diff options
| author | Paul Buetow <paul@buetow.org> | 2024-02-10 18:54:04 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-10 18:54:04 +0200 |
| commit | 465c686b125bd287db25efb26625c946ab6a4771 (patch) | |
| tree | 8d2456b605c37b583788ccb957444384feb19dc9 | |
| parent | 25d56de3712412bfb5b271ff9fbad7bf8d75288e (diff) | |
refactor
| -rw-r--r-- | main.bpf.c | 22 | ||||
| -rw-r--r-- | main.go | 6 |
2 files changed, 14 insertions, 14 deletions
@@ -8,7 +8,7 @@ // For now, this is set to my own user for development purposes. #define UID_FILTER 1001 -struct openat_event { +struct open_event { int fd; int syscall_id; u32 tid; @@ -20,15 +20,15 @@ struct { __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); __uint(key_size, sizeof(u32)); __uint(value_size, sizeof(u32)); -} events SEC(".maps"); +} open_event_map SEC(".maps"); // Map to temporarily store the filename from sys_enter_openat struct { __uint(type, BPF_MAP_TYPE_HASH); __uint(key_size, sizeof(u32)); - __uint(value_size, sizeof(struct openat_event)); + __uint(value_size, sizeof(struct open_event)); __uint(max_entries, 128); // Adjust size as needed -} temp_events SEC(".maps"); +} open_event_temp_map SEC(".maps"); SEC("tracepoint/syscalls/sys_enter_open") int handle_enter_open(struct trace_event_raw_sys_enter *ctx) { @@ -36,12 +36,12 @@ int handle_enter_open(struct trace_event_raw_sys_enter *ctx) { return 0; u32 tid = bpf_get_current_pid_tgid(); - struct openat_event event = { .syscall_id = ctx->id }; + struct open_event event = { .syscall_id = ctx->id }; bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]); bpf_get_current_comm(&event.comm, sizeof(event.comm)); event.tid = tid; - bpf_map_update_elem(&temp_events, &tid, &event, BPF_ANY); + bpf_map_update_elem(&open_event_temp_map, &tid, &event, BPF_ANY); return 0; } @@ -52,13 +52,13 @@ int handle_exit_open(struct trace_event_raw_sys_exit *args) { return 0; u32 tid = bpf_get_current_pid_tgid(); - struct openat_event *eventp = bpf_map_lookup_elem(&temp_events, &tid); + struct open_event *eventp = bpf_map_lookup_elem(&open_event_temp_map, &tid); if (!eventp) { return 0; } eventp->fd = args->ret; - bpf_perf_event_output(args, &events, BPF_F_CURRENT_CPU, eventp, sizeof(struct openat_event)); - bpf_map_delete_elem(&temp_events, &tid); + bpf_perf_event_output(args, &open_event_map, BPF_F_CURRENT_CPU, eventp, sizeof(struct open_event)); + bpf_map_delete_elem(&open_event_temp_map, &tid); return 0; } @@ -70,12 +70,12 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) { return 0; u32 tid = bpf_get_current_pid_tgid(); - struct openat_event event = { .syscall_id = ctx->id }; + struct open_event event = { .syscall_id = ctx->id }; bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]); bpf_get_current_comm(&event.comm, sizeof(event.comm)); event.tid = tid; - bpf_map_update_elem(&temp_events, &tid, &event, BPF_ANY); + bpf_map_update_elem(&open_event_temp_map, &tid, &event, BPF_ANY); return 0; } @@ -30,7 +30,7 @@ func (e openatEvent) String() string { } func resizeMap(module *bpf.Module, name string, size uint32) error { - m, err := module.GetMap("events") + m, err := module.GetMap("open_event_map") if err != nil { return err } @@ -53,7 +53,7 @@ func main() { } defer bpfModule.Close() - if err = resizeMap(bpfModule, "events", 8192); err != nil { + if err = resizeMap(bpfModule, "open_event_map", 8192); err != nil { log.Fatal(err) } @@ -68,7 +68,7 @@ func main() { eventsChannel := make(chan []byte) lostChannel := make(chan uint64) - pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1) + pb, err := bpfModule.InitPerfBuf("open_event_map", eventsChannel, lostChannel, 1) if err != nil { log.Fatal(err) } |