| author | Paul Buetow <paul@buetow.org> | 2024-02-19 11:27:00 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-19 11:27:00 +0200 |
| commit | 954197aa34ebc59becd56f093d3690ab65f1d8a4 (patch) | |
| tree | b61af32f8aab1e99b06fb4144eec0682839bf3f0 | |
| parent | 72185eae0eefed8f6d5a899c10dfea1d41e57690 (diff) | |
restructure
| -rw-r--r-- | Makefile | 4 | ||||
| -rw-r--r-- | internal/c/Makefile | 4 | ||||
| -rw-r--r-- | internal/c/filter.c | 5 | ||||
| -rw-r--r-- | internal/c/ioriotng.bpf.c | 135 | ||||
| -rw-r--r-- | internal/c/tracepoints/close.c | 38 | ||||
| -rw-r--r-- | internal/c/tracepoints/open.c | 52 | ||||
| -rw-r--r-- | internal/c/tracepoints/write.c | 37 | ||||
| -rw-r--r-- | internal/tracepoints/syscalls.go | 11 |
8 files changed, 151 insertions, 135 deletions
@@ -11,8 +11,7 @@ build: bpfbuild gobuild
 .PHONY: bpfbuild
 bpfbuild:
- make -C ./internal/c
- if [ ! -e ioriotng.bpf.c ]; then ln -s ./internal/c/ioriotng.bpf.c .; fi
+ make -C ./internal/c redo
 if [ ! -e ioriotng.bpf.o ]; then ln -s ./internal/c/ioriotng.bpf.o .; fi
 .PHONY: gobuild
@@ -22,7 +21,6 @@ gobuild:
 .PHONY: clean
 clean:
 find . -type f -name ioriotng -delete
- if [ -e ioriotng.bpf.c ]; then rm ioriotng.bpf.c; fi
 if [ -e ioriotng.bpf.o ]; then rm ioriotng.bpf.o; fi
 make -C ./internal/c clean
diff --git a/internal/c/Makefile b/internal/c/Makefile
index 03181b8..81f2e4b 100644
--- a/internal/c/Makefile
+++ b/internal/c/Makefile
@@ -5,8 +5,8 @@ SOURCES := $(wildcard *.bpf.c)
 TARGETS := $(SOURCES:.bpf.c=.bpf.o)
 all: $(TARGETS)
- # Only required when linking multiple .o into a single .o (not doing that atm)
- # bpftool gen object ioriotng.bpf.o $(TARGETS)
+
+redo: clean all
 %.bpf.o: %.bpf.c vmlinux.h
 $(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 \
diff --git a/internal/c/filter.c b/internal/c/filter.c
new file mode 100644
index 0000000..a91eb84
--- /dev/null
+++ b/internal/c/filter.c
@@ -0,0 +1,5 @@
+//+build ignore
+
+static __always_inline int filter() {
+ return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
+}
diff --git a/internal/c/ioriotng.bpf.c b/internal/c/ioriotng.bpf.c
index 2247daa..a48c944 100644
--- a/internal/c/ioriotng.bpf.c
+++ b/internal/c/ioriotng.bpf.c
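Review bot: `redo: clean all` in the internal/c/Makefile hunk relies on make running its prerequisites in listed order, which `make -j` does not guarantee, so `clean` can delete objects `all` is producing; `.PHONY: redo` is also missing, so a stray file named `redo` would silence the target. A target whose recipe sequences the two explicitly, `redo:` followed by `$(MAKE) clean` and `$(MAKE) all` on recipe lines, plus `.PHONY: redo`, avoids both. The reason `redo` seems to be needed is that `%.bpf.o: %.bpf.c vmlinux.h` does not list the sources that ioriotng.bpf.c now `#include`s, so edits to filter.c or tracepoints/*.c never trigger a rebuild; changing the rule to `%.bpf.o: %.bpf.c vmlinux.h filter.c $(wildcard tracepoints/*.c)` would make incremental builds correct and make `redo` unnecessary for the top-level bpfbuild target.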
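Review bot: The sense of `filter()` in the new filter.c is the opposite of what its name suggests — it returns non-zero for events that must be dropped — and the file carries no comment saying so, which makes every `if (filter()) return 0;` in the tracepoint files read as "bail if the filter matches". A header comment such as `/* Returns non-zero when the calling process must NOT be traced: only the uid equal to UID_FILTER is kept (bpf_get_current_uid_gid() carries the uid in its low 32 bits). */` would fix that. Separately, `int filter()` is an old-style declaration with an unchecked argument list; `static __always_inline int filter(void)` is the modern spelling. `UID_FILTER` is not defined in this file and presumably comes from `flags.h`, which ioriotng.bpf.c includes before pulling filter.c in — worth stating in the same comment so the file is not included elsewhere without it.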
@@ -6,130 +6,15 @@
 #include "maps.h"
 #include "flags.h"
-static __always_inline int filter() {
- return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
-}
-
-SEC("tracepoint/syscalls/sys_enter_openat")
-int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_open")
-int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
- return handle_enter_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_exit_open")
-int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
- return handle_exit_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_enter_close")
-int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_close")
-int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_write")
-int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = WRITE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_write")
-int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = WRITE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
+/**
+ * Including .c files, as linking several .o files into one single .o file doesn't work
+ * with shared BPF state such as ring buffers, maps and globals so well. Other BPF projects
+ * come along with one huuuuughe .c file with all the BPF code in it. I am rather
+ * splitting the code up into several smaller files.
+ */
+#include "filter.c"
+#include "tracepoints/open.c"
+#include "tracepoints/close.c"
+#include "tracepoints/write.c"
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
diff --git a/internal/c/tracepoints/close.c b/internal/c/tracepoints/close.c
new file mode 100644
index 0000000..5e9504b
--- /dev/null
+++ b/internal/c/tracepoints/close.c
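Review bot: The new `#include` block at the end of the hunk is order-dependent — `filter.c` must come after `maps.h`/`flags.h` (it uses `UID_FILTER`, and the tracepoint files use `event_map`, both presumably defined in those headers) and before the three tracepoint files that call `filter()` — but the comment above it only explains why `.c` files are included, not that their order matters. A one-line addition such as `/* Order matters: filter.c first, then the tracepoint files that call filter(). */` would stop a later alphabetical re-sort of the includes from breaking the build. The included files each start with `//+build ignore`; a short note that this keeps the Go toolchain from treating them as cgo sources in the `internal/c` package directory would help readers who do not know the convention.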
@@ -0,0 +1,38 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c
new file mode 100644
index 0000000..b405c0e
--- /dev/null
+++ b/internal/c/tracepoints/open.c
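Review bot: `handle_exit_close` is attached to `tracepoint/syscalls/sys_exit_close` but is declared with `struct trace_event_raw_sys_enter *ctx`; the exit tracepoint's record is `trace_event_raw_sys_exit`, which `handle_exit_openat` in open.c already uses. Nothing dereferences `ctx` in this handler, so it is harmless today, but it misdocuments the context and blocks the obvious `ev->fd = ctx->ret` extension; `int handle_exit_close(struct trace_event_raw_sys_exit *ctx) {` is the correct signature. `handle_exit_write` in tracepoints/write.c has the same mismatch. Neither exit handler records the syscall's return value, so user space cannot tell a failed close or write from a successful one — if that matters for the trace, an `fd_event`-style event carrying `ctx->ret` would be needed rather than `null_event`.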
@@ -0,0 +1,52 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ return handle_enter_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
+ return handle_exit_openat(ctx);
+}
+
diff --git a/internal/c/tracepoints/write.c b/internal/c/tracepoints/write.c
new file mode 100644
index 0000000..262cb48
--- /dev/null
+++ b/internal/c/tracepoints/write.c
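Review bot: `handle_enter_open` forwards its context to `handle_enter_openat`, which reads the path from `ctx->args[1]`; for open(2) the path is `args[0]` and `args[1]` is `flags`, so every open() event hands `bpf_probe_read_user_str` a bogus user pointer, the read fails (its return value is not checked anywhere in the file) and the preceding memset leaves `filename` empty. The fix is to lift the event-building body into a helper that takes the path pointer and let each entry handler pass its own argument slot, as below; the same `OPENAT_ENTER_OP_ID` is still emitted for both, which user space should know about. The `__builtin_memset` that spans `filename` and `comm` with one length assumes the two members are adjacent without padding in `struct openat_enter_event`, which is not visible here — a comment stating that assumption, or two separate memsets, would make it safe against a later struct change.
```c
/* Shared body for open(2) and openat(2); `filename` is the user-space path pointer. */
static __always_inline int emit_open_enter(const void *filename) {
    /* … unchanged: filter(), bpf_ringbuf_reserve(), op_id/pid_tgid/time, memset … */
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), filename);
    /* … unchanged: bpf_get_current_comm(), bpf_ringbuf_submit(), return 0 … */
}

SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
    /* openat(dirfd, pathname, flags, mode): pathname is args[1]. */
    return emit_open_enter((const void *)ctx->args[1]);
}

SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
    /* open(pathname, flags, mode): pathname is args[0], not args[1]. */
    return emit_open_enter((const void *)ctx->args[0]);
}
```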
@@ -0,0 +1,37 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
diff --git a/internal/tracepoints/syscalls.go b/internal/tracepoints/syscalls.go
index c5bdabf..ccc4f58 100644
--- a/internal/tracepoints/syscalls.go
+++ b/internal/tracepoints/syscalls.go
@@ -27,20 +27,21 @@ func filterLines(lines []string) ([]string, error) {
 }
 // Filter out all used syscall tracepoints from *.bpf.c
-func usedSyscalls() ([]string, error) {
+func tracedSyscalls() ([]string, error) {
 var syscalls []string
+ const syscallDir = "internal/c/tracepoints"
- files, err := os.ReadDir(".")
+ files, err := os.ReadDir(syscallDir)
 if err != nil {
 return syscalls, err
 }
 for _, file := range files {
 fileName := file.Name()
- if !strings.HasSuffix(fileName, ".bpf.c") {
+ if !strings.HasSuffix(fileName, ".c") {
 continue
 }
- content, err := os.ReadFile(fileName)
+ content, err := os.ReadFile(fmt.Sprintf("%s/%s", syscallDir, fileName))
 if err != nil {
 return syscalls, err
 }
@@ -55,7 +56,7 @@ func usedSyscalls() ([]string, error) {
 }
 func AttachSyscalls(bpfModule *bpf.Module) error {
- syscalls, err := usedSyscalls()
+ syscalls, err := tracedSyscalls()
 if err != nil {
 return err
 }
|
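Review bot: The comment above the renamed function still says `// Filter out all used syscall tracepoints from *.bpf.c`, but `tracedSyscalls` now scans `internal/c/tracepoints/*.c`; it should read `// Collect the syscall tracepoints defined in internal/c/tracepoints/*.c`. The file path is built with `fmt.Sprintf("%s/%s", syscallDir, fileName)`; `filepath.Join(syscallDir, fileName)` is the idiomatic, separator-safe form (the function body continues outside the hunk, so whether `fmt` or `path/filepath` is already imported cannot be seen here). Because `syscallDir` is a relative path, `AttachSyscalls` only works when the binary is started from the repository root — the previous `"."` had the same constraint, but a comment on the constant saying so would save the next person a confusing not-found error at attach time.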
