filter/global.go


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140

package main

import (
	"encoding/json"
	"fmt"
	"time"
)

type Exec struct {
	Timestamp time.Time `bson:"timestamp" json:"timestamp"`
	ExecArgs  []string  `bson:"execArgs" json:"execArgs"`
}

type Process struct {
	Star           bool      `bson:"star" json:"star"`
	StartTimestamp time.Time `bson:"start_timestamp" json:"start_timestamp"`
	Ppid           int       `bson:"ppid" json:"ppid"`
	ParentTgid     int       `bson:"parentTgid" json:"parentTgid"`
	Pid            int       `bson:"pid" json:"pid"`
	Tgid           int       `bson:"tgid" json:"tgid"`
	Args           []string  `bson:"args" json:"args"`
	Comm           string    `bson:"comm" json:"comm"`
	RootFS         string    `bson:"rootfs" json:"rootfs"`
	Cwd            string    `bson:"cwd" json:"cwd"`
	Children       []int     `bson:"children" json:"children"`
	DockerId       string    `bson:"docker_id" json:"docker_id"`
	Execve         []Exec    `bson:"execve" json:"execve"`
	ExitCode       int       `bson:"exit_code" json:"exit_code"`
	ExitSignal     int       `bson:"exit_signal" json:"exit_signal"`
	ExitTimestamp  time.Time `bson:"exit_timestamp" json:"exit_timestamp"`
}

type tgidNode struct {
	Tgid      int         `bson:"tgid" json:"tgid"`
	FindPid   map[int]int `bson:"findPid" json:"findPid"`
	Threads   []Process   `bson:"threads" json:"threads"`
	ChildTgid []int       `bson:"child_tgid" json:"child_tgid"`
}

func (p Process) String() string {
	var res string
	res = "---------------------\n"
	res += fmt.Sprintf("timestamp\t%v\n", p.StartTimestamp)
	res += fmt.Sprintf("ppid\t%d\nparentTgid\t%d\n", p.Ppid, p.ParentTgid)
	res += fmt.Sprintf("pid\t%d\ntgid\t%d\nargs: ", p.Pid, p.Tgid)
	for i := 0; i < len(p.Args); i++ {
		res += fmt.Sprintf("%s ", p.Args[i])
	}
	res += fmt.Sprintf("\ncomm\t%s\ncwd\t%s\nrootfs\t%s\ndocker_id\t%s\n", p.Comm, p.Cwd, p.RootFS, p.DockerId)
	if len(p.Execve) != 0 {
		res += "exec:\n"
		for i := 0; i < len(p.Execve); i++ {
			res += fmt.Sprintf("\ttimestamp: %v\n\texecArgs:\t", p.Execve[i].Timestamp)
			for j := 0; j < len(p.Execve[i].ExecArgs); j++ {
				res += fmt.Sprintf("%s ", p.Execve[i].ExecArgs[j])
			}
			res += "\n"
		}
	}
	res += "children: "
	for i := 0; i < len(p.Children); i++ {
		res += fmt.Sprintf("%d ", p.Children[i])
	}
	res += "\n"
	res += fmt.Sprintf("exit_timestamp:\t%v\nexit_code:\t%d\nexit_signal:\t%d\n", p.ExitTimestamp, p.ExitCode, p.ExitSignal)
	return res
}

func (node tgidNode) String() string {
	var res string
	res += fmt.Sprintf("==============================\ntgid: %6d, size: %6d, children: ", node.Tgid, len(node.Threads))
	for _, child := range node.ChildTgid {
		res += fmt.Sprintf("%7d", child)
	}
	res += "\n"
	for _, process := range node.Threads {
		res += fmt.Sprintf("%v\n", process)
	}
	res += "\n"
	return res
}

type File struct {
	OpenTimestamp  time.Time   `bson:"timestamp" json:"timestamp"`
	FileName       string      `bson:"fileName" json:"fileName"`
	Pid            int         `bson:"pid" json:"pid"`
	Fd             int         `bson:"fd" json:"fd"`
	Flags          [4]uint64   `bson:"flags" json:"flags"`
	Written        []time.Time `bson:"written" json:"written"`
	CloseTimestamp time.Time   `bson:"close_timestamp" json:"close_timestamp"`
}

func (f File) MarshalJSON() ([]byte, error) {
	type Alias File // 使用别名避免递归调用

	return json.Marshal(&struct {
		Alias
		Flags0 string `json:"FileNamePointer"`
		Flags1 string `json:"FileFlags"`
	}{
		Alias:  Alias(f),
		Flags0: fmt.Sprintf("%#012x", f.Flags[0]), // flags[0] 转换为小写16进制
		Flags1: parseFlags(f.Flags[1]),            // flags[1] 解析为字符串
	})
}

// Queue 定义一个队列结构体
type Queue struct {
	items []interface{}
}

// NewQueue 创建一个新的队列
func NewQueue() *Queue {
	return &Queue{items: make([]interface{}, 0)}
}

// Enqueue 向队列中添加一个元素
func (q *Queue) Enqueue(item interface{}) {
	q.items = append(q.items, item)
}

// Dequeue 从队列中移除并返回队列前面的元素
func (q *Queue) Dequeue() (interface{}, bool) {
	if len(q.items) == 0 {
		return nil, false
	}
	item := q.items[0]
	q.items = q.items[1:]
	return item, true
}

// Size 返回队列中的元素数量
func (q *Queue) Size() int {
	return len(q.items)
}

// IsEmpty 检查队列是否为空
func (q *Queue) IsEmpty() bool {
	return len(q.items) == 0
}