diff options
| author | Paul Buetow <paul@buetow.org> | 2024-02-13 10:26:47 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-13 10:26:47 +0200 |
| commit | a1b917899d564d681f0dce682583d951e0c8a3ae (patch) | |
| tree | fa7a7594a5a855d4f5019543827f7a4e783e2d56 /ioriotng.bpf.c | |
| parent | e43fba8ef47a7a435809ebc09c799254c1c1fcf7 (diff) | |
collect enter and exit times of the syscall tracepoints
Diffstat (limited to 'ioriotng.bpf.c')
| -rw-r--r-- | ioriotng.bpf.c | 30 |
1 files changed, 26 insertions, 4 deletions
diff --git a/ioriotng.bpf.c b/ioriotng.bpf.c index d9b0f5a..8f39573 100644 --- a/ioriotng.bpf.c +++ b/ioriotng.bpf.c @@ -5,8 +5,6 @@ #include <bpf/bpf_helpers.h> #include "maps.bpf.h" -// TODO: Split out this file into several *.bpf.c programs. - // TODO: Make UID_FILTER configurable via a flag from the userland part. // For now, this is set to my own user for development purposes. #define UID_FILTER 1001 @@ -19,6 +17,7 @@ int handle_enter_open(struct trace_event_raw_sys_enter *ctx) { u32 tid = bpf_get_current_pid_tgid(); struct open_event event = { .op_id = OPEN, + .enter_time = bpf_ktime_get_ns(), }; bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]); @@ -40,6 +39,7 @@ int handle_exit_open(struct trace_event_raw_sys_exit *ctx) { return 0; } eventp->fd = ctx->ret; + eventp->exit_time = bpf_ktime_get_ns(); bpf_perf_event_output(ctx, &open_event_map, BPF_F_CURRENT_CPU, eventp, sizeof(struct open_event)); bpf_map_delete_elem(&open_event_temp_map, &tid); @@ -52,7 +52,10 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) { return 0; u32 tid = bpf_get_current_pid_tgid(); - struct open_event event = { .op_id = OPEN_AT }; + struct open_event event = { + .op_id = OPEN_AT, + .enter_time = bpf_ktime_get_ns(), + }; bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]); bpf_get_current_comm(&event.comm, sizeof(event.comm)); @@ -75,12 +78,31 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) { if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER) return 0; + u32 tid = bpf_get_current_pid_tgid(); struct fd_event event = { .fd = (int)ctx->args[0], .op_id = CLOSE, .tid = bpf_get_current_pid_tgid(), + .enter_time = bpf_ktime_get_ns(), }; - bpf_perf_event_output(ctx, &fd_event_map, BPF_F_CURRENT_CPU, &event, sizeof(struct fd_event)); + bpf_map_update_elem(&fd_event_temp_map, &tid, &event, BPF_ANY); + + return 0; +} + +SEC("tracepoint/syscalls/sys_exit_close") +int handle_exit_close(struct trace_event_raw_sys_enter *ctx) { + if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER) + return 0; + + u32 tid = bpf_get_current_pid_tgid(); + struct open_event *eventp = bpf_map_lookup_elem(&fd_event_temp_map, &tid); + if (!eventp) { + return 0; + } + eventp->exit_time = bpf_ktime_get_ns(); + bpf_perf_event_output(ctx, &fd_event_map, BPF_F_CURRENT_CPU, eventp, sizeof(struct fd_event)); + bpf_map_delete_elem(&fd_event_temp_map, &tid); return 0; } |