feat: add object to describe eBPF program

secDre4mer · secDre4mer · commit a55f96fe720d · 2025-11-10T11:05:56.000+01:00
diff --git a/thorlog/v3/ebpf.go b/thorlog/v3/ebpf.go
@@ -0,0 +1,84 @@
+package thorlog
+
+import (
+	"time"
+)
+
+// EbpfProgram describes an eBPF program attached to a specific endpoint in the kernel.
+//
+// To use eBPF nomenclature: This struct describes an eBPF link and its corresponding program.
+//
+// eBPF programs can be attached to a wide range of things; the LinkType contains what sort of object
+// the program is attached to, and AttachedTo contains what specific object it is attached to.
+//
+// EbpfProgram has an attached content that contains the (kernel translated) instructions,
+// provided that the kernel does not hide them due to the kernel.kptr_restrict sysctl.
+type EbpfProgram struct {
+	LogObjectHeader
+
+	// Tag is a hash calculated from the program instructions
+	// TODO: discuss: Should this be something like "bytecode_checksum"? It's possibly more understandable for users; on the other hand, "tag" is the kernel name for this.
+	Tag string `textlog:"tag" json:"tag"`
+	// User that loaded the EBPF program
+	User string `textlog:"user" json:"user"`
+	// Program name
+	Name string `textlog:"name" json:"name"`
+	// Size of the loaded program.
+	//
+	// This relates to instructions that have already been rewritten by the kernel;
+	// as such, it does not have to be the exact size of the instructions that were passed
+	// when the program was loaded.
+	Size uint64 `textlog:"size" json:"size"`
+	// Maps used by this program
+	Maps []string `json:"maps"`
+	// Functions declared by this program
+	Functions []string `json:"functions"`
+	// Timestamp when this program was loaded
+	LoadTime time.Time `textlog:"load_time" json:"load_time"`
+	// RAM locked by this EBPF program
+	MemoryLocked uint64 `json:"memory_locked"`
+	// Attached to what sort of object (kprobe, syscall, tracepoint, ...)
+	LinkType string `textlog:"link_type" json:"link_type"`
+	// EBPF program type, whether this is a program for packet inspection / kprobe / tracepoint / ...
+	ProgramType string `json:"program_type"`
+	// Attached to which object
+	AttachedTo AttachTarget `textlog:",expand" json:"attached_to"`
+	// Content contains extracts from the kernel translated instructions that are
+	// relevant for matches on this program.
+	Content *SparseData `json:"content,omitempty"`
+}
+
+// AttachTarget describes the target that a BPF program is attached to.
+// This is highly dependent on EbpfProgram.LinkType.
+type AttachTarget struct {
+	// uprobe / tracepoint / cgroup specific; the path of the hooked ELF / tracepoint / cgroup
+	Path string `textlog:"path,omitempty" json:"path,omitempty"`
+	// uprobe specific; the PID of the hooked process, or nothing if the probe is for all processes
+	Pid uint32 `textlog:"pid,omitempty" json:"pid,omitempty"`
+	// uprobe / kprobe specific; the symbols that are hooked
+	Symbols StringList `textlog:"symbol,omitempty" json:"symbols,omitempty"`
+	// netkit / TCX / XDP specific; Network interface that the eBPF is attached to
+	Interface string `textlog:"interface,omitempty" json:"interface,omitempty"`
+	// netns / tracing / perf event specific; ID of the object attached to
+	ObjectId int64 `textlog:"object_id,omitempty" json:"object_id,omitempty"`
+	// netfilter specific; Protocol family (IPv4 or IPv6)
+	Protocol string `textlog:"protocol,omitempty" json:"protocol,omitempty"`
+	// netfilter specific; Hook (prerouting, postrouting, forward, local in, or local out)
+	Hook string `textlog:"hook,omitempty" json:"hook,omitempty"`
+	// netfilter specific; Priority (lower is executed earlier)
+	Priority int `textlog:"priority,omitempty" json:"priority,omitempty"`
+}
+
+func (EbpfProgram) reportable() {}
+
+const typeEbpfProgram = "eBPF program"
+
+func init() { AddLogObjectType(typeEbpfProgram, &EbpfProgram{}) }
+
+func NewEbpfProgram() *EbpfProgram {
+	return &EbpfProgram{
+		LogObjectHeader: LogObjectHeader{
+			Type: typeEbpfProgram,
+		},
+	}
+}
