authorPaul Buetow <paul@buetow.org>2024-02-19 10:31:59 +0200
committerPaul Buetow <paul@buetow.org>2024-02-19 10:31:59 +0200
commit88483511d71a4f74e03580866be73769c407beee (patch)
tree6ce4e4db1f5c2f6a22e75da9b2bbc4ca20ed14dc /internal/c
parent5b29c78a69f4484995b7ceeabac9bcf538329697 (diff)
move all C code to internal/c
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/Makefile14
-rw-r--r--internal/c/flags.h4
-rw-r--r--internal/c/ioriotng.bpf.c136
-rw-r--r--internal/c/maps.h6
-rw-r--r--internal/c/types.h41
5 files changed, 201 insertions, 0 deletions
diff --git a/internal/c/Makefile b/internal/c/Makefile
new file mode 100644
index 0000000..196b2d3
--- /dev/null
+++ b/internal/c/Makefile
@@ -0,0 +1,14 @@
+export LIBBPFGO = $(CURDIR)/../../../libbpfgo
+export CC = clang
+
+all: bpfbuild
+
+.PHONY: bpfbuild
+bpfbuild:
+ bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+ $(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 -I$(LIBBPFGO)/output -c ioriotng.bpf.c -o ioriotng.bpf.o
+
+.PHONY: clean
+clean:
+ find . -name \*.o -delete
+ find . -name vmlinux.h -delete
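Review bot: The `-D__TARGET_ARCH_amd64` define on the clang line is not a name libbpf's headers test for; `bpf_tracing.h` selects the x86-64 register layout on `__TARGET_ARCH_x86`. It has no effect while ioriotng.bpf.c includes only `bpf_helpers.h`, but the first `PT_REGS_*` use would fail to resolve, so `-D__TARGET_ARCH_x86` is the spelling to use. The bpfbuild recipe also regenerates `vmlinux.h` from the build host's `/sys/kernel/btf/vmlinux` on every run, which is worth a one-line comment such as `# vmlinux.h is dumped from the build host's running kernel` so nobody expects identical objects across hosts.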
diff --git a/internal/c/flags.h b/internal/c/flags.h
new file mode 100644
index 0000000..53b9492
--- /dev/null
+++ b/internal/c/flags.h
@@ -0,0 +1,4 @@
+//+build ignore
+
+const volatile u32 UID_FILTER = 0;
+volatile u32 DYNAMIC_UID_FILTER = 0;
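Review bot: `UID_FILTER = 0` serves both as the default and as root's UID, so a loader that never rewrites the constant ends up tracing uid 0 only, and no value can express "all users"; filter() in ioriotng.bpf.c drops every caller whose UID `!=` this value. `DYNAMIC_UID_FILTER` is not read by any code shown in this commit. Both lines need a comment, for example `// UID to trace, set by the loader before load; 0 is root, not "no filter"`, and `DYNAMIC_UID_FILTER` should either gain a reader or be left out until one exists.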
diff --git a/internal/c/ioriotng.bpf.c b/internal/c/ioriotng.bpf.c
new file mode 100644
index 0000000..c9c9c88
--- /dev/null
+++ b/internal/c/ioriotng.bpf.c
@@ -0,0 +1,136 @@
+//+build ignore
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include "types.h"
+#include "maps.h"
+#include "flags.h"
+
+static __always_inline int filter() {
+ return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
+}
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ return handle_enter_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
+ return handle_exit_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
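Review bot: `handle_enter_open` forwards to `handle_enter_openat`, which reads the path from `ctx->args[1]`; for open(2) the pathname is argument 0 and argument 1 is the flags word. `bpf_probe_read_user_str` is therefore handed an integer as a user pointer, its return value is ignored, and the event is submitted with an empty filename, so every open() call is recorded without the file it touched. Moving the shared body into a helper that takes the pathname pointer lets each tracepoint pass the right argument. Checking the read's return value before submitting would also make a failed copy visible.

```c
static __always_inline int emit_open_enter(const void *pathname) {
	if (filter())
		return 0;

	struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
	if (!ev)
		return 0;

	// … unchanged: op_id, pid_tgid, time, memset of filename and comm …
	bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), pathname);
	// … unchanged: bpf_get_current_comm, bpf_ringbuf_submit …
	return 0;
}

SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
	return emit_open_enter((const void *)ctx->args[1]); // openat(dirfd, pathname, ...)
}

SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
	return emit_open_enter((const void *)ctx->args[0]); // open(pathname, ...)
}
```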
diff --git a/internal/c/maps.h b/internal/c/maps.h
new file mode 100644
index 0000000..7ec871c
--- /dev/null
+++ b/internal/c/maps.h
@@ -0,0 +1,6 @@
+//+build ignore
+
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 1 << 24);
+} event_map SEC(".maps");
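Review bot: The `max_entries` value on `event_map` carries no comment, and for `BPF_MAP_TYPE_RINGBUF` it is a size in bytes rather than a record count, so `1 << 24` is a 16 MiB buffer. A comment like `// ring buffer size in bytes (16 MiB); must be a power of two and page-aligned` would stop a later edit from treating it as an entry count. The handlers in ioriotng.bpf.c return 0 when `bpf_ringbuf_reserve` fails, so when this buffer is full events are dropped with no counter. That makes the sizing choice worth explaining here.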
diff --git a/internal/c/types.h b/internal/c/types.h
new file mode 100644
index 0000000..25cfcd8
--- /dev/null
+++ b/internal/c/types.h
@@ -0,0 +1,41 @@
+//+build ignore
+
+// These types mirror the Go types from internal/types/types.go
+//
+#define MAX_FILENAME_LENGTH 256
+#define MAX_PROGNAME_LENGTH 16
+
+#define OPENAT_ENTER_OP_ID 1
+#define OPENAT_EXIT_OP_ID 2
+#define CLOSE_ENTER_OP_ID 3
+#define CLOSE_EXIT_OP_ID 4
+#define WRITE_ENTER_OP_ID 5
+#define WRITE_EXIT_OP_ID 6
+#define WRITEV_ENTER_OP_ID 7
+#define WRITEV_EXIT_OP_ID 8
+
+struct null_event {
+ __u32 op_id;
+ __u32 pid_tgid;
+ __u64 time;
+};
+
+struct fd_event {
+ __u32 op_id;
+ __u32 pid_tgid;
+ __u64 time;
+ __s32 fd;
+};
+
+struct openat_enter_event {
+ __u32 op_id;
+ __u32 pid_tgid;
+ __u64 time;
+ char filename[MAX_FILENAME_LENGTH];
+ char comm[MAX_PROGNAME_LENGTH];
+};
+
+struct flags {
+ __u32 uid_filter;
+};
+
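Review bot: `__u32 pid_tgid` in `null_event`, `fd_event` and `openat_enter_event` cannot hold what the handlers assign to it. `bpf_get_current_pid_tgid()` returns 64 bits, with the tgid in the upper half and the thread id in the lower half, so the assignment keeps only the thread id. A consumer that treats the field as a process id will mis-attribute events from multi-threaded programs. Either widen it to `__u64 pid_tgid;` or rename it `tid` with a comment saying so. Widening changes the struct layout, so the Go types in internal/types/types.go that the header comment says these mirror would have to change in the same commit.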