package kfeatures
import (
"fmt"
"strings"
)
// String renders every probe result held by sf as a multi-section plain-text
// report: kernel version, syscalls, program types, BTF, security subsystems,
// capabilities, filesystems, JIT settings, namespaces and, when present, CPU
// mitigation strings and parsed kernel config values.
//
// The report carries host posture detail (kernel version, held capabilities,
// hardening state), so it deserves the same handling as other diagnostic
// output when deciding where it is logged.
func (sf *SystemFeatures) String() string {
	// probe pairs an output label with the result printed under it.
	type probe struct {
		label  string
		result ProbeResult
	}

	var out strings.Builder

	// section emits the blank separator line, the section header, and then
	// one writeResult line per probe, in the order given.
	section := func(header string, probes ...probe) {
		out.WriteString("\n")
		out.WriteString(header)
		for _, p := range probes {
			writeResult(&out, p.label, p.result)
		}
	}

	fmt.Fprintf(&out, "Kernel: %s\n", sf.KernelVersion)

	section("Syscalls:\n",
		probe{" bpf()", sf.BPFSyscall},
		probe{" perf_event_open()", sf.PerfEventOpen},
	)

	section("Program Types:\n",
		probe{" LSM", sf.LSMProgramType},
		probe{" kprobe", sf.Kprobe},
		probe{" kprobe.multi", sf.KprobeMulti},
		probe{" tracepoint", sf.Tracepoint},
		probe{" fentry", sf.Fentry},
	)

	section("Core:\n",
		probe{" BTF", sf.BTF},
	)

	section("Security Subsystems:\n",
		probe{" BPF LSM enabled", sf.BPFLSMEnabled},
		probe{" IMA enabled", sf.IMAEnabled},
		probe{" IMA directory", sf.IMADirectory},
	)
	// The active-LSM list is omitted entirely when it is empty.
	if len(sf.ActiveLSMs) != 0 {
		fmt.Fprintf(&out, " Active LSMs: %s\n", strings.Join(sf.ActiveLSMs, ", "))
	}

	section("Capabilities:\n",
		probe{" CAP_BPF", sf.HasCapBPF},
		probe{" CAP_SYS_ADMIN", sf.HasCapSysAdmin},
		probe{" CAP_PERFMON", sf.HasCapPerfmon},
		probe{" Unprivileged BPF disabled", sf.UnprivilegedBPFDisabled},
		probe{" BPF stats enabled", sf.BPFStatsEnabled},
	)

	section("Filesystems:\n",
		probe{" tracefs", sf.TraceFS},
		probe{" debugfs", sf.DebugFS},
		probe{" securityfs", sf.SecurityFS},
		probe{" bpffs", sf.BPFFS},
	)

	section("JIT:\n",
		probe{" Enabled", sf.JITEnabled},
		probe{" Hardened", sf.JITHardened},
		probe{" Kallsyms", sf.JITKallsyms},
	)
	// A zero or negative limit is printed as "unknown" rather than as a number.
	if sf.JITLimit <= 0 {
		out.WriteString(" Memory limit: unknown\n")
	} else {
		fmt.Fprintf(&out, " Memory limit: %d bytes\n", sf.JITLimit)
	}

	section("Namespaces:\n",
		probe{" Initial user namespace", sf.InInitUserNS},
		probe{" Initial PID namespace", sf.InInitPIDNS},
	)
	out.WriteString("\n")

	// The mitigation section appears only if at least one Spectre string is
	// set; each variant is printed only when non-empty.
	v1, v2 := sf.SpectreV1, sf.SpectreV2
	if v1 != "" || v2 != "" {
		out.WriteString("CPU Mitigations:\n")
		if v1 != "" {
			fmt.Fprintf(&out, " Spectre v1: %s\n", v1)
		}
		if v2 != "" {
			fmt.Fprintf(&out, " Spectre v2: %s\n", v2)
		}
		out.WriteString("\n")
	}

	// Kernel config is optional; without it the report ends here.
	cfg := sf.KernelConfig
	if cfg == nil {
		return out.String()
	}

	out.WriteString("Kernel Config:\n")
	writeConfig(&out, " CONFIG_BPF_LSM", cfg.BPFLSM)
	writeConfig(&out, " CONFIG_IMA", cfg.IMA)
	writeConfig(&out, " CONFIG_DEBUG_INFO_BTF", cfg.BTF)
	// The KprobeMulti config value is reported under the CONFIG_FPROBE label.
	writeConfig(&out, " CONFIG_FPROBE", cfg.KprobeMulti)
	writeConfig(&out, " CONFIG_BPF_JIT_ALWAYS_ON", cfg.JITAlwaysOn)
	fmt.Fprintf(&out, " Preemption model: %s\n", cfg.Preempt)

	sleepable := "no"
	if cfg.Preempt.SupportsSleepable() {
		sleepable = "yes"
	}
	fmt.Fprintf(&out, " Sleepable BPF: %s\n", sleepable)

	return out.String()
}
// writeResult appends a single "name: yes" or "name: no" line for probe r to
// b, adding "(error: ...)" when the probe recorded an error.
//
// The yes/no verdict comes only from r.Supported, so a probe that errored
// with Supported left false is printed as "no" plus the error. Read such a
// line as "could not be determined", not as a confirmed negative; that
// matters most for hardening lines such as "Unprivileged BPF disabled".
func writeResult(b *strings.Builder, name string, r ProbeResult) {
	verdict := "no"
	if r.Supported {
		verdict = "yes"
	}

	if r.Error == nil {
		fmt.Fprintf(b, "%s: %s\n", name, verdict)
		return
	}
	fmt.Fprintf(b, "%s: %s (error: %v)\n", name, verdict, r.Error)
}
// writeConfig appends one "name: value" line to b, rendering the kernel
// config value v with the %s verb.
func writeConfig(b *strings.Builder, name string, v ConfigValue) {
	const layout = "%s: %s\n"
	fmt.Fprintf(b, layout, name, v)
}