From 202c3c4e6fe6bd8082e221f8866dd1d55a398636 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Fri, 16 Feb 2024 02:06:14 +0200
Subject: move C file to internal
---
 .gitignore | 2 +
 Makefile | 4 +-
 internal/ioriotng.bpf.c | 100 ++++++++++++++++++++++++++++++++++++++++++++++++
 ioriotng.bpf.c | 100 ------------------------------------------------
 4 files changed, 105 insertions(+), 101 deletions(-)
 create mode 100644 internal/ioriotng.bpf.c
 delete mode 100644 ioriotng.bpf.c
diff --git a/.gitignore b/.gitignore
index 0a40280..bb65147 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
 ioriotng
+/ioriotng.bpf.c
 *.o
 vmlinux.h
+
diff --git a/Makefile b/Makefile
index 116d967..60ab9b3 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,8 @@ build: bpfbuild gobuild
 .PHONY: bpfbuild
 bpfbuild:
 bpftool btf dump file /sys/kernel/btf/vmlinux format c > ./internal/types/vmlinux.h
- $(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 -I$(LIBBPFGO)/output -c ioriotng.bpf.c -o ioriotng.bpf.o
+ if [ ! -e ioriotng.bpf.c ]; then ln -s ./internal/ioriotng.bpf.c .; fi
+ $(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 -I$(LIBBPFGO)/output -c ./internal/ioriotng.bpf.c -o ioriotng.bpf.o
 
 .PHONY: gobuild
 gobuild:
@@ -23,6 +24,7 @@ clean:
 find . -type f -name ioriotng -delete
 find . -name \*.o -delete
 find . -name vmlinux.h -delete
+ if [ -e ioriotng.bpf.c ]; then rm ioriotng.bpf.c; fi
 
 .PHONY: run
 run:
diff --git a/internal/ioriotng.bpf.c b/internal/ioriotng.bpf.c
new file mode 100644
index 0000000..13a112d
--- /dev/null
+++ b/internal/ioriotng.bpf.c
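Review bot: The `[ -e ioriotng.bpf.c ]` tests added to `bpfbuild` and `clean` follow symlinks, so a dangling link (for example after the tree is copied or `internal/` is moved) counts as absent: `ln -s` then fails with "File exists" and `clean` leaves the stale link behind. Since the path is now git-ignored and treated as a build artifact, `ln -sf ./internal/ioriotng.bpf.c ioriotng.bpf.c` and `rm -f ioriotng.bpf.c` would cover both cases without the guard. The `clean` recipe starts outside its hunk.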
@@ -0,0 +1,100 @@
+//+build ignore
+
+#include "types/vmlinux.h"
+#include
+#include "types/types.bpf.h"
+#include "types/maps.bpf.h"
+
+static inline int filter() {
+ u32 key = 1;
+ struct flags *flagsp = bpf_map_lookup_elem(&flags_map, &key);
+ return flagsp == NULL || (bpf_get_current_uid_gid() & 0xFFFFFFFF) != flagsp->uid_filter;
+}
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_ENTER_OP_ID;
+ ev->tid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_EXIT_OP_ID;
+ ev->tid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ return handle_enter_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
+ return handle_exit_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_ENTER_OP_ID;
+ ev->tid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_EXIT_OP_ID;
+ ev->tid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
diff --git a/ioriotng.bpf.c b/ioriotng.bpf.c
deleted file mode 100644
index 1b64ee4..0000000
--- a/ioriotng.bpf.c
+++ /dev/null
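Review bot: `handle_enter_open` forwards to `handle_enter_openat`, which reads the path from `ctx->args[1]`; for open(2) the pathname is the first argument, so on `sys_enter_open` that slot holds the flags and `bpf_probe_read_user_str` will most likely fail, leaving open() events with the zeroed filename. The helper's return value is ignored, so this gap in the trace is silent to the consumer. Moving the shared body into a helper that takes the user pointer lets each tracepoint pass the correct argument, as sketched below. Separately, `handle_exit_close` sits on a sys_exit tracepoint but declares its context as `struct trace_event_raw_sys_enter *`; ctx is unused there, so `struct trace_event_raw_sys_exit *` would match the other exit handlers.

```c
/* Shared body for the open/openat entry probes; user_path is the
 * syscall's pathname argument as seen by the tracepoint. */
static __always_inline int emit_open_enter(const void *user_path) {
	// … unchanged: filter(), ringbuf reserve, op_id/tid/time, memset …
	bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), user_path);
	// … unchanged: bpf_get_current_comm, bpf_ringbuf_submit …
	return 0;
}

SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
	/* openat(dirfd, pathname, ...): pathname is args[1] */
	return emit_open_enter((const void *)ctx->args[1]);
}

SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
	/* open(pathname, ...): pathname is args[0] */
	return emit_open_enter((const void *)ctx->args[0]);
}
```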
@@ -1,100 +0,0 @@
-//+build ignore
-
-#include "internal/types/vmlinux.h"
-#include
-#include "internal/types/types.bpf.h"
-#include "internal/types/maps.bpf.h"
-
-static inline int filter() {
- u32 key = 1;
- struct flags *flagsp = bpf_map_lookup_elem(&flags_map, &key);
- return flagsp == NULL || (bpf_get_current_uid_gid() & 0xFFFFFFFF) != flagsp->uid_filter;
-}
-
-SEC("tracepoint/syscalls/sys_enter_openat")
-int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_ENTER_OP_ID;
- ev->tid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_EXIT_OP_ID;
- ev->tid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_open")
-int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
- return handle_enter_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_exit_open")
-int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
- return handle_exit_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_enter_close")
-int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_ENTER_OP_ID;
- ev->tid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_close")
-int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_EXIT_OP_ID;
- ev->tid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-char LICENSE[] SEC("license") = "Dual BSD/GPL";
-- 
cgit v1.2.3