event data a plugin hands back.
const (
	// MaxEvtSize is the largest data payload that should be allocated and
	// returned by a call to plugin_next/plugin_next_batch(). It is a
	// convention only: nothing in this file enforces it, so code that
	// copies or parses event payloads should check lengths itself.
	//
	// NOTE(review): 65635 is not 2^16-1 (65535). Confirm which value the
	// consumer of these buffers expects before relying on this bound.
	MaxEvtSize uint32 = 65635

	// MaxNextBatchEvents is the maximum number of events returned from one
	// call to plugin_next_batch when the wrapper function NextBatch() is
	// used.
	MaxNextBatchEvents = 512
)
// Field type identifiers: the full set of values that might someday be
// returned in the ftype member of ss_plugin_extract_field structs. For
// now, only ParamTypeUint64 and ParamTypeCharBuf are used.
//
// The widths and termination rules in the per-constant comments describe
// the expected encoding of each type; nothing in this file enforces them.
//
// NOTE(review): ParamTypeUintT8 and ParamTypeSigYype look like
// misspellings (presumably "Uint8" and "SigType"). They are left as-is
// because renaming exported constants would break importers.
const (
	ParamTypeNone             uint32 = 0
	ParamTypeInt8             uint32 = 1
	ParamTypeInt16            uint32 = 2
	ParamTypeInt32            uint32 = 3
	ParamTypeInt64            uint32 = 4
	ParamTypeUintT8           uint32 = 5
	ParamTypeUint16           uint32 = 6
	ParamTypeUint32           uint32 = 7
	ParamTypeUint64           uint32 = 8
	ParamTypeCharBuf          uint32 = 9  // Printable byte buffer, NULL terminated.
	ParamTypeByteBuf          uint32 = 10 // Raw byte buffer, not suitable for printing.
	ParamTypeErrno            uint32 = 11 // An INT64 that is interpreted as an error code.
	ParamTypeSockaddr         uint32 = 12 // A sockaddr structure: 1-byte family + data.
	ParamTypeSocktuple        uint32 = 13 // A sockaddr tuple: 1-byte family + 12-byte data + 12-byte data.
	ParamTypeFd               uint32 = 14 // A file descriptor, 64 bit.
	ParamTypePid              uint32 = 15 // A pid/tid, 64 bit.
	ParamTypeFdlist           uint32 = 16 // A list of fds: 16-bit count + count * (64-bit fd + 16-bit flags).
	ParamTypeFspath           uint32 = 17 // A relative or absolute file system path string, null terminated.
	ParamTypeSyscallId        uint32 = 18 // A 16-bit system call ID; usable as a key for the g_syscall_info_table table.
	ParamTypeSigYype          uint32 = 19 // An 8-bit signal number.
	ParamTypeRelTime          uint32 = 20 // A relative time: seconds * 10^9 + nanoseconds. 64 bit.
	ParamTypeAbsTime          uint32 = 21 // An absolute time interval: seconds from epoch * 10^9 + nanoseconds. 64 bit.
	ParamTypePort             uint32 = 22 // A TCP/UDP port. 2 bytes.
	ParamTypeL4Proto          uint32 = 23 // A 1-byte IP protocol type.
	ParamTypeSockfamily       uint32 = 24 // A 1-byte socket family.
	ParamTypeBool             uint32 = 25 // A boolean value, 4 bytes.
	ParamTypeIpv4Addr         uint32 = 26 // A 4-byte raw IPv4 address.
	ParamTypeDyn              uint32 = 27 // Type varies with context; used for filter fields like evt.rawarg.
	ParamTypeFlags8           uint32 = 28 // A UINT8 that is interpreted as 8-bit flags.
	ParamTypeFlags16          uint32 = 29 // A UINT16 that is interpreted as 16-bit flags.
	ParamTypeFlags32          uint32 = 30 // A UINT32 that is interpreted as 32-bit flags.
	ParamTypeUid              uint32 = 31 // A UINT32; MAX_UINT32 is interpreted as no value.
	ParamTypeGid              uint32 = 32 // A UINT32; MAX_UINT32 is interpreted as no value.
	ParamTypeDouble           uint32 = 33 // A double-precision floating point number.
	ParamTypeSigSet           uint32 = 34 // sigset_t; only the lower UINT32 of it is stored.
	ParamTypeCharBufArray     uint32 = 35 // Pointer to an array of strings, exported by the user events decoder. 64 bit. Internal use only.
	ParamTypeCharBufPairArray uint32 = 36 // Pointer to an array of string pairs, exported by the user events decoder. 64 bit. Internal use only.
	ParamTypeIpv4Net          uint32 = 37 // An IPv4 network.
	ParamTypeIpv6Addr         uint32 = 38 // A 16-byte raw IPv6 address.
	ParamTypeIpv6Net          uint32 = 39 // An IPv6 network.
	ParamTypeIpAddr           uint32 = 40 // An IPv4 or IPv6 address; the length indicates which.
	ParamTypeIpNet            uint32 = 41 // An IPv4 or IPv6 network; the length indicates which.
	ParamTypeMode             uint32 = 42 // A 32-bit bitmask representing file modes.
	ParamTypeFsRelPath        uint32 = 43 // A path relative to a dirfd.
	ParamTypeMax              uint32 = 44 // Array size.
)
// PluginEvent represents a single plugin event using Go types. The
// wrapper functions in the wrappers sub-package use it to simplify the
// implementation of functions like plugin_next/plugin_next_batch.
type PluginEvent struct {
	// Evtnum is the event number.
	Evtnum uint64

	// Data is the event's byte payload.
	// NOTE(review): presumably this is the payload that MaxEvtSize is
	// meant to bound; the struct does not enforce any limit, so verify
	// where the length is checked.
	Data []byte

	// Timestamp is the event time; the unit is not stated in this file.
	Timestamp uint64
}
// FieldEntry describes one field that an extractor plugin can expose.
// Use it when implementing plugin_get_fields(). Each member is
// serialised under the JSON key given in its struct tag.
type FieldEntry struct {
	Type        string `json:"type"`
	Name        string `json:"name"`
	ArgRequired bool   `json:"argRequired"`
	Display     string `json:"display"`
	Desc        string `json:"desc"`
	Properties  string `json:"properties"`
}