package main
import (
"github.com/spf13/viper"
)
// init registers a factory for the cgroup extras parser. The factory reads
// the "extras.cgroups.enabled" config key and returns a CgroupParser only
// when that key is true; otherwise it returns (nil, nil).
//
// NOTE(review): how RegisterExtraParser treats a (nil, nil) result is not
// visible in this file. Confirm it is handled as "parser disabled".
func init() {
	RegisterExtraParser(func(config *viper.Viper) (ExtraParser, error) {
		if !config.GetBool("extras.cgroups.enabled") {
			// Disabled in config: no parser and no error.
			return nil, nil
		}

		l.Printf("cgroup parser enabled")
		return &CgroupParser{}, nil
	})
}
// CgroupParser annotates audit messages with the cgroup root of the process
// named in the message. It holds no state.
type CgroupParser struct{}
// Parse looks up the cgroup root for the pid extracted from am.Data and, when
// one is found, stores it in am.Extras. Only message types 1300
// (AUDIT_SYSCALL), 1302 (AUDIT_PATH), 1309 (AUDIT_EXECVE) and 1326
// (AUDIT_SECCOMP) are considered; every other type is left untouched.
//
// NOTE(review): am.Extras is replaced wholesale, so anything already stored
// there is dropped. Confirm no other extras parser populates it before this
// one runs.
func (p *CgroupParser) Parse(am *AuditMessage) {
	switch am.Type {
	case 1300, 1302, 1309, 1326:
		// Handled below.
	default:
		return
	}

	// The second return value of getPid is discarded; its meaning is not
	// visible in this file.
	// NOTE(review): how getPid locates the pid inside am.Data is also not
	// visible here. Confirm it only matches the kernel-written pid field and
	// not text elsewhere in the record.
	pid, _ := getPid(am.Data)

	// An empty result means "no cgroup found" and leaves the message as is.
	if root := p.getCgroupRootForPid(pid); root != "" {
		am.Extras = &AuditExtras{CgroupRoot: root}
	}
}
// getCgroupRootForPid returns a cgroup path for pid, or "" when pid is 0,
// when taskControlGroups reports an error, or when no suitable entry exists.
//
// The first entry with ID 0 is treated as the cgroup v2 path and returned
// immediately. Otherwise the path of the last entry whose first controller
// is "pids" is returned as the cgroup v1 fallback.
//
// NOTE(review): taskControlGroups is defined elsewhere. If it reads live
// per-process state, the result describes the process at lookup time rather
// than at the time of the audited event. A process that has already exited
// yields "", and a reused pid could yield another process's cgroup. Treat
// the value as best-effort attribution.
func (p *CgroupParser) getCgroupRootForPid(pid int) string {
	if pid == 0 {
		return ""
	}

	// pid is passed for both arguments of taskControlGroups.
	entries, err := taskControlGroups(pid, pid)
	if err != nil {
		// Lookup failures are not surfaced; the caller just sees "no cgroup".
		return ""
	}

	fallback := ""
	for _, cg := range entries {
		if cg.ID == 0 {
			// v2 path
			return cg.Path
		}
		if len(cg.Controllers) > 0 && cg.Controllers[0] == "pids" {
			// Remember the cgroup v1 pids path in case no v2 entry exists.
			fallback = cg.Path
		}
	}
	return fallback
}