Diffstat (limited to 'internal')
| -rw-r--r-- | internal/c/generated/tracepoints.c | 28 | ||||
| -rw-r--r-- | internal/c/generated/tracepoints.raku | 4 | ||||
| -rw-r--r-- | internal/eventloop.go | 19 | ||||
| -rw-r--r-- | internal/file.go | 23 |
4 files changed, 53 insertions, 21 deletions
diff --git a/internal/c/generated/tracepoints.c b/internal/c/generated/tracepoints.c
index e824de3..6e17c0c 100644
--- a/internal/c/generated/tracepoints.c
+++ b/internal/c/generated/tracepoints.c
@@ -692,8 +692,8 @@ int handle_sys_enter_rename(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
@@ -736,8 +736,8 @@ int handle_sys_enter_renameat(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
@@ -780,8 +780,8 @@ int handle_sys_enter_renameat2(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
@@ -824,8 +824,8 @@ int handle_sys_enter_link(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
@@ -868,8 +868,8 @@ int handle_sys_enter_linkat(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
@@ -912,8 +912,8 @@ int handle_sys_enter_symlink(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
@@ -956,8 +956,8 @@ int handle_sys_enter_symlinkat(struct trace_event_raw_sys_enter *ctx) { ev->tid = tid; ev->time = bpf_ktime_get_ns() / 1000; __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname)); - bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]); - bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]); + bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]); + bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]); bpf_ringbuf_submit(ev, 0); return 0;
diff --git a/internal/c/generated/tracepoints.raku b/internal/c/generated/tracepoints.raku
index ef79ed6..6eb938b 100644
--- a/internal/c/generated/tracepoints.raku
+++ b/internal/c/generated/tracepoints.raku
@@ -71,8 +71,8 @@ class Format {
 elsif $!has-name {
 q:to/END/.trim-trailing;
 __builtin_memset(&(ev->oldname), 0, sizeof(ev->oldname) + sizeof(ev->newname));
- bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (const char*)ctx->args[0]);
- bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (const char*)ctx->args[1]);
+ bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]);
+ bpf_probe_read_user_str(ev->newname, sizeof(ev->newname), (void*)ctx->args[1]);
 END
 } else { '' };
diff --git a/internal/eventloop.go b/internal/eventloop.go
index fa799ee..bf0ddf2 100644
--- a/internal/eventloop.go
+++ b/internal/eventloop.go
@@ -43,6 +43,7 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 delete(enterEvs, exitEv.GetTid())
 ev.exitEv = exitEv
+ // TODO: Rename SyscallId to TraceId
 // Expect ID one lower, otherwise, enter and exit tracepoints
 // don't match up. E.g.:
 // enterEv:SYS_ENTER_OPEN => exitEv:SYS_EXIT_OPEN
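Review bot: The template hard-codes `ctx->args[0]` and `ctx->args[1]` as the two path pointers for every has-name format, and the generated handlers in this same commit show that is wrong for the ...at variants: renameat/renameat2 and linkat take (olddirfd, oldpath, newdirfd, newpath), so the paths are args[1] and args[3], and symlinkat takes (target, newdirfd, linkpath), so they are args[0] and args[2]. For those syscalls bpf_probe_read_user_str is handed a dirfd integer as a user pointer and fails, and because its return value is discarded the event is still submitted with a zeroed oldname/newname that userspace cannot distinguish from a genuinely empty path, so renames and links through the ...at family are effectively invisible to the tracer. The argument indices should be per-format template parameters rather than fixed 0/1, and each read should be checked, e.g. `if (bpf_probe_read_user_str(ev->oldname, sizeof(ev->oldname), (void*)ctx->args[0]) < 0) { /* mark the name as unreadable in the event */ }`. Note also that a sys_enter probe reads the user string independently of the kernel's own copy, so a racing thread can change the path between the trace read and the syscall; the recorded name is best-effort evidence, not necessarily what the kernel acted on. The enclosing `class Format` method starts and ends outside the hunk.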
@@ -50,12 +51,14 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 ev.tracepointMismatch = true
 }
- // Handle the opening of a file.
+ // TODO: switch here on type?
+
+ // Handle file open.
 if ev.is(SYS_ENTER_OPENAT) || ev.is(SYS_ENTER_OPEN) {
 openEnterEv := ev.enterEv.(*OpenEnterEvent)
 fd := ev.exitEv.(*FdEvent).Fd
- file := file{fd, string(openEnterEv.Filename[:])}
+ file := fdFile{fd, string(openEnterEv.Filename[:])}
 if fd >= 0 {
 files[fd] = file
 }
@@ -69,12 +72,20 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 return
 }
+ // Generic handling of any syscall with newname/oldname arguments
+ if nameEvent, ok := ev.enterEv.(*NameEvent); ok {
+ ev.file = oldnameNewnameFile{
+ oldname: string(nameEvent.Oldname[:]),
+ newname: string(nameEvent.Newname[:]),
+ }
+ }
+ // Generic handling of any syscall expecting a file descriptor (fd)
 if fdEvent, ok := ev.enterEv.(*FdEvent); ok {
 if file_, ok := files[fdEvent.Fd]; ok {
 ev.file = file_
 } else {
- ev.file = file{fdEvent.Fd, "?"}
+ ev.file = fdFile{fdEvent.Fd, "?"}
 }
 if ev.is(SYS_ENTER_CLOSE) {
 delete(files, fdEvent.Fd)
@@ -102,6 +113,8 @@ func events(rawCh <-chan []byte) <-chan enterExitEvent {
 exit(NewNullEvent(raw))
 case EXIT_RET_EVENT:
 exit(NewRetEvent(raw))
+ case ENTER_NAME_EVENT:
+ enter(NewNameEvent(raw))
 default:
 panic(fmt.Sprintf("Unhandled event type %s", EventType(raw[0])))
 }
diff --git a/internal/file.go b/internal/file.go
index 069e68f..81fe43d 100644
--- a/internal/file.go
+++ b/internal/file.go
@@ -5,12 +5,16 @@ import (
 "strings"
 )
-type file struct {
+type file interface {
+ String() string
+}
+
+type fdFile struct {
 fd int32
 name string
 }
-func (f file) String() string {
+func (f fdFile) String() string {
 var sb strings.Builder
 if len(f.name) == 0 {
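Review bot: `string(nameEvent.Oldname[:])` in the new NameEvent branch converts the entire fixed-size buffer, so if Oldname/Newname are the NUL-padded arrays the BPF side fills (it memsets them to zero and then reads a NUL-terminated string into them), the resulting Go strings carry trailing NUL bytes: they will not compare equal to the path they represent, they print invisibly, and a name whose probe read failed in the kernel becomes an all-NUL string indistinguishable from a successful empty result. Cut at the terminator instead, e.g. `oldname: string(bytes.TrimRight(nameEvent.Oldname[:], "\x00"))` and the same for newname (adding the `bytes` import if it is not already present); the existing Filename conversion a few lines up has the same property and would benefit from one shared helper. Consider also giving an empty name the same `"?"` treatment the fd branch uses, so an unreadable path is visible in output rather than silent. `events` continues outside the hunk.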
@@ -24,3 +28,18 @@ func (f file) String() string {
 return sb.String()
 }
+
+type oldnameNewnameFile struct {
+ oldname, newname string
+}
+
+func (f oldnameNewnameFile) String() string {
+ var sb strings.Builder
+
+ sb.WriteString("old:")
+ sb.WriteString(f.oldname)
+ sb.WriteString(" ->new:")
+ sb.WriteString(f.newname)
+
+ return sb.String()
+} |
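Review bot: `oldnameNewnameFile` and its `String` method carry no doc comment, and the output format `old:<x> ->new:<y>` is asymmetric (a space before the arrow, none after), which makes the rendered event awkward to read and to match with a downstream grep. I would add `// oldnameNewnameFile names the two path arguments of a syscall such as rename, link or symlink (and their ...at variants); both names come from fixed-size kernel-side buffers and may be empty or truncated.` above the struct, and change the two literals to `sb.WriteString("old:")` / `sb.WriteString(" -> new:")`. Since the body is four fixed writes, `fmt.Sprintf("old:%s -> new:%s", f.oldname, f.newname)` would also read more directly than the builder, if `fmt` is imported in this file.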
