print out file (fd and name) for each syscall

author: Paul Buetow <paul@buetow.org> 2024-03-01 01:05:40 +0200
committer: Paul Buetow <paul@buetow.org> 2024-03-01 01:05:40 +0200
commit: dfaa92b076acfc341649888bef10116dc5f3e94e (patch)
tree: f6dccfab72dca4dc0965b50ce0e6a916b3d6b866 /internal/eventloop.go
parent: 5512e4441ba93d1a8d55faf56d66eaf9986551f1 (diff)
1 files changed, 26 insertions, 0 deletions
diff --git a/internal/eventloop.go b/internal/eventloop.go
index 6163ebf..37771ee 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -21,6 +21,7 @@ func eventLoop(bpfModule *bpf.Module, rawCh <-chan []byte) {
 func events(rawCh <-chan []byte) <-chan enterExitEvent {
 	evCh := make(chan enterExitEvent)
 	enterEvs := make(map[uint32]enterExitEvent)
+	files := make(map[int32]file)
 
 	enter := func(enterEv event) {
 		enterEvs[enterEv.GetTid()] = enterExitEvent{
@@ -36,6 +37,31 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 		}
 		delete(enterEvs, exitEv.GetTid())
 		ev.exitEv = exitEv
+
+		if ev.is(SYS_ENTER_OPENAT, SYS_EXIT_OPENAT) || ev.is(SYS_ENTER_OPEN, SYS_EXIT_OPEN) {
+			openEnterEv := ev.enterEv.(*OpenEnterEvent)
+			fd := ev.exitEv.(*FdEvent).Fd
+			file := file{fd, string(openEnterEv.Filename[:])}
+
+			if fd >= 0 {
+				files[fd] = file
+			}
+			ev.comm = string(openEnterEv.Comm[:])
+			ev.file = file
+			return
+		}
+
+		if fdEvent, ok := ev.enterEv.(*FdEvent); ok {
+			if file_, ok := files[fdEvent.Fd]; ok {
+				ev.file = file_
+			} else {
+				ev.file = file{fdEvent.Fd, "?"}
+			}
+			if ev.is(SYS_ENTER_CLOSE, SYS_EXIT_CLOSE) {
+				delete(files, fdEvent.Fd)
+			}
+		}
+
 		evCh <- ev
 	}
author	Paul Buetow <paul@buetow.org>	2024-03-01 01:05:40 +0200
committer	Paul Buetow <paul@buetow.org>	2024-03-01 01:05:40 +0200
commit	dfaa92b076acfc341649888bef10116dc5f3e94e (patch)
tree	f6dccfab72dca4dc0965b50ce0e6a916b3d6b866 /internal/eventloop.go
parent	5512e4441ba93d1a8d55faf56d66eaf9986551f1 (diff)