This repository has been archived by the owner on Nov 19, 2021. It is now read-only.
Releases: criticalstack/swoll
v0.1.5
v0.1.4
In-kernel filtering has been reworked!
- Along with a cleaner userland API (fragment from the notes, wrapped so it compiles; the probe itself is assumed to have been set up already with kernel.Probe.InitProbe, and the import path is inferred from the repository layout):

```go
package example

import (
	"fmt"
	"log"
	"github.com/criticalstack/swoll/pkg/kernel" // import path assumed from the repo layout
)

// installExecveFilter expects a probe already initialized via kernel.Probe.InitProbe.
func installExecveFilter(probe *kernel.Probe) {
	filter := kernel.NewFilter(probe.Module())
	// One rule: mode syscall, execve only, pid namespace 4026531836, sample rate 10, action allow.
	if err := filter.AddRule(
		kernel.NewFilterRuleN(
			kernel.FilterRuleSetModeSyscall(),
			kernel.FilterRuleSetSyscall("execve"),
			kernel.FilterRuleSetPidNamespace(4026531836),
			kernel.FilterRuleSetSampleRate(10),
			kernel.FilterRuleSetActionAllow())); err != nil {
		log.Fatal(err)
	}
	// Push the rules into the kernel, then print the filter's running state.
	if err := filter.Enable(); err != nil {
		log.Fatal(err)
	}
	fmt.Println(filter.GetRunning())
}
```

- The kernel filtering has been optimized, now with fewer branches!
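The rule above keys on a syscall name and a pid namespace inode. The added example below (not swoll code; the matching and sampling semantics are this example's own model, and `Event`, `Rule` and `Filter` are names invented here) shows where the namespace value comes from and what a rule with a sample rate and an allow action does to an event stream. `4026531836` is the fixed inode of the initial (host) pid namespace, `PROC_PID_INIT_INO` in the kernel, which is why it appears as a literal in the notes; the inode of any other namespace is read from `/proc/<pid>/ns/pid`.

```go
package main

import (
	"fmt"
	"os"
	"strconv"
	"strings"
)

// pidNamespaceInode parses the link target of /proc/<pid>/ns/pid, which has
// the form "pid:[4026531836]", into the inode number that a pid-namespace
// rule is keyed on.
func pidNamespaceInode(link string) (uint64, error) {
	const prefix = "pid:["
	if !strings.HasPrefix(link, prefix) || !strings.HasSuffix(link, "]") {
		return 0, fmt.Errorf("unexpected ns link format %q", link)
	}
	return strconv.ParseUint(link[len(prefix):len(link)-1], 10, 64)
}

// currentPidNamespace returns the pid namespace inode of this process
// (Linux only; nothing else in this file needs /proc).
func currentPidNamespace() (uint64, error) {
	link, err := os.Readlink("/proc/self/ns/pid")
	if err != nil {
		return 0, err
	}
	return pidNamespaceInode(link)
}

// Event is the part of a syscall event a rule inspects.
type Event struct {
	Syscall string
	PidNS   uint64
}

// Rule carries the fields the release-note rule sets. The semantics below
// (first match wins, default deny, every-Nth sampling) are an assumption of
// this example, not a description of swoll's BPF program.
type Rule struct {
	Syscall    string // syscall name this rule is for
	PidNS      uint64 // pid namespace inode; 0 means any namespace
	SampleRate uint32 // 0 or 1 = pass every match; N = pass every Nth match
	Allow      bool   // action when the rule fires
	seen       uint32 // matches so far, drives sampling
}

// Filter is an ordered rule list with a default-deny fallback: an event that
// matches no rule is dropped and never reaches userland.
type Filter struct {
	Rules []*Rule
}

// Evaluate reports whether ev should be emitted. The first rule whose
// syscall and namespace match decides; with SampleRate 10 that rule passes
// the 1st, 11th, 21st ... matching event and drops the others.
func (f *Filter) Evaluate(ev Event) bool {
	for _, r := range f.Rules {
		if r.Syscall != ev.Syscall || (r.PidNS != 0 && r.PidNS != ev.PidNS) {
			continue
		}
		r.seen++
		if r.SampleRate > 1 && (r.seen-1)%r.SampleRate != 0 {
			return false // matched, but this occurrence is not a sampled one
		}
		return r.Allow
	}
	return false
}

func main() {
	ns, err := currentPidNamespace()
	if err != nil {
		ns = 4026531836 // not on Linux: fall back to the inode from the release note
	}
	f := &Filter{Rules: []*Rule{{Syscall: "execve", PidNS: ns, SampleRate: 10, Allow: true}}}

	// Constructed event stream: 25 execve calls in our namespace, then noise
	// the rule must not pass (another namespace, another syscall).
	passed := 0
	for i := 0; i < 25; i++ {
		if f.Evaluate(Event{Syscall: "execve", PidNS: ns}) {
			passed++
		}
	}
	fmt.Printf("execve in ns %d: %d of 25 passed\n", ns, passed)
	fmt.Println("execve, other ns:", f.Evaluate(Event{Syscall: "execve", PidNS: ns + 1}))
	fmt.Println("openat, same ns: ", f.Evaluate(Event{Syscall: "openat", PidNS: ns}))
}
```

The point of the sample-rate field is visible in the counts: execve in a busy namespace is noisy, and sampling keeps a representative slice in the kernel instead of shipping every event to userland and discarding it there.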
Changelog
v0.1.3
- Moved the bindata generated `Assets` api for public (non-lib-internal) use.
- `event.Trace->Argv` is now a `call.Function` instead of a naked `interface{}`.
- Added `call.Function.Arguments()` accessor method.
- Moved the `cmd/loadBPFargs` helper function into `cmd/loader.go`.
- Removed `event.TraceEvent.WithTopology` (now covered by `WithContainerLookup`).
- `event.TraceEvent.WithContainerLookup` is now used as a callback for resolving pid-namespace -> container info.
- Added `kernel.Probe.DetectAndSetOffsets()` helpers for auto-discovering the proper struct member offsets using the running kernel.
- `kernel.Probe.InitProbe()` now has optional configuration options:
  - `WithOffsetDetection()` - struct task_struct member offset detection
  - `WithDefaultFilter()` - sets up default kernel filters for the BPF
- Moved `hub.Hub` under the Topology API (pkg/topology).
- Moved `hub.Job` under the Topology API (pkg/topology).
- The Hub API no longer uses its own `hub.Observer`; this is derived from the `Observer` it was created with.
- A metric load of documentation additions along with some pretty verbose examples. Check them out here: https://github.com/criticalstack/swoll/tree/v0.1.3/examples
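The notes describe `WithContainerLookup` as a callback that resolves a pid namespace to container info but do not give its signature, so the added example below (not swoll code) shows the work such a callback typically does rather than the hook itself: scan `/proc` for a process in the namespace, read its cgroup file, and pull the container id out of the cgroup path. The 64-hex-id regex, the `ContainerInfo` type and the sample cgroup contents are this example's own assumptions and constructed data; the id heuristic covers Docker, containerd and CRI-O layouts and returns an empty id for host processes.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"path/filepath"
	"regexp"
	"strconv"
	"strings"
)

// ContainerInfo is the result of a pid-namespace lookup: a host-visible pid in
// that namespace and the container id from its cgroup path ("" if not in a container).
type ContainerInfo struct {
	PID uint32
	ID  string
}

// containerIDRe matches the 64-hex ids Docker, containerd and CRI-O put in
// cgroup paths (".../docker/<id>", ".../cri-containerd-<id>.scope").
var containerIDRe = regexp.MustCompile(`[0-9a-f]{64}`)

// containerIDFromCgroup extracts the container id from /proc/<pid>/cgroup
// contents. Lines are "hierarchy:controllers:path" (cgroup v1) or "0::path"
// (cgroup v2); only the path field is searched.
func containerIDFromCgroup(contents string) string {
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), ":", 3)
		if len(parts) != 3 {
			continue
		}
		if id := containerIDRe.FindString(parts[2]); id != "" {
			return id
		}
	}
	return ""
}

// nsInode turns a "pid:[4026531836]" style link target into the inode number.
func nsInode(link string) (uint64, bool) {
	i, j := strings.IndexByte(link, '['), strings.LastIndexByte(link, ']')
	if i < 0 || j <= i {
		return 0, false
	}
	n, err := strconv.ParseUint(link[i+1:j], 10, 64)
	return n, err == nil
}

// lookupByPidNamespace walks procRoot (normally "/proc") for a process whose
// pid namespace inode equals ns and resolves it to ContainerInfo. Entries that
// vanish or are unreadable mid-walk are skipped, since /proc changes under us.
func lookupByPidNamespace(procRoot string, ns uint64) (ContainerInfo, error) {
	entries, err := os.ReadDir(procRoot)
	if err != nil {
		return ContainerInfo{}, err
	}
	for _, e := range entries {
		pid, err := strconv.ParseUint(e.Name(), 10, 32)
		if err != nil {
			continue // not a process directory
		}
		link, err := os.Readlink(filepath.Join(procRoot, e.Name(), "ns", "pid"))
		if err != nil {
			continue
		}
		if got, ok := nsInode(link); !ok || got != ns {
			continue
		}
		cg, err := os.ReadFile(filepath.Join(procRoot, e.Name(), "cgroup"))
		if err != nil {
			continue
		}
		return ContainerInfo{PID: uint32(pid), ID: containerIDFromCgroup(string(cg))}, nil
	}
	return ContainerInfo{}, fmt.Errorf("no process found in pid namespace %d", ns)
}

// Constructed /proc/<pid>/cgroup contents for the offline demonstration.
const (
	sampleID       = "4d2a0c7e9b1f4d2a0c7e9b1f4d2a0c7e9b1f4d2a0c7e9b1f4d2a0c7e9b1f4d2a"
	sampleCgroupV1 = "12:pids:/docker/" + sampleID + "\n1:name=systemd:/docker/" + sampleID + "\n"
	sampleCgroupV2 = "0::/kubepods.slice/kubepods-pod1.slice/cri-containerd-" + sampleID + ".scope\n"
	sampleHost     = "0::/user.slice/user-1000.slice/session-3.scope\n"
)

func main() {
	fmt.Println("cgroup v1, docker    :", containerIDFromCgroup(sampleCgroupV1))
	fmt.Println("cgroup v2, containerd:", containerIDFromCgroup(sampleCgroupV2))
	fmt.Printf("host process         : %q\n", containerIDFromCgroup(sampleHost))
	// Live lookup of our own namespace (Linux only); ID is empty unless we run in a container.
	if link, err := os.Readlink("/proc/self/ns/pid"); err == nil {
		if ns, ok := nsInode(link); ok {
			info, err := lookupByPidNamespace("/proc", ns)
			fmt.Printf("self (ns %d): %+v %v\n", ns, info, err)
		}
	}
}
```

Because a namespace inode is only meaningful on the host that generated the event, a lookup like this has to run on the same host as the probe; results are worth caching per inode, since the `/proc` walk is linear in the number of processes and an event stream can ask for the same namespace thousands of times a second.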