From 0f3e937fff5e8e7407f262694e8e2558bcfec703 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sun, 11 Feb 2024 00:02:38 +0200
Subject: refactor
---
 main.bpf.c | 40 +--------------------------------------
 main.go | 10 ++--------
 maps.bpf.h | 36 ++++++++++++++++++++++++++++++++++++
 3 files changed, 39 insertions(+), 47 deletions(-)
 create mode 100644 maps.bpf.h
diff --git a/main.bpf.c b/main.bpf.c
index 8a99d05..c162775 100644
--- a/main.bpf.c
+++ b/main.bpf.c
@@ -2,8 +2,8 @@
 #include "vmlinux.h"
 #include "opids.h"
-
 #include
+#include "maps.bpf.h"
 // TODO: Split out this file into several *.bpf.c programs.
@@ -11,30 +11,6 @@
 // For now, this is set to my own user for development purposes.
 #define UID_FILTER 1001
-// Helper structs for opening file(s)
-
-struct open_event {
- int fd;
- int op_id;
- u32 tid;
- char filename[256];
- char comm[16];
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} open_event_map SEC(".maps");
-
-// Map to temporarily store the filename from sys_enter_openat
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(struct open_event));
- __uint(max_entries, 128); // Adjust size as needed
-} open_event_temp_map SEC(".maps");
-
 SEC("tracepoint/syscalls/sys_enter_open")
 int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
@@ -92,20 +68,6 @@ int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
 return handle_exit_open(ctx);
 }
-// Helper structs for other syscalls on FDs
-
-struct fd_event {
- int fd;
- int op_id;
- u32 tid;
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} fd_event_map SEC(".maps");
-
 SEC("tracepoint/syscalls/sys_enter_close")
 int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
diff --git a/main.go b/main.go
index d280f94..5930763 100644
--- a/main.go
+++ b/main.go
@@ -73,12 +73,10 @@ func main() {
 }
 defer bpfModule.Close()
- // Todo, could build a eventListener struct, which is generic.
- if err = resizeMap(bpfModule, "open_event_map", 8192*10); err != nil {
+ if err = resizeMap(bpfModule, "open_event_map", 8192); err != nil {
 log.Fatal(err)
 }
-
- if err = resizeMap(bpfModule, "fd_event_map", 8192*10); err != nil {
+ if err = resizeMap(bpfModule, "fd_event_map", 8192); err != nil {
 log.Fatal(err)
 }
@@ -109,10 +107,6 @@ func main() {
 }
 }()
- go func() {
- defer wg.Done()
- }()
-
 wg.Wait()
 log.Println("Good bye")
 }
diff --git a/maps.bpf.h b/maps.bpf.h
new file mode 100644
index 0000000..afa1064
--- /dev/null
+++ b/maps.bpf.h
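Review bot: The map size is now the bare literal `8192` on both changed resizeMap lines; a single named constant, `const eventMapEntries = 8192`, used in both calls would keep the two perf-event maps sized together and make the next adjustment a one-line change. Note that going from `8192*10` to `8192` is a tenfold capacity cut, not a pure refactor as the subject line suggests: if resizeMap sets the capacity of the buffer the userspace reader drains, a burst of open/close activity from the filtered UID is more likely to be dropped, and dropped samples are a blind spot for whatever consumes these events — a short comment stating why 8192 is sufficient would let a later reader judge that trade-off. resizeMap's semantics and the rest of main are outside the hunk.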
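Review bot: The deleted goroutine's only effect was `wg.Done()`, so the matching `wg.Add` count — set somewhere outside this hunk — must have been reduced by one as well, otherwise `wg.Wait()` on the surviving line never returns; the hunk does not show the Add, so this needs confirming. A comment on `wg.Wait()` naming the goroutines it waits for would make the Add/Done accounting checkable at a glance. The enclosing main starts outside the hunk.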
@@ -0,0 +1,36 @@
+//+build ignore
+
+struct open_event {
+ int fd;
+ int op_id;
+ u32 tid;
+ char filename[256];
+ char comm[16];
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(u32));
+} open_event_map SEC(".maps");
+
+// Map to temporarily store the filename from sys_enter_openat
+struct {
+ __uint(type, BPF_MAP_TYPE_HASH);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(struct open_event));
+ __uint(max_entries, 128); // Adjust size as needed
+} open_event_temp_map SEC(".maps");
+
+struct fd_event {
+ int fd;
+ int op_id;
+ u32 tid;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(u32));
+ __uint(value_size, sizeof(u32));
+} fd_event_map SEC(".maps");
+
--
cgit v1.2.3
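Review bot: The new header has no include guard, so a second `#include "maps.bpf.h"` in the same translation unit would redefine `struct open_event`, `struct fd_event` and the three `SEC(".maps")` objects; wrap the file in `#ifndef MAPS_BPF_H` / `#define MAPS_BPF_H` / `#endif`. It also uses `u32`, `__uint`, `SEC` and the `BPF_MAP_TYPE_*` constants without including anything, so it compiles only when the includer has already pulled in vmlinux.h and the BPF helper headers — a one-line comment at the top stating that precondition (or the includes themselves) would make the ordering dependency explicit rather than silent. If the `//+build ignore` line is meant to keep `go build` from treating the file as a cgo input, the Go 1.17+ spelling is `//go:build ignore`. Finally, `open_event_temp_map` is described only as temporary storage: a comment saying what the u32 key identifies and what happens to an open event once all 128 entries are in use would tell a reader what "Adjust size as needed" actually costs, since from a monitoring standpoint an entry that cannot be stored is an exit event that cannot be correlated; the enter-side update that decides this is not in the hunk.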