sentinel-stack/sentinel-vmi/src/task_walker.c
Classes
| Type | Name |
|---|---|
| struct | privilege_baseline_entry |
Functions
| Type | Name |
|---|---|
| int | string_in_list(const char * value, const char *const * list) |
| int | parse_btf_member_line(const char * line, char * member, size_t member_sz, uint64_t * byte_offset) |
| int | try_load_offsets_from_btf(struct task_offsets * out) |
| const struct task_offsets * | select_offsets_profile(const char * kernel_version) |
| int | task_walker_set_offsets_profile(const char * kernel_version) |
| const char * | task_walker_get_offsets_profile(void ) |
| void | ensure_offsets_profile_selected(void ) |
| int | read_task_field(struct vmi_session * s, uint64_t task_gva, uint64_t offset, void * buf, size_t size) |
| int | read_tasks_next(struct vmi_session * s, uint64_t task_gva, uint64_t * next_task_gva) |
| int | snapshot_processes(struct vmi_session * s, struct vmi_process * out, int max_tasks) |
| int | pid_exists(const struct vmi_process * procs, int nr, uint32_t pid) |
| struct vmi_process * | find_process_by_pid(struct vmi_process * procs, int nr, uint32_t pid) |
| struct privilege_baseline_entry * | find_baseline(uint32_t pid) |
| struct privilege_baseline_entry * | alloc_baseline(uint32_t pid) |
| int | is_legitimate_priv_transition(const struct vmi_process * proc) |
| int | task_walker_read_process(struct vmi_session * s, uint64_t task_gva, struct vmi_process * out) |
| void | task_walker_dump(struct vmi_session * s) |
| int | task_walker_find_pid(struct vmi_session * s, uint32_t pid, uint64_t * task_addr) |
| int | task_walker_detect_privilege_escalation(struct vmi_session * s) |
| int | task_walker_detect_orphans(struct vmi_session * s) |
| int | task_walker_detect_fork_bomb(struct vmi_session * s, uint32_t threshold) |
| int | task_walker_detect_suspicious_ancestry(struct vmi_session * s) |
Attributes
| Type | Name |
|---|---|
| const struct task_offsets * | active_offsets |
| int | offsets_initialized |
| struct task_offsets | btf_offsets |
| int | btf_offsets_valid |
| struct privilege_baseline_entry[8192] | privilege_baseline |
| unsigned int | privilege_generation |
| const char *const[] | legitimate_transition_names |
| const char *const[] | web_tier_names |
| const char *const[] | shell_names |
Defines
| Name | |
|---|---|
| MAX_TASK_SNAPSHOT | |
| MAX_PRIV_BASELINE | |
| DEFAULT_FORK_BOMB_THRESHOLD | |
Functions Documentation

function string_in_list

static int string_in_list(const char *value, const char *const *list)

function parse_btf_member_line

static int parse_btf_member_line(const char *line, char *member, size_t member_sz, uint64_t *byte_offset)

function try_load_offsets_from_btf

static int try_load_offsets_from_btf(struct task_offsets *out)

function select_offsets_profile

static const struct task_offsets *select_offsets_profile(const char *kernel_version)

function task_walker_set_offsets_profile

int task_walker_set_offsets_profile(const char *kernel_version)

function task_walker_get_offsets_profile

const char *task_walker_get_offsets_profile(void)

function ensure_offsets_profile_selected

static void ensure_offsets_profile_selected(void)

function read_task_field

static int read_task_field(struct vmi_session *s, uint64_t task_gva, uint64_t offset, void *buf, size_t size)

function read_tasks_next

static int read_tasks_next(struct vmi_session *s, uint64_t task_gva, uint64_t *next_task_gva)

function snapshot_processes

static int snapshot_processes(struct vmi_session *s, struct vmi_process *out, int max_tasks)

function pid_exists

static int pid_exists(const struct vmi_process *procs, int nr, uint32_t pid)

function find_process_by_pid

static struct vmi_process *find_process_by_pid(struct vmi_process *procs, int nr, uint32_t pid)

function find_baseline

static struct privilege_baseline_entry *find_baseline(uint32_t pid)

function alloc_baseline

static struct privilege_baseline_entry *alloc_baseline(uint32_t pid)

function is_legitimate_priv_transition

static int is_legitimate_priv_transition(const struct vmi_process *proc)

function task_walker_read_process

int task_walker_read_process(struct vmi_session *s, uint64_t task_gva, struct vmi_process *out)

function task_walker_dump

void task_walker_dump(struct vmi_session *s)

function task_walker_find_pid

int task_walker_find_pid(struct vmi_session *s, uint32_t pid, uint64_t *task_addr)

function task_walker_detect_privilege_escalation

int task_walker_detect_privilege_escalation(struct vmi_session *s)

function task_walker_detect_orphans

int task_walker_detect_orphans(struct vmi_session *s)

function task_walker_detect_fork_bomb

int task_walker_detect_fork_bomb(struct vmi_session *s, uint32_t threshold)

function task_walker_detect_suspicious_ancestry

int task_walker_detect_suspicious_ancestry(struct vmi_session *s)

Attributes Documentation
variable active_offsets

const struct task_offsets *active_offsets = &OFFSETS_6_6;

variable offsets_initialized

static int offsets_initialized = 0;

variable btf_offsets

static struct task_offsets btf_offsets;

variable btf_offsets_valid

static int btf_offsets_valid = 0;

variable privilege_baseline

static struct privilege_baseline_entry privilege_baseline[8192];

variable privilege_generation

static unsigned int privilege_generation = 0;

variable legitimate_transition_names

static const char *const legitimate_transition_names[] = { "sudo", "su", "sshd", "login", "systemd", NULL, };

variable web_tier_names

static const char *const web_tier_names[] = { "nginx", "apache2", "httpd", "php-fpm", NULL, };

variable shell_names

static const char *const shell_names[] = { "sh", "bash", "dash", "zsh", NULL, };

Note: the three tables above are NULL-terminated lists of process names. A process name is chosen by the process itself rather than assigned by the kernel, so any allowlist keyed on it — presumably the check in is_legitimate_priv_transition — is a heuristic, not a trust boundary; confirm against the implementation.

Macros Documentation
define MAX_TASK_SNAPSHOT

#define MAX_TASK_SNAPSHOT 4096

define MAX_PRIV_BASELINE

#define MAX_PRIV_BASELINE 8192

define DEFAULT_FORK_BOMB_THRESHOLD

#define DEFAULT_FORK_BOMB_THRESHOLD 256

Updated on 2026-05-26 at 13:25:29 +0000