This repository was archived by the owner on Nov 19, 2021. It is now read-only.
Releases · criticalstack/swoll
v0.1.5
v0.1.4
In-kernel filtering has been reworked!
- Along with a cleaner userland API:

```go
// Build a filter bound to the probe's loaded BPF module.
filter := kernel.NewFilter(probe.Module())
// Add one rule: syscall mode, matching execve from a given pid namespace,
// with a sample rate of 10, and allow matching events through.
if err := filter.AddRule(
	kernel.NewFilterRuleN(
		kernel.FilterRuleSetModeSyscall(),
		kernel.FilterRuleSetSyscall("execve"),
		kernel.FilterRuleSetPidNamespace(4026531836),
		kernel.FilterRuleSetSampleRate(10),
		kernel.FilterRuleSetActionAllow())); err != nil {
	log.Fatal(err)
}
// Activate the filter in the kernel.
if err := filter.Enable(); err != nil {
	log.Fatal(err)
}
// Report the rules the filter currently has running.
fmt.Println(filter.GetRunning())
```

- The kernel filtering has been optimized, now with fewer branches!
Changelog
v0.1.3
- Moved the bindata-generated `Assets` API into the public (non-lib-internal) package for external use.
- `event.Trace->Argv` is now a `call.Function` instead of a naked `interface{}`.
- Added the `call.Function.Arguments()` accessor method.
- Moved the `cmd/loadBPFargs` helper function into `cmd/loader.go`.
- Removed `event.TraceEvent.WithTopology` (now covered by `WithContainerLookup`).
- `event.TraceEvent.WithContainerLookup` is now used as a callback for resolving pid-namespace->container info.
- Added `kernel.Probe.DetectAndSetOffsets()` helpers for auto-discovering the proper struct member offsets from the running kernel.
- `kernel.Probe.InitProbe()` now accepts optional configuration options:
  - `WithOffsetDetection()` - `struct task_struct` member offset detection
  - `WithDefaultFilter()` - sets up the default kernel filters for the BPF program
- Moved `hub.Hub` under the Topology API (`pkg/topology`).
- Moved `hub.Job` under the Topology API (`pkg/topology`).
- The Hub API no longer uses its own `hub.Observer`; it is derived from the `Observer` it was created with.
- A metric load of documentation additions along with some pretty verbose examples. Check them out here: https://github.com/criticalstack/swoll/tree/v0.1.3/examples

