restructure

3 files changed, 127 insertions, 0 deletions

diff --git a/internal/c/tracepoints/close.c b/internal/c/tracepoints/close.c
new file mode 100644
index 0000000..5e9504b
--- /dev/null
+++ b/internal/c/tracepoints/close.c
@@ -0,0 +1,38 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+    if (filter())
+        return 0;
+
+    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->op_id = CLOSE_ENTER_OP_ID;
+    ev->pid_tgid = bpf_get_current_pid_tgid();
+    ev->time = bpf_ktime_get_ns();
+    ev->fd = (int)ctx->args[0];
+
+    bpf_ringbuf_submit(ev, 0);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+    if (filter())
+        return 0;
+
+    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->op_id = CLOSE_EXIT_OP_ID;
+    ev->pid_tgid = bpf_get_current_pid_tgid();
+    ev->time = bpf_ktime_get_ns();
+
+    bpf_ringbuf_submit(ev, 0);
+
+    return 0;
+}
+
diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c
new file mode 100644
index 0000000..b405c0e
--- /dev/null
+++ b/internal/c/tracepoints/open.c
@@ -0,0 +1,52 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+    if (filter())
+        return 0;
+
+    struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->op_id = OPENAT_ENTER_OP_ID;
+    ev->pid_tgid = bpf_get_current_pid_tgid();
+    ev->time = bpf_ktime_get_ns();
+
+    __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+    bpf_ringbuf_submit(ev, 0);
+
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+    if (filter())
+        return 0;
+
+    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->op_id = OPENAT_EXIT_OP_ID;
+    ev->pid_tgid = bpf_get_current_pid_tgid();
+    ev->time = bpf_ktime_get_ns();
+    ev->fd = ctx->ret;
+
+    bpf_ringbuf_submit(ev, 0);
+
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+    return handle_enter_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
+    return handle_exit_openat(ctx);
+}
+
diff --git a/internal/c/tracepoints/write.c b/internal/c/tracepoints/write.c
new file mode 100644
index 0000000..262cb48
--- /dev/null
+++ b/internal/c/tracepoints/write.c
@@ -0,0 +1,37 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
+    if (filter())
+        return 0;
+
+    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->op_id = WRITE_ENTER_OP_ID;
+    ev->pid_tgid = bpf_get_current_pid_tgid();
+    ev->time = bpf_ktime_get_ns();
+    ev->fd = (int)ctx->args[0];
+
+    bpf_ringbuf_submit(ev, 0);
+    return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+    if (filter())
+        return 0;
+
+    struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+    if (!ev)
+        return 0;
+
+    ev->op_id = WRITE_EXIT_OP_ID;
+    ev->pid_tgid = bpf_get_current_pid_tgid();
+    ev->time = bpf_ktime_get_ns();
+
+    bpf_ringbuf_submit(ev, 0);
+
+    return 0;
+}