| author | Paul Buetow <paul@buetow.org> | 2024-02-09 00:32:11 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-09 00:32:11 +0200 |
| commit | f1d915931ca1e0f5fb4007c9cab59fd460a25c6c (patch) | |
| tree | fe05c819a315d98bce1073ef6d39736a06352f3f | |
| parent | 05fd16ccde0dea9848e8c0140e14dd1854631fc6 (diff) | |
also catch enter openat syscall
| -rw-r--r-- | internal/tracepoints/syscalls.go | 21 | ||||
| -rw-r--r-- | main.bpf.c | 35 | ||||
| -rw-r--r-- | main.go | 17 |
3 files changed, 57 insertions, 16 deletions
diff --git a/internal/tracepoints/syscalls.go b/internal/tracepoints/syscalls.go
new file mode 100644
index 0000000..ebc46af
--- /dev/null
+++ b/internal/tracepoints/syscalls.go
@@ -0,0 +1,21 @@
+package tracepoints
+
+import (
+ "fmt"
+
+ bpf "github.com/aquasecurity/libbpfgo"
+)
+
+func AttachSyscalls(bpfModule *bpf.Module, names ...string) error {
+ for _, name := range names {
+ // Attach to tracepoint
+ prog, err := bpfModule.GetProgram(fmt.Sprintf("handle_%s", name))
+ if err != nil {
+ return fmt.Errorf("Failed to get BPF program handle_%s: %v", name, err)
+ }
+ if _, err = prog.AttachTracepoint("syscalls", fmt.Sprintf("sys_%s", name)); err != nil {
+ return fmt.Errorf("Failed to attach to sys_%s tracepoint: %v", name, err)
+ }
+ }
+ return nil
+}
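Review bot: AttachSyscalls is exported but has no doc comment, and both error returns wrap the libbpfgo error with `%v`, which hides it from `errors.Is`/`errors.As` in the caller. Suggest `// AttachSyscalls attaches each BPF program named handle_<name> to the syscalls:sys_<name> tracepoint (e.g. "enter_openat"); it stops at the first failure and leaves earlier attachments in place.` together with `return fmt.Errorf("get BPF program handle_%s: %w", name, err)` (lowercase, no "Failed to" prefix, and the same for the attach error). The `*BPFLink` returned by AttachTracepoint is discarded, so nothing in this package can detach a program explicitly; that is only fine if libbpfgo retains the link on the module and releases it on Close, which is worth confirming before relying on it.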
@@ -29,14 +29,39 @@ struct { __uint(value_size, sizeof(u32)); } events SEC(".maps"); -SEC("tracepoint/syscalls/sys_exit_openat") -int handle_openat(struct trace_event_raw_sys_exit *args) { +// Map to temporarily store the filename from sys_enter_openat +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(key_size, sizeof(u32)); + __uint(value_size, sizeof(struct openat_event)); + __uint(max_entries, 128); // Adjust size as needed +} temp_events SEC(".maps"); + +SEC("tracepoint/syscalls/sys_enter_openat") +int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) { + u32 tid = bpf_get_current_pid_tgid(); struct openat_event event = {}; - event.fd = args->ret; - event.tid = bpf_get_current_pid_tgid(); + + // Capture the filename. Note: You need to handle possible user-space pointer issues + bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]); bpf_get_current_comm(&event.comm, sizeof(event.comm)); + event.tid = tid; + bpf_map_update_elem(&temp_events, &tid, &event, BPF_ANY); + + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_openat") +int handle_exit_openat(struct trace_event_raw_sys_exit *args) { + u32 tid = bpf_get_current_pid_tgid(); + struct openat_event *eventp = bpf_map_lookup_elem(&temp_events, &tid); + if (!eventp) { + return 0; + } + eventp->fd = args->ret; + bpf_perf_event_output(args, &events, BPF_F_CURRENT_CPU, eventp, sizeof(struct openat_event)); + bpf_map_delete_elem(&temp_events, &tid); - bpf_perf_event_output(args, &events, BPF_F_CURRENT_CPU, &event, sizeof(event)); return 0; } @@ -9,6 +9,8 @@ import ( "os" "runtime" + "ioriotng/internal/tracepoints" + bpf "github.com/aquasecurity/libbpfgo" ) 
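Review bot: In handle_enter_openat the return value of `bpf_probe_read_user_str` is ignored, so a faulted read and a genuinely empty path both produce an event with an empty filename, and a pathname longer than `sizeof(event.filename)` is silently cut off — for a tracer whose purpose is to report what was opened, a long attacker-chosen path hides its tail with no indication. The helper returns the copied length on success (equal to the buffer size when the string was truncated) and a negative value on failure, so both cases are cheap to detect; the rewrite below drops the event on failure and leaves an obvious place to record truncation should openat_event gain a field for it (the struct is defined outside this hunk, as is the `events` map whose last lines open the hunk). Separately, `temp_events` has `max_entries` of 128 with the note "Adjust size as needed", and the result of `bpf_map_update_elem` is also discarded, so once 128 threads are concurrently inside openat, or entries are orphaned because no exit is ever observed for that tid, further opens are lost without trace; the size should be raised well above the expected concurrency and update failures at least counted. In handle_exit_openat `eventp->fd = args->ret` stores the raw syscall return, so failed opens are emitted with a negative fd; if consumers treat that field as a valid descriptor, the comment on the field should say so.
```c
    __uint(max_entries, 10240); // bounded by threads concurrently inside openat, not by 128

/* … unchanged: temp_events SEC(".maps") … */

SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
    u32 tid = bpf_get_current_pid_tgid(); /* low 32 bits: the thread id */
    struct openat_event event = {};
    long len;

    /* args[1] is the user pathname: len < 0 means the read faulted,
     * len == sizeof(event.filename) means the path was truncated. */
    len = bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]);
    if (len < 0)
        return 0;
    /* … unchanged: comm, tid, bpf_map_update_elem (check its return and count failures) … */
```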
@@ -59,19 +61,12 @@ func main() {
 err = bpfModule.BPFLoadObject()
 if err != nil {
 fmt.Fprintf(os.Stderr, "Failed to load BPF object: %v\n", err)
- return
+ os.Exit(-1)
 }
 
- // Attach to tracepoint
- prog, err := bpfModule.GetProgram("handle_openat")
- if err != nil {
- fmt.Fprintf(os.Stderr, "Failed to get BPF program: %v\n", err)
- os.Exit(1)
- }
- _, err = prog.AttachTracepoint("syscalls", "sys_exit_openat")
- if err != nil {
- fmt.Fprintf(os.Stderr, "Failed to attach to sys_exit_openat tracepoint: %v\n", err)
- return
+ if err := tracepoints.AttachSyscalls(bpfModule, "enter_openat", "exit_openat"); err != nil {
+ fmt.Fprintf(os.Stderr, err.Error())
+ os.Exit(-1)
 }
 
 testerMap, err := bpfModule.GetMap("tester") |
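Review bot: `fmt.Fprintf(os.Stderr, err.Error())` passes the error text as the format string, so any `%` in the libbpf message it wraps would be misinterpreted, `go vet` flags it, and no trailing newline is written; use `fmt.Fprintln(os.Stderr, err)`. The attach order also matters: "enter_openat" is attached before "exit_openat", and during that window handle_enter_openat (main.bpf.c) stores an entry in the 128-slot temp_events map for every openat with no exit program yet attached to delete it, so each such entry lingers until the same tid performs another openat after the exit program is live — for short-lived threads possibly never; attaching the exit program first, `tracepoints.AttachSyscalls(bpfModule, "exit_openat", "enter_openat")`, means a lookup can only miss, never leak. `os.Exit(-1)` replaces the earlier `os.Exit(1)` and `return`, yielding exit status 255 and skipping any deferred cleanup registered earlier in main (not visible here); `os.Exit(1)` keeps the conventional status. main() continues past the end of this hunk.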
