Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/Makefile4
-rw-r--r--internal/c/filter.c5
-rw-r--r--internal/c/ioriotng.bpf.c135
-rw-r--r--internal/c/tracepoints/close.c38
-rw-r--r--internal/c/tracepoints/open.c52
-rw-r--r--internal/c/tracepoints/write.c37
6 files changed, 144 insertions, 127 deletions
diff --git a/internal/c/Makefile b/internal/c/Makefile
index 03181b8..81f2e4b 100644
--- a/internal/c/Makefile
+++ b/internal/c/Makefile
@@ -5,8 +5,8 @@ SOURCES := $(wildcard *.bpf.c)
TARGETS := $(SOURCES:.bpf.c=.bpf.o)
all: $(TARGETS)
- # Only required when linking multiple .o into a single .o (not doing that atm)
- # bpftool gen object ioriotng.bpf.o $(TARGETS)
+
+redo: clean all
%.bpf.o: %.bpf.c vmlinux.h
$(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 \
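Review bot: The new `redo: clean all` target gives no ordering between its two prerequisites, so under `make -j` the `clean` recipe can delete objects while `all` is still producing them; write it as `redo:` with a recipe of `$(MAKE) clean` followed by `$(MAKE) all`, or add `.NOTPARALLEL: redo`. The `%.bpf.o` rule lists only `%.bpf.c vmlinux.h` as prerequisites, so edits to the `.c` files that `ioriotng.bpf.c` now `#include`s (see the other hunks) will not trigger a rebuild of the object, which looks like the reason `redo` was added; `%.bpf.o: %.bpf.c vmlinux.h $(wildcard *.c tracepoints/*.c)`, or `-MMD -MP` on the compile line plus `-include $(TARGETS:.o=.d)`, fixes the staleness properly. If `all`, `clean` and `redo` are not already declared `.PHONY` further down (the rest of the Makefile is outside the hunk), they should be.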
diff --git a/internal/c/filter.c b/internal/c/filter.c
new file mode 100644
index 0000000..a91eb84
--- /dev/null
+++ b/internal/c/filter.c
@@ -0,0 +1,5 @@
+//+build ignore
+
+static __always_inline int filter() {
+ return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
+}
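Review bot: `filter()` is declared with an empty parameter list, which in C11 is an unprototyped function; write `static __always_inline int filter(void)` and take the low word with a cast, `return (__u32)bpf_get_current_uid_gid() != UID_FILTER;`, which says what the mask spells out. Since this is the only gate every tracepoint goes through, its semantics deserve a comment: as I read the helper, it reports the task's real UID translated into the initial user namespace, so a process inside a user namespace is matched by its host-side UID rather than the one it sees, and a setuid binary is matched by the invoking user; `/* Drop the event unless the task's real UID (as seen from init_user_ns) is UID_FILTER. */`. The inverted sense (non-zero means "skip") is also worth a word, or a name like `not_traced_uid()`, given every caller writes `if (filter()) return 0;`.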
diff --git a/internal/c/ioriotng.bpf.c b/internal/c/ioriotng.bpf.c
index 2247daa..a48c944 100644
--- a/internal/c/ioriotng.bpf.c
+++ b/internal/c/ioriotng.bpf.c
@@ -6,130 +6,15 @@
#include "maps.h"
#include "flags.h"
-static __always_inline int filter() {
- return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
-}
-
-SEC("tracepoint/syscalls/sys_enter_openat")
-int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_open")
-int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
- return handle_enter_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_exit_open")
-int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
- return handle_exit_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_enter_close")
-int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_close")
-int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_write")
-int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = WRITE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_write")
-int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = WRITE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
+/**
+ * Including .c files, as linking several .o files into one single .o file doesn't work
+ * with shared BPF state such as ring buffers, maps and globals so well. Other BPF projects
+ * come along with one huuuuughe .c file with all the BPF code in it. I am rather
+ * splitting the code up into several smaller files.
+ */
+#include "filter.c"
+#include "tracepoints/open.c"
+#include "tracepoints/close.c"
+#include "tracepoints/write.c"
char LICENSE[] SEC("license") = "Dual BSD/GPL";
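Review bot: The include order on the new side is load-bearing but undocumented: `tracepoints/open.c`, `close.c` and `write.c` call `filter()` with no prototype and use `event_map` and the `*_OP_ID` constants from `maps.h`/`flags.h`, so `filter.c` must stay first and none of these files compiles on its own. Either say so in the header comment, e.g. `/* Order matters: maps.h/flags.h and filter.c must precede the tracepoint files, which use event_map, the *_OP_ID constants and filter() without declaring them. */`, or give the tracepoint files a small header with a prototype for `filter()` so a wrong order fails at compile time instead of linking to nothing. While touching the comment, "huuuuughe" can be fixed to "huge".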
diff --git a/internal/c/tracepoints/close.c b/internal/c/tracepoints/close.c
new file mode 100644
index 0000000..5e9504b
--- /dev/null
+++ b/internal/c/tracepoints/close.c
@@ -0,0 +1,38 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
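Review bot: `handle_exit_close` is attached to `sys_exit_close` but declares its context as `struct trace_event_raw_sys_enter *ctx`; the exit tracepoint passes a `struct trace_event_raw_sys_exit` (`id`, `ret`), so the signature should be `int handle_exit_close(struct trace_event_raw_sys_exit *ctx)`, matching `handle_exit_openat` in open.c. Nothing dereferences `ctx` in this handler today, which is why it compiles and runs, but the first person to record the result will have to reach for `ctx->args[0]` or fix the type first. Recording `ctx->ret` there would also let the consumer tell a failed `close()` (EBADF) from a successful one, which the current `null_event` cannot.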
diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c
new file mode 100644
index 0000000..b405c0e
--- /dev/null
+++ b/internal/c/tracepoints/open.c
@@ -0,0 +1,52 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ return handle_enter_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
+ return handle_exit_openat(ctx);
+}
+
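Review bot: `handle_enter_open` forwards the `open(2)` context to `handle_enter_openat`, which reads the pathname from `ctx->args[1]`; for `open(pathname, flags, mode)` the pathname is `args[0]` and `args[1]` is `flags`, so `open()` events carry an empty filename (or whatever `bpf_probe_read_user_str` finds at an address equal to the flags value, normally a fault that leaves the zeroed buffer). The exit side is unaffected since both syscalls return the fd. Separately, the memset on the enter path zeroes `sizeof(filename) + sizeof(comm)` bytes starting at `filename`, which assumes `comm` immediately follows `filename` in `struct openat_enter_event` (declared outside this hunk) with no padding; zeroing each field on its own keeps the no-uninitialised-ringbuf-bytes-to-userspace guarantee without depending on that layout. The sketch below factors the common body into a helper that takes the user pointer so each entry point passes the right argument.
```c
/* Shared enter body: the pathname is args[1] for openat(2) but args[0] for open(2). */
static __always_inline int emit_openat_enter(const void *user_path) {
    struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
    if (!ev)
        return 0;

    ev->op_id = OPENAT_ENTER_OP_ID;
    ev->pid_tgid = bpf_get_current_pid_tgid();
    ev->time = bpf_ktime_get_ns();

    /* Zero each field separately rather than assuming comm follows filename with no padding. */
    __builtin_memset(ev->filename, 0, sizeof(ev->filename));
    __builtin_memset(ev->comm, 0, sizeof(ev->comm));
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), user_path);
    bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
    bpf_ringbuf_submit(ev, 0);
    return 0;
}

SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
    if (filter())
        return 0;
    return emit_openat_enter((const void *)ctx->args[1]);
}

SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
    if (filter())
        return 0;
    return emit_openat_enter((const void *)ctx->args[0]);
}

/* … unchanged: handle_exit_openat, handle_exit_open … */
```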
diff --git a/internal/c/tracepoints/write.c b/internal/c/tracepoints/write.c
new file mode 100644
index 0000000..262cb48
--- /dev/null
+++ b/internal/c/tracepoints/write.c
@@ -0,0 +1,37 @@
+//+build ignore
+
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
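Review bot: `handle_exit_write` takes `struct trace_event_raw_sys_enter *ctx` although it is attached to `sys_exit_write`, whose context is `struct trace_event_raw_sys_exit`; change it to `int handle_exit_write(struct trace_event_raw_sys_exit *ctx)` so the type matches the tracepoint, as open.c does for its exit handler. It is harmless only because the body never touches `ctx`. If the intent is to reconstruct I/O, the enter handler could also record `(size_t)ctx->args[2]` (the requested count) and the exit handler `ctx->ret` (bytes actually written or a negative errno); with only the fd, a short or failed write is indistinguishable from a full one in the event stream.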