| -rw-r--r-- | main.bpf.c | 40 | ||||
| -rw-r--r-- | main.go | 10 | ||||
| -rw-r--r-- | maps.bpf.h | 36 |
3 files changed, 39 insertions, 47 deletions
@@ -2,8 +2,8 @@
 #include "vmlinux.h"
 #include "opids.h"
- #include <bpf/bpf_helpers.h>
+#include "maps.bpf.h"
 // TODO: Split out this file into several *.bpf.c programs.
@@ -11,30 +11,6 @@
 // For now, this is set to my own user for development purposes.
 #define UID_FILTER 1001
-// Helper structs for opening file(s)
-
-struct open_event {
- int fd;
- int op_id;
- u32 tid;
- char filename[256];
- char comm[16];
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} open_event_map SEC(".maps");
-
-// Map to temporarily store the filename from sys_enter_openat
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(struct open_event));
- __uint(max_entries, 128); // Adjust size as needed
-} open_event_temp_map SEC(".maps");
-
 SEC("tracepoint/syscalls/sys_enter_open")
 int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
@@ -92,20 +68,6 @@ int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
 return handle_exit_open(ctx);
 }
-// Helper structs for other syscalls on FDs
-
-struct fd_event {
- int fd;
- int op_id;
- u32 tid;
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} fd_event_map SEC(".maps");
-
 SEC("tracepoint/syscalls/sys_enter_close")
 int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
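Review bot: The new `#include "maps.bpf.h"` only compiles while vmlinux.h and bpf_helpers.h happen to be included before it, because the header added in the maps.bpf.h hunk below uses `u32`, `SEC()`, `__uint()` and the `BPF_MAP_TYPE_*` constants without including anything itself. The collapsed rendering also leaves it unclear whether `#include <bpf/bpf_helpers.h>` survives or is the removed line; if it is gone and opids.h does not pull it in, `SEC` and `__uint` have no definition at all. Either way the header should be self-contained so include order stops being load-bearing: an include guard plus its own two includes at the top, with the matching `#endif` at the bottom. The same point applies to the maps.bpf.h hunk, where these lines belong; the rest of that file is unchanged.
```c
//+build ignore
#ifndef MAPS_BPF_H
#define MAPS_BPF_H

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>

// … unchanged: open_event, open_event_map, open_event_temp_map, fd_event, fd_event_map …

#endif // MAPS_BPF_H
```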
@@ -73,12 +73,10 @@ func main() {
 }
 defer bpfModule.Close()
- // Todo, could build a eventListener struct, which is generic.
- if err = resizeMap(bpfModule, "open_event_map", 8192*10); err != nil {
+ if err = resizeMap(bpfModule, "open_event_map", 8192); err != nil {
 log.Fatal(err)
 }
-
- if err = resizeMap(bpfModule, "fd_event_map", 8192*10); err != nil {
+ if err = resizeMap(bpfModule, "fd_event_map", 8192); err != nil {
 log.Fatal(err)
 }
@@ -109,10 +107,6 @@ func main() {
 }
 }()
- go func() {
- defer wg.Done()
- }()
-
 wg.Wait()
 log.Println("Good bye")
 }
diff --git a/maps.bpf.h b/maps.bpf.h
new file mode 100644
index 0000000..afa1064
--- /dev/null
+++ b/maps.bpf.h
@@ -0,0 +1,36 @@
+//+build ignore
+
+struct open_event {
+ int fd;
+ int op_id;
+ u32 tid;
+ char filename[256];
+ char comm[16];
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(u32));
+} open_event_map SEC(".maps");
+
+// Map to temporarily store the filename from sys_enter_openat
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(struct open_event));
+ __uint(max_entries, 128); // Adjust size as needed
+} open_event_temp_map SEC(".maps");
+
+struct fd_event {
+ int fd;
+ int op_id;
+ u32 tid;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(u32));
+} fd_event_map SEC(".maps");
+ |
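Review bot: `8192` is now a bare literal repeated on both `resizeMap` lines, so the two maps can drift apart again the next time one is tuned; declare `const perfMapEntries = 8192` at package scope and call `resizeMap(bpfModule, "open_event_map", perfMapEntries)` and `resizeMap(bpfModule, "fd_event_map", perfMapEntries)`. Separately, this is a tenfold reduction from `8192*10`; `resizeMap` is outside the hunk, but if it governs how many events can be held before user space drains them, a burst of syscalls from the filtered UID will overflow sooner. For a tracer, dropped events are silent blind spots, so whatever consumes these maps should count and log its lost-sample callback rather than discard it, and the constant's comment should say why 8192 was chosen. The enclosing `main` starts outside the hunk.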
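Review bot: `wg.Wait()` on the new side may never return: the goroutine whose only job was `wg.Done()` is gone, but the `wg.Add` that it balanced lives earlier in `main`, outside this hunk, and nothing visible here lowers that count by one. If it was not adjusted in the same commit the program hangs at shutdown instead of reaching `log.Println("Good bye")`; if it was over-adjusted, `Done` panics on a negative counter. The robust pattern is to put `wg.Add(1)` immediately before each `go func() { defer wg.Done(); ... }()` it tracks instead of batching the count, so removing a goroutine removes its Add with it. The enclosing `main` starts outside the hunk.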
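Review bot: The new header does not document who fills these structs or what the fixed-size fields imply, yet this layout is the contract shared with the Go consumer. `filename[256]` is a fixed buffer, so any path longer than 255 bytes arrives truncated; say so where the consumer will read it, e.g. `// filename: NUL-terminated, truncated to 255 bytes; consumers must not assume the full path` (presumably filled by the enter handler in main.bpf.c — confirm). `open_event_temp_map` is keyed by a `u32` (per `key_size`) with `max_entries` 128, so `// Adjust size as needed` should state the consequence rather than leave it implicit: when the table is full the enter-side insert fails and that open is never reported, and an entry whose exit probe never runs is left behind. These semantics predate this commit and are only moved here, but the new file is the right place to record them.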
