| -rw-r--r-- | internal/ioriotng.bpf.c | 37 | ||||
| -rw-r--r-- | internal/ioriotng.go | 32 | ||||
| -rw-r--r-- | internal/types/types.bpf.h | 4 | ||||
| -rw-r--r-- | internal/types/types.go | 12 |
4 files changed, 73 insertions, 12 deletions
diff --git a/internal/ioriotng.bpf.c b/internal/ioriotng.bpf.c
index ce06d8a..3948529 100644
--- a/internal/ioriotng.bpf.c
+++ b/internal/ioriotng.bpf.c
@@ -96,4 +96,41 @@ int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 }
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
diff --git a/internal/ioriotng.go b/internal/ioriotng.go
index 2892431..97b46ea 100644
--- a/internal/ioriotng.go
+++ b/internal/ioriotng.go
@@ -11,7 +11,7 @@ import (
 "ioriotng/internal/flags"
 "ioriotng/internal/syncpool"
 "ioriotng/internal/tracepoints"
- "ioriotng/internal/types"
+ . "ioriotng/internal/types"
 bpf "github.com/aquasecurity/libbpfgo"
 )
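Review bot: `handle_exit_write` is attached to `sys_exit_write` but declares its context as `struct trace_event_raw_sys_enter *ctx`; the exit tracepoint's record is `struct trace_event_raw_sys_exit`, so the signature should read `int handle_exit_write(struct trace_event_raw_sys_exit *ctx)` (the hunk header shows the same pattern on `handle_exit_close`). It is harmless while `ctx` is unused, but the first read of `ctx->ret` through the enter layout would not yield the syscall result. Separately, both new handlers return silently when `bpf_ringbuf_reserve` fails, so under load an enter record can be lost while its exit is delivered, or the reverse; a drop counter that user space can read would show when the trace is incomplete. No `writev` handlers appear in this hunk, although ids for them are added elsewhere in the commit.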
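Review bot: The dot import `. "ioriotng/internal/types"` puts every exported name of that package into this file's scope, which hides where `OpId`, `FdEvent` and the `*_OP_ID` constants come from and can break the build when `types` later exports a name this package already declares. Go style generally keeps dot imports to test files; a short alias such as `t "ioriotng/internal/types"` keeps call sites compact without losing the qualifier.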
@@ -54,19 +54,19 @@ func Run(flags flags.Flags) {
 }
 rb.Poll(300)
- enterOpen := make(map[uint32]*types.OpenatEnterEvent)
- enterFd := make(map[uint32]*types.FdEvent)
+ enterOpen := make(map[uint32]*OpenatEnterEvent)
+ enterFd := make(map[uint32]*FdEvent)
 // To do this, extract the PID from the TID (pid_tid >> 32) // openFiles := make(map[
 for raw := range ch {
- switch types.OpId(raw[0]) {
- case types.OPENAT_ENTER_OP_ID:
- ev := readRaw(raw, syncpool.OpenEnterEvent.Get().(*types.OpenatEnterEvent))
+ switch OpId(raw[0]) {
+ case OPENAT_ENTER_OP_ID:
+ ev := readRaw(raw, syncpool.OpenEnterEvent.Get().(*OpenatEnterEvent))
 enterOpen[ev.PidTGid] = ev
- case types.OPENAT_EXIT_OP_ID:
- ev := readRaw(raw, syncpool.FdEvent.Get().(*types.FdEvent))
+ case OPENAT_EXIT_OP_ID:
+ ev := readRaw(raw, syncpool.FdEvent.Get().(*FdEvent))
 enterEv, ok := enterOpen[ev.PidTGid]
 if !ok {
 fmt.Println("Dropping", ev)
@@ -80,12 +80,20 @@ func Run(flags flags.Flags) {
 syncpool.FdEvent.Put(ev)
 syncpool.OpenEnterEvent.Put(enterEv)
- case types.CLOSE_ENTER_OP_ID:
- ev := readRaw(raw, syncpool.FdEvent.Get().(*types.FdEvent))
+ case CLOSE_ENTER_OP_ID:
+ fallthrough
+ case WRITE_ENTER_OP_ID:
+ fallthrough
+ case WRITEV_ENTER_OP_ID:
+ ev := readRaw(raw, syncpool.FdEvent.Get().(*FdEvent))
 enterFd[ev.PidTGid] = ev
- case types.CLOSE_EXIT_OP_ID:
- ev := readRaw(raw, syncpool.NullEvent.Get().(*types.NullEvent))
+ case CLOSE_EXIT_OP_ID:
+ fallthrough
+ case WRITE_EXIT_OP_ID:
+ fallthrough
+ case WRITEV_EXIT_OP_ID:
+ ev := readRaw(raw, syncpool.NullEvent.Get().(*NullEvent))
 enterEv, ok := enterFd[ev.PidTGid]
 if !ok {
 fmt.Println("Dropping", ev)
diff --git a/internal/types/types.bpf.h b/internal/types/types.bpf.h
index 35c5311..25cfcd8 100644
--- a/internal/types/types.bpf.h
+++ b/internal/types/types.bpf.h
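Review bot: The exit case now pairs a close, write or writev exit with whatever entry `enterFd[ev.PidTGid]` holds, without checking that the stored enter record belongs to the same syscall. If one record is lost between kernel and user space, a stale close-enter can be matched with a later write-exit on that thread and the trace attributes the wrong operation to the fd; comparing the op id of the stored enter with the exit's op id before pairing, and discarding the entry on mismatch, would keep the output trustworthy. The chained `fallthrough` cases are more idiomatic as one list, `case CLOSE_ENTER_OP_ID, WRITE_ENTER_OP_ID, WRITEV_ENTER_OP_ID:`, and likewise for the exit ids. The rest of `Run`, including whether entries are removed from `enterFd` after pairing, lies outside this hunk.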
@@ -9,6 +9,10 @@
 #define OPENAT_EXIT_OP_ID 2
 #define CLOSE_ENTER_OP_ID 3
 #define CLOSE_EXIT_OP_ID 4
+#define WRITE_ENTER_OP_ID 5
+#define WRITE_EXIT_OP_ID 6
+#define WRITEV_ENTER_OP_ID 7
+#define WRITEV_EXIT_OP_ID 8
 struct null_event {
 __u32 op_id;
diff --git a/internal/types/types.go b/internal/types/types.go
index 1d151dd..a662b4b 100644
--- a/internal/types/types.go
+++ b/internal/types/types.go
@@ -17,6 +17,10 @@ const (
 OPENAT_EXIT_OP_ID
 CLOSE_ENTER_OP_ID
 CLOSE_EXIT_OP_ID
+ WRITE_ENTER_OP_ID
+ WRITE_EXIT_OP_ID
+ WRITEV_ENTER_OP_ID
+ WRITEV_EXIT_OP_ID
 )
 func (id OpId) String() string {
@@ -29,6 +33,14 @@ func (id OpId) String() string {
 return "close:enter"
 case CLOSE_EXIT_OP_ID:
 return "close:exit"
+ case WRITE_ENTER_OP_ID:
+ return "write:enter"
+ case WRITE_EXIT_OP_ID:
+ return "write:exit"
+ case WRITEV_ENTER_OP_ID:
+ return "write:enter"
+ case WRITEV_EXIT_OP_ID:
+ return "write:exit"
 default:
 panic(fmt.Sprintf("Unknown OpId %d", uint32(id)))
 } |
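Review bot: `WRITEV_ENTER_OP_ID` and `WRITEV_EXIT_OP_ID` return the same strings as the `write` ids, so anything printed through `String()` cannot tell the two syscalls apart; the new cases should read `return "writev:enter"` and `return "writev:exit"`. The `default:` branch still panics on an id it does not know, and elsewhere in this commit the id is taken from the first byte of a ring-buffer record, so if such a value is ever formatted the tracer would stop; returning something like `fmt.Sprintf("unknown(%d)", uint32(id))` would be more forgiving. The `#define` values in `types.bpf.h` and this constant block have to be kept in step by hand, and a comment on both saying so would help the next person who adds an id.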
