From 88483511d71a4f74e03580866be73769c407beee Mon Sep 17 00:00:00 2001 From: Paul Buetow Date: Mon, 19 Feb 2024 10:31:59 +0200 Subject: move all C code to internal/c --- Makefile | 10 ++-- internal/c/Makefile | 14 +++++ internal/c/flags.h | 4 ++ internal/c/ioriotng.bpf.c | 136 +++++++++++++++++++++++++++++++++++++++++++++ internal/c/maps.h | 6 ++ internal/c/types.h | 41 ++++++++++++++ internal/flags/flags.bpf.h | 4 -- internal/ioriotng.bpf.c | 136 --------------------------------------------- internal/types/maps.bpf.h | 6 -- internal/types/types.bpf.h | 41 -------------- 10 files changed, 206 insertions(+), 192 deletions(-) create mode 100644 internal/c/Makefile create mode 100644 internal/c/flags.h create mode 100644 internal/c/ioriotng.bpf.c create mode 100644 internal/c/maps.h create mode 100644 internal/c/types.h delete mode 100644 internal/flags/flags.bpf.h delete mode 100644 internal/ioriotng.bpf.c delete mode 100644 internal/types/maps.bpf.h delete mode 100644 internal/types/types.bpf.h
diff --git a/Makefile b/Makefile
index 60ab9b3..68e70a2 100644
--- a/Makefile
+++ b/Makefile
@@ -11,9 +11,9 @@ build: bpfbuild gobuild
 
 .PHONY: bpfbuild
 bpfbuild:
- bpftool btf dump file /sys/kernel/btf/vmlinux format c > ./internal/types/vmlinux.h
- if [ ! -e ioriotng.bpf.c ]; then ln -s ./internal/ioriotng.bpf.c .; fi
- $(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 -I$(LIBBPFGO)/output -c ./internal/ioriotng.bpf.c -o ioriotng.bpf.o
+ make -C ./internal/c
+ if [ ! -e ioriotng.bpf.c ]; then ln -s ./internal/c/ioriotng.bpf.c .; fi
+ if [ ! -e ioriotng.bpf.o ]; then ln -s ./internal/c/ioriotng.bpf.o .; fi
 
 .PHONY: gobuild
 gobuild:
@@ -22,9 +22,9 @@ gobuild:
 .PHONY: clean
 clean:
 find . -type f -name ioriotng -delete
- find . -name \*.o -delete
- find . -name vmlinux.h -delete
 if [ -e ioriotng.bpf.c ]; then rm ioriotng.bpf.c; fi
+ if [ -e ioriotng.bpf.o ]; then rm ioriotng.bpf.o; fi
+ make -C ./internal/c clean
 
 .PHONY: run
 run:
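Review bot: Both new recipe lines that recurse into `./internal/c` (in `bpfbuild`, and again in `clean` in the second hunk) invoke `make` literally, so the sub-make gets no jobserver and is skipped entirely under `make -n`; write them as `$(MAKE) -C ./internal/c` and `$(MAKE) -C ./internal/c clean`. The symlink guards test with `[ -e ... ]`, which is false for a dangling link, so a stale `ioriotng.bpf.o` link left behind after running the sub-directory `clean` on its own would not be removed by the top-level `clean`. `rm -f ioriotng.bpf.c ioriotng.bpf.o` and `ln -sf` do not depend on the link target existing.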
diff --git a/internal/c/Makefile b/internal/c/Makefile
new file mode 100644
index 0000000..196b2d3
--- /dev/null
+++ b/internal/c/Makefile
@@ -0,0 +1,14 @@
+export LIBBPFGO = $(CURDIR)/../../../libbpfgo
+export CC = clang
+
+all: bpfbuild
+
+.PHONY: bpfbuild
+bpfbuild:
+ bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+ $(CC) -g -O2 -Wall -fpie -target bpf -D__TARGET_ARCH_amd64 -I$(LIBBPFGO)/output -c ioriotng.bpf.c -o ioriotng.bpf.o
+
+.PHONY: clean
+clean:
+ find . -name \*.o -delete
+ find . -name vmlinux.h -delete
diff --git a/internal/c/flags.h b/internal/c/flags.h
new file mode 100644
index 0000000..53b9492
--- /dev/null
+++ b/internal/c/flags.h
@@ -0,0 +1,4 @@
+//+build ignore
+
+const volatile u32 UID_FILTER = 0;
+volatile u32 DYNAMIC_UID_FILTER = 0;
diff --git a/internal/c/ioriotng.bpf.c b/internal/c/ioriotng.bpf.c
new file mode 100644
index 0000000..c9c9c88
--- /dev/null
+++ b/internal/c/ioriotng.bpf.c
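Review bot: `export LIBBPFGO = $(CURDIR)/../../../libbpfgo` assigns unconditionally, so when this Makefile is entered through the top-level `make -C ./internal/c` it replaces any `LIBBPFGO` the parent exported, and the libbpfgo location then has to be kept in sync in two places. `LIBBPFGO ?= $(CURDIR)/../../../libbpfgo` keeps the default for stand-alone builds while letting an inherited value win; whether the top-level Makefile exports the variable is not visible in this diff, so confirm before relying on it. `CC` should stay a plain assignment, because make's built-in default for `CC` would defeat `?=`. Since `bpfbuild` is `.PHONY`, `vmlinux.h` is regenerated from the build host's running kernel on every build, and a one-line comment saying so would help anyone comparing objects built on different hosts.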
@@ -0,0 +1,136 @@
+//+build ignore
+
+#include "vmlinux.h"
+#include
+#include "types.h"
+#include "maps.h"
+#include "flags.h"
+
+static __always_inline int filter() {
+ return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
+}
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
+ bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
+ bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_openat")
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = OPENAT_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = ctx->ret;
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ return handle_enter_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_exit_open")
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
+ return handle_exit_openat(ctx);
+}
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_close")
+int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = CLOSE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_write")
+int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_ENTER_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+ ev->fd = (int)ctx->args[0];
+
+ bpf_ringbuf_submit(ev, 0);
+ return 0;
+}
+
+SEC("tracepoint/syscalls/sys_exit_write")
+int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
+ if (filter())
+ return 0;
+
+ struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ if (!ev)
+ return 0;
+
+ ev->op_id = WRITE_EXIT_OP_ID;
+ ev->pid_tgid = bpf_get_current_pid_tgid();
+ ev->time = bpf_ktime_get_ns();
+
+ bpf_ringbuf_submit(ev, 0);
+
+ return 0;
+}
+
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
diff --git a/internal/c/maps.h b/internal/c/maps.h
new file mode 100644
index 0000000..7ec871c
--- /dev/null
+++ b/internal/c/maps.h
@@ -0,0 +1,6 @@
+//+build ignore
+
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 1 << 24);
+} event_map SEC(".maps");
diff --git a/internal/c/types.h b/internal/c/types.h
new file mode 100644
index 0000000..25cfcd8
--- /dev/null
+++ b/internal/c/types.h
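Review bot: `handle_enter_open` forwards to `handle_enter_openat`, which reads the path from `ctx->args[1]`; for open(2) the path pointer is the first syscall argument and `args[1]` is the flags value, so `bpf_probe_read_user_str` is handed an integer as a user address and events from `sys_enter_open` are presumably submitted with an empty `filename` (the return value is not checked and the buffer was zeroed just before). They are also tagged `OPENAT_ENTER_OP_ID`, so a consumer cannot tell the two syscalls apart. A shared `static __always_inline` helper that takes the user pointer, called with `args[1]` from the openat handler and `args[0]` from the open handler, fixes the path; the sketch below shows only the changed parts. Separately, `handle_exit_close` and `handle_exit_write` are declared with `struct trace_event_raw_sys_enter *ctx` although they attach to `sys_exit_*` tracepoints; `ctx` is unused there today, but `struct trace_event_raw_sys_exit *` would match `handle_exit_openat`.

```c
/* Shared body for open(2) and openat(2); the caller supplies the user-space path pointer. */
static __always_inline int record_open_enter(const void *user_path) {
    if (filter())
        return 0;

    struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0;

    /* … unchanged: op_id, pid_tgid, time, memset of filename and comm … */
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), user_path);
    /* … unchanged: bpf_get_current_comm, bpf_ringbuf_submit … */
    return 0;
}

SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
    /* openat(dfd, filename, flags, mode): path is the second argument */
    return record_open_enter((const void *)ctx->args[1]);
}

SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
    /* open(filename, flags, mode): path is the first argument */
    return record_open_enter((const void *)ctx->args[0]);
}
```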
@@ -0,0 +1,41 @@
+//+build ignore
+
+// These types mirror the Go types from internal/types/types.go
+//
+#define MAX_FILENAME_LENGTH 256
+#define MAX_PROGNAME_LENGTH 16
+
+#define OPENAT_ENTER_OP_ID 1
+#define OPENAT_EXIT_OP_ID 2
+#define CLOSE_ENTER_OP_ID 3
+#define CLOSE_EXIT_OP_ID 4
+#define WRITE_ENTER_OP_ID 5
+#define WRITE_EXIT_OP_ID 6
+#define WRITEV_ENTER_OP_ID 7
+#define WRITEV_EXIT_OP_ID 8
+
+struct null_event {
+ __u32 op_id;
+ __u32 pid_tgid;
+ __u64 time;
+};
+
+struct fd_event {
+ __u32 op_id;
+ __u32 pid_tgid;
+ __u64 time;
+ __s32 fd;
+};
+
+struct openat_enter_event {
+ __u32 op_id;
+ __u32 pid_tgid;
+ __u64 time;
+ char filename[MAX_FILENAME_LENGTH];
+ char comm[MAX_PROGNAME_LENGTH];
+};
+
+struct flags {
+ __u32 uid_filter;
+};
+
diff --git a/internal/flags/flags.bpf.h b/internal/flags/flags.bpf.h
deleted file mode 100644
index 53b9492..0000000
--- a/internal/flags/flags.bpf.h
+++ /dev/null
@@ -1,4 +0,0 @@
-//+build ignore
-
-const volatile u32 UID_FILTER = 0;
-volatile u32 DYNAMIC_UID_FILTER = 0;
diff --git a/internal/ioriotng.bpf.c b/internal/ioriotng.bpf.c
deleted file mode 100644
index 3948529..0000000
--- a/internal/ioriotng.bpf.c
+++ /dev/null
@@ -1,136 +0,0 @@
-//+build ignore
-
-#include "types/vmlinux.h"
-#include
-#include "types/types.bpf.h"
-#include "types/maps.bpf.h"
-#include "flags/flags.bpf.h"
-
-static __always_inline int filter() {
- return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER;
-}
-
-SEC("tracepoint/syscalls/sys_enter_openat")
-int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct openat_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct openat_enter_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- __builtin_memset(&(ev->filename), 0, sizeof(ev->filename) + sizeof(ev->comm));
- bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), (void *)ctx->args[1]);
- bpf_get_current_comm(&ev->comm, sizeof(ev->comm));
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = OPENAT_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = ctx->ret;
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_open")
-int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
- return handle_enter_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_exit_open")
-int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
- return handle_exit_openat(ctx);
-}
-
-SEC("tracepoint/syscalls/sys_enter_close")
-int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_close")
-int handle_exit_close(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = CLOSE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_enter_write")
-int handle_enter_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = WRITE_ENTER_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
- ev->fd = (int)ctx->args[0];
-
- bpf_ringbuf_submit(ev, 0);
- return 0;
-}
-
-SEC("tracepoint/syscalls/sys_exit_write")
-int handle_exit_write(struct trace_event_raw_sys_enter *ctx) {
- if (filter())
- return 0;
-
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
- if (!ev)
- return 0;
-
- ev->op_id = WRITE_EXIT_OP_ID;
- ev->pid_tgid = bpf_get_current_pid_tgid();
- ev->time = bpf_ktime_get_ns();
-
- bpf_ringbuf_submit(ev, 0);
-
- return 0;
-}
-
-
-char LICENSE[] SEC("license") = "Dual BSD/GPL";
diff --git a/internal/types/maps.bpf.h b/internal/types/maps.bpf.h
deleted file mode 100644
index 7ec871c..0000000
--- a/internal/types/maps.bpf.h
+++ /dev/null
@@ -1,6 +0,0 @@
-//+build ignore
-
-struct {
- __uint(type, BPF_MAP_TYPE_RINGBUF);
- __uint(max_entries, 1 << 24);
-} event_map SEC(".maps");
diff --git a/internal/types/types.bpf.h b/internal/types/types.bpf.h
deleted file mode 100644
index 25cfcd8..0000000
--- a/internal/types/types.bpf.h
+++ /dev/null
@@ -1,41 +0,0 @@
-//+build ignore
-
-// These types mirror the Go types from internal/types/types.go
-//
-#define MAX_FILENAME_LENGTH 256
-#define MAX_PROGNAME_LENGTH 16
-
-#define OPENAT_ENTER_OP_ID 1
-#define OPENAT_EXIT_OP_ID 2
-#define CLOSE_ENTER_OP_ID 3
-#define CLOSE_EXIT_OP_ID 4
-#define WRITE_ENTER_OP_ID 5
-#define WRITE_EXIT_OP_ID 6
-#define WRITEV_ENTER_OP_ID 7
-#define WRITEV_EXIT_OP_ID 8
-
-struct null_event {
- __u32 op_id;
- __u32 pid_tgid;
- __u64 time;
-};
-
-struct fd_event {
- __u32 op_id;
- __u32 pid_tgid;
- __u64 time;
- __s32 fd;
-};
-
-struct openat_enter_event {
- __u32 op_id;
- __u32 pid_tgid;
- __u64 time;
- char filename[MAX_FILENAME_LENGTH];
- char comm[MAX_PROGNAME_LENGTH];
-};
-
-struct flags {
- __u32 uid_filter;
-};
-
--
cgit v1.2.3