| author | Paul Buetow <paul@buetow.org> | 2024-02-23 00:32:08 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-23 00:34:57 +0200 |
| commit | aa3b3a508cd9ca6717245376bc01b1a89bfbef91 (patch) | |
| tree | 79fcf4018e69acc3614801510e3df64cdd63fbd5 | |
| parent | 1621b01ae9a47ab27c5b83237d37595695d32cbb (diff) | |
various things
| -rw-r--r-- | internal/c/filter.c | 2 | ||||
| -rw-r--r-- | internal/c/flags.h | 2 | ||||
| -rw-r--r-- | internal/c/types.h | 4 | ||||
| -rw-r--r-- | internal/eventloop.go | 71 | ||||
| -rw-r--r-- | internal/flags/flags.go | 10 | ||||
| -rw-r--r-- | internal/generated/types/types.go | 6 |
6 files changed, 68 insertions, 27 deletions
diff --git a/internal/c/filter.c b/internal/c/filter.c
index f30611a..ca8374a 100644
--- a/internal/c/filter.c
+++ b/internal/c/filter.c
@@ -11,10 +11,8 @@ static __always_inline int filter(__u32 *pid, __u32 *tid) {
 if (*pid == PID_FILTER)
 return ACCEPT;
- /*
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) == UID_FILTER)
 return 0;
- */
 return FILTER;
 }
diff --git a/internal/c/flags.h b/internal/c/flags.h
index eb7ec83..c123fa4 100644
--- a/internal/c/flags.h
+++ b/internal/c/flags.h
@@ -1,4 +1,4 @@
 //+build ignore
-// const volatile u32 UID_FILTER = -1;
+const volatile u32 UID_FILTER = -1;
 const volatile u32 PID_FILTER = -1;
diff --git a/internal/c/types.h b/internal/c/types.h
index 509610e..a2d3b4b 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -33,9 +33,9 @@ struct fd_event {
 struct open_enter_event {
 __u32 op_id;
+ char filename[MAX_FILENAME_LENGTH];
+ char comm[MAX_PROGNAME_LENGTH];
 __u32 pid;
 __u32 tid;
 __u64 time;
- char filename[MAX_FILENAME_LENGTH];
- char comm[MAX_PROGNAME_LENGTH];
 };
diff --git a/internal/eventloop.go b/internal/eventloop.go
index d5ac4a9..a754897 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -3,6 +3,8 @@ package internal
 import "C"
 import (
+ "bytes"
+ "encoding/binary"
 "fmt"
 . "ioriotng/internal/generated/types"
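Review bot: The re-enabled UID branch returns the bare literal 0 while the neighbouring branches return ACCEPT and FILTER, so whether a UID match admits or drops the task depends on which of those two constants happens to be 0; make the policy explicit with `return ACCEPT;` (or `return FILTER;`, whichever is meant). The Go side also changes what this check compares against: flags.go registers `-uid` with default 0 and, as far as the SetBPF hunk shows, always writes `uint32(flags.UidFilter)` into UID_FILTER, so with no `-uid` on the command line the filter matches every root-owned task and the -1 default restored in flags.h is never in effect. Keeping "no filter" distinct from "root" needs a sentinel default on the flag (or a separate "uid was set" condition before the InitGlobalVariable call). The pid branch has the same default-0 shape, but PID 0 is never a traced task so it is harmless there. filter()'s opening line is outside the hunk.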
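Review bot: Moving the two char arrays ahead of `pid` changes the struct's alignment padding, and the Go type in types.go (reordered in the same commit) has to match it byte for byte: `pid` now sits at offset 4 + MAX_FILENAME_LENGTH + MAX_PROGNAME_LENGTH, and unless that sum is a multiple of 8 the compiler inserts padding before `__u64 time` that a padding-free decoder will not expect. The array lengths are not visible here, so this is an inference; a `_Static_assert` on `sizeof(struct open_enter_event)` next to the struct, or `__attribute__((packed))` with explicit padding members, would turn a mismatch into a build error instead of silently misparsed filenames. The `binaryCompare` helper added to eventloop.go suggests exactly such a layout mismatch is being chased.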
@@ -10,11 +12,30 @@ import (
 bpf "github.com/aquasecurity/libbpfgo"
 )
+type openFile struct {
+ fd int32
+ path string
+}
+
+func (o openFile) String() string {
+ return fmt.Sprintf("(%d) %s", o.fd, o.path)
+}
+
+func binaryCompare(ev *OpenEnterEvent, raw []byte) {
+ buf := new(bytes.Buffer)
+ if err := binary.Write(buf, binary.LittleEndian, *ev); err != nil {
+ panic(err)
+ }
+ bytes := buf.Bytes()
+ fmt.Println("bytes", bytes)
+ fmt.Println("raw ", raw)
+}
+
 func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
 enterOpen := make(map[uint32]*OpenEnterEvent)
 enterFd := make(map[uint32]*FdEvent)
- // To do this, extract the PID from the TID (pid_tid >> 32)
- // openFiles := make(map[
+
+ openFdMap := make(map[int32]openFile)
 for raw := range ch {
 switch OpId(raw[0]) {
@@ -22,22 +43,26 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
 fallthrough
 case OPEN_ENTER_OP_ID:
 ev := NewOpenEnterEvent(raw)
- enterOpen[ev.Pid] = ev
+ enterOpen[ev.Tid] = ev
 case OPENAT_EXIT_OP_ID:
 fallthrough
 case OPEN_EXIT_OP_ID:
 ev := NewFdEvent(raw)
- enterEv, ok := enterOpen[ev.Pid]
+ enterEv, ok := enterOpen[ev.Tid]
 if !ok {
- fmt.Println("Dropping", ev)
 ev.Recycle()
 continue
 }
+ file := openFile{
+ fd: ev.Fd,
+ path: string(enterEv.Filename[:]),
+ }
+ openFdMap[ev.Fd] = file
 duration := float64(ev.Time-enterEv.Time) / float64(1_000_000)
- fmt.Println(duration, "ms", enterEv, ev)
+ fmt.Println(duration, "ms", "opened", file)
- delete(enterOpen, ev.Pid)
+ delete(enterOpen, ev.Tid)
 ev.Recycle()
 enterEv.Recycle()
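Review bot: In binaryCompare the local `bytes := buf.Bytes()` shadows the `bytes` package imported in the previous hunk; it compiles only because the package is not referenced later in that function, and it will break the first time someone does. Rename it, e.g. `got := buf.Bytes()` and `fmt.Println("bytes", got)`. The helper also panics on a `binary.Write` error and, since `binary.Write` emits a struct without alignment padding, its output is comparable to the kernel's raw bytes only if the C struct has none; nothing in this commit calls it, so a doc comment such as `// binaryCompare is a debugging aid: prints the Go encoding of ev next to the raw ring-buffer bytes.` would make its status clear, or it should go before merge.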
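Review bot: `openFdMap[ev.Fd] = file` keys the open-file table by descriptor number alone, but descriptors are per-process: as soon as the filter admits more than one process (which the UID filter enabled in this commit does) two processes holding fd 3 overwrite each other's entry, and the write/close events in the next hunk are then attributed to the wrong path. Key it by (pid, fd), using the pid the exit event already carries, and change the lookups in the `@@ -47,24 +72,44 @@` hunk the same way. In the same lines, `string(enterEv.Filename[:])` converts the whole fixed-size array, so the path carries NUL padding (and whatever bytes follow the terminator) into every log line — cut at the first NUL; and if `ev.Fd` is the raw syscall return value, a failed open is recorded as an open file with a negative fd, so a guard is needed — I cannot see how NewFdEvent fills Fd, so confirm that. eventLoop continues on both sides of the hunk.
```go
// fdKey identifies a descriptor within one process; fd numbers alone collide across processes.
type fdKey struct {
	pid uint32
	fd  int32
}

// cString returns b up to its first NUL byte as a string.
func cString(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

// … unchanged: eventLoop up to the enterOpen lookup in the OPEN_EXIT_OP_ID case …
			if ev.Fd < 0 {
				// failed open: nothing to track (assumes Fd carries the syscall return — confirm)
				delete(enterOpen, ev.Tid)
				ev.Recycle()
				enterEv.Recycle()
				continue
			}
			file := openFile{
				fd:   ev.Fd,
				path: cString(enterEv.Filename[:]),
			}
			openFdMap[fdKey{pid: ev.Pid, fd: ev.Fd}] = file
// … unchanged: duration, log line, cleanup …
```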
@@ -47,24 +72,44 @@ func eventLoop(bpfModule *bpf.Module, ch <-chan []byte) {
 fallthrough
 case WRITEV_ENTER_OP_ID:
 ev := NewFdEvent(raw)
- enterFd[ev.Pid] = ev
+ if _, ok := openFdMap[ev.Fd]; !ok {
+ // File open not traced (todo: read from procfs?)
+ ev.Recycle()
+ continue
+ }
+ enterFd[ev.Tid] = ev
 case CLOSE_EXIT_OP_ID:
- fallthrough
+ ev := NewNullEvent(raw)
+ enterEv, ok := enterFd[ev.Tid]
+ if !ok {
+ ev.Recycle()
+ continue
+ }
+ duration := float64(ev.Time-enterEv.Time) / float64(1_000_000)
+ file, _ := openFdMap[enterEv.Fd]
+ fmt.Println(duration, "ms", "closed", file)
+
+ delete(openFdMap, enterEv.Fd)
+ delete(enterFd, ev.Tid)
+ ev.Recycle()
+ enterEv.Recycle()
+
 case WRITE_EXIT_OP_ID:
 fallthrough
 case WRITEV_EXIT_OP_ID:
 ev := NewNullEvent(raw)
- enterEv, ok := enterFd[ev.Pid]
+ enterEv, ok := enterFd[ev.Tid]
 if !ok {
- fmt.Println("Dropping", ev)
 ev.Recycle()
 continue
 }
 duration := float64(ev.Time-enterEv.Time) / float64(1_000_000)
- fmt.Println(duration, "ms", enterEv, ev)
+ if file, ok := openFdMap[enterEv.Fd]; ok {
+ fmt.Println(duration, "ms", "wrote", file)
+ }
- delete(enterFd, ev.Pid)
+ delete(enterFd, ev.Tid)
 ev.Recycle()
 enterEv.Recycle()
diff --git a/internal/flags/flags.go b/internal/flags/flags.go
index fbb0569..37797a4 100644
--- a/internal/flags/flags.go
+++ b/internal/flags/flags.go
@@ -14,7 +14,7 @@ type Flags struct {
 }
 func New() (flags Flags) {
- // flag.IntVar(&flags.UidFilter, "uid", 0, "Filter for user ID")
+ flag.IntVar(&flags.UidFilter, "uid", 0, "Filter for user ID")
 flag.IntVar(&flags.PidFilter, "pid", 0, "Filter for processes ID")
 flag.IntVar(&flags.EventMapSize, "mapSize", 4096*16, "BPF FD event ring buffer map size")
 flag.Parse()
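Review bot: In the CLOSE_EXIT branch `file, _ := openFdMap[enterEv.Fd]` discards the presence flag, so an fd that was never tracked is logged as "closed" with a zero-value openFile and then deleted anyway (staticcheck also flags the redundant blank identifier). Look it up the way the WRITE_EXIT branch below does, `if file, ok := openFdMap[enterEv.Fd]; ok { fmt.Println(duration, "ms", "closed", file) }`, and delete only on a hit. The new gate on the enter side silently drops writes to descriptors whose open was not observed (files opened before tracing started, inherited or duplicated descriptors); a dropped-event counter next to the `// File open not traced` comment would keep that from looking like lost events later. The close exit event carries no return value here, so a close that failed still removes the fd from the table — inferred from the NullEvent type, confirm. eventLoop continues past the hunk.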
@@ -23,11 +23,9 @@ func New() (flags Flags) {
 }
 func (flags Flags) SetBPF(bpfModule *bpf.Module) error {
- /*
- if err := bpfModule.InitGlobalVariable("UID_FILTER", uint32(flags.UidFilter)); err != nil {
- return fmt.Errorf("unable to set up UID_FILTER global variable: %w", err)
- }
- */
+ if err := bpfModule.InitGlobalVariable("UID_FILTER", uint32(flags.UidFilter)); err != nil {
+ return fmt.Errorf("unable to set up UID_FILTER global variable: %w", err)
+ }
 if err := bpfModule.InitGlobalVariable("PID_FILTER", uint32(flags.PidFilter)); err != nil {
 return fmt.Errorf("unable to set up PID_FILTER global variable: %w", err)
 }
diff --git a/internal/generated/types/types.go b/internal/generated/types/types.go
index 329e07a..d93a8c0 100644
--- a/internal/generated/types/types.go
+++ b/internal/generated/types/types.go
@@ -109,15 +109,15 @@ func (f *FdEvent) Recycle() {
 type OpenEnterEvent struct {
 OpId OpId
+ Filename [MAX_FILENAME_LENGTH]byte
+ Comm [MAX_PROGNAME_LENGTH]byte
 Pid uint32
 Tid uint32
 Time uint64
- Filename [MAX_FILENAME_LENGTH]byte
- Comm [MAX_PROGNAME_LENGTH]byte
 }
 func (o OpenEnterEvent) String() string {
- return fmt.Sprintf("OpId:%v Pid:%v Tid:%v Time:%v Filename:%v Comm:%v", o.OpId, o.Pid, o.Tid, o.Time, string(o.Filename[:]), string(o.Comm[:]))
+ return fmt.Sprintf("OpId:%v Filename:%v Comm:%v Pid:%v Tid:%v Time:%v", o.OpId, string(o.Filename[:]), string(o.Comm[:]), o.Pid, o.Tid, o.Time)
 }
 var poolOfOpenEnterEvents = sync.Pool{ |
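Review bot: `uint32(flags.UidFilter)` truncates an `int` without any check, so a value outside the uint32 range wraps silently — `-uid 4294967296` becomes UID 0 (root) and other negative values become large IDs that match nothing, with no error from the tool. Validate before the conversion, `if flags.UidFilter < 0 || flags.UidFilter > math.MaxUint32 { return fmt.Errorf("uid filter %d out of range", flags.UidFilter) }`, leaving an exception only for whatever sentinel is chosen to mean "disabled" (this hunk shows none; the same applies to PidFilter on the following lines). SetBPF continues past the hunk.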
