| author | Paul Buetow <paul@buetow.org> | 2024-02-10 18:41:48 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-10 18:41:48 +0200 |
| commit | c6200235b553770221e1ca0b25ca46ed6af96803 (patch) | |
| tree | 2835c0e93ffff229f01bbbedb8b9d8c657ca93ae | |
| parent | b124de93c6a8f5ef4ee5f6238e6a998243fc4614 (diff) | |
add open syscall
| -rw-r--r-- | main.bpf.c | 34 | ||||
| -rw-r--r-- | main.go | 13 |
2 files changed, 34 insertions, 13 deletions
@@ -18,6 +18,7 @@ struct {
 struct openat_event {
 int fd;
+ int syscall_id;
 u32 tid;
 char filename[256];
 char comm[16];
@@ -37,13 +38,13 @@ struct {
 __uint(max_entries, 128); // Adjust size as needed
 } temp_events SEC(".maps");
-SEC("tracepoint/syscalls/sys_enter_openat")
-int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
 u32 tid = bpf_get_current_pid_tgid();
- struct openat_event event = {};
+ struct openat_event event = { .syscall_id = ctx->id };
- // Capture the filename. Note: You need to handle possible user-space pointer issues
- bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]);
+
+ bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]);
 bpf_get_current_comm(&event.comm, sizeof(event.comm));
 event.tid = tid;
 bpf_map_update_elem(&temp_events, &tid, &event, BPF_ANY);
@@ -51,8 +52,8 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
-SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_exit_openat(struct trace_event_raw_sys_exit *args) {
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *args) {
 u32 tid = bpf_get_current_pid_tgid();
 struct openat_event *eventp = bpf_map_lookup_elem(&temp_events, &tid);
 if (!eventp) {
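Review bot: The return values of `bpf_probe_read_user_str` and `bpf_map_update_elem` are still ignored in handle_enter_open, so a failed user-memory read leaves `filename` empty with no indication, and once `temp_events` (128 entries, now fed by both open and openat) is full the entry is dropped silently and the matching exit handler finds nothing, so that open is never reported. The commit also deletes the comment warning about the user-space pointer without replacing it; I would keep a caveat such as `// Path is copied from user memory at syscall entry: the read can fail (filename stays empty) and another thread may rewrite the string before the kernel resolves it, so treat it as a hint, not ground truth.` At minimum check both calls, e.g. `if (bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]) < 0) event.filename[0] = '\0';` and `if (bpf_map_update_elem(&temp_events, &tid, &event, BPF_ANY) < 0) return 0;`, ideally alongside a drop counter so the consumer can see the gap. Note too that the `tracepoint/syscalls/sys_enter_open` tracepoint only exists on architectures that still provide the legacy open(2) syscall; if the Go loader attaches every program in the object, loading will presumably fail on arm64 — worth confirming.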
@@ -65,4 +66,23 @@ int handle_exit_openat(struct trace_event_raw_sys_exit *args) {
 return 0;
 }
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ u32 tid = bpf_get_current_pid_tgid();
+ struct openat_event event = { .syscall_id = ctx->id };
+
+ bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&event.comm, sizeof(event.comm));
+ event.tid = tid;
+ bpf_map_update_elem(&temp_events, &tid, &event, BPF_ANY);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *args) {
+ return handle_exit_open(args);
+}
+
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
@@ -15,17 +15,18 @@ import (
 )
 type openatEvent struct {
- FD int32
- TID uint32
- Filename [256]byte
- Comm [16]byte
+ FD int32
+ SyscallID int32
+ TID uint32
+ Filename [256]byte
+ Comm [16]byte
 }
 func (e openatEvent) String() string {
 filename := e.Filename[:]
 comm := e.Comm[:]
- return fmt.Sprintf("tid:%v fd:%v filename:%s, comm:%s",
- e.TID, e.FD, string(filename), string(comm))
+ return fmt.Sprintf("syscall:%d tid:%v fd:%v filename:%s, comm:%s",
+ e.SyscallID, e.TID, e.FD, string(filename), string(comm))
 }
 func resizeMap(module *bpf.Module, name string, size uint32) error { |
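Review bot: For openat the string read from `ctx->args[1]` is resolved relative to the dirfd in `ctx->args[0]` unless the path is absolute or dirfd is AT_FDCWD, and the event records neither dirfd nor the cwd, so a consumer cannot tell which file a relative `filename` refers to; either capture `ctx->args[0]` into a new `dirfd` field (with the matching field in the Go struct) or state the limitation in a comment on `struct openat_event`. The new handle_enter_openat is otherwise a verbatim copy of handle_enter_open with only the argument index changed; a shared `static __always_inline int record_enter(struct trace_event_raw_sys_enter *ctx, const void *path)` called from both would keep the two paths, and any future return-value checks, in sync. `handle_exit_openat` forwarding to `handle_exit_open` works because both entry handlers store under the same per-tid key, but that coupling deserves a one-line comment, e.g. `// open and openat share temp_events keyed by tid; one thread is in at most one syscall at a time.`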
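Review bot: On the rewritten `fmt.Sprintf` line `string(filename)` and `string(comm)` still convert the whole fixed-size arrays, so `filename:%s` carries the NUL padding after the terminator (up to 255 embedded `\x00` bytes) into logs; trim at the first NUL before formatting, e.g. `if i := bytes.IndexByte(filename, 0); i >= 0 { filename = filename[:i] }` and the same for `comm`, importing `bytes` if the import block (cut off in this hunk) does not already have it. `SyscallID` is the raw, architecture-specific `ctx->id` from the BPF side (open and openat have different numbers on x86_64 and arm64), so printing it with `%d` is hard to read; a small number-to-name map or at least a comment on the field saying it is the raw syscall number would help. Since the event is presumably decoded by memory layout, the field order and sizes of openatEvent must mirror `struct openat_event` in main.bpf.c byte for byte; a comment next to the type cross-referencing the C struct would make that coupling explicit.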
