From 8ec79e38f30738701c1ca48f5cfa724b41f866f6 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sat, 10 Feb 2024 20:13:40 +0200
Subject: add opids
---
 build.sh | 4 ++++
 main.bpf.c | 11 ++++++-----
 main.go | 29 +++++++++++++++++------------
 opids.go | 5 +++++
 opids.h | 3 +++
 5 files changed, 35 insertions(+), 17 deletions(-)
 create mode 100644 opids.go
 create mode 100644 opids.h
diff --git a/build.sh b/build.sh
index 4777061..8e49c9c 100755
--- a/build.sh
+++ b/build.sh
@@ -5,6 +5,10 @@ set -xeuf -o pipefail
 declare -r LIBBPFGO="$(pwd)/../libbpfgo"
 bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
+echo 'package main' > opids.go
+echo >> opids.go
+sed -E 's/#define (.*) ([0-9]+)/const \1 = \2/' opids.h >> opids.go
+
 clang -g -O2 -Wall -fpie -I../libbpfgo/selftest/common -target bpf -D__TARGET_ARCH_amd64 -I../libbpfgo/output -I../libbpfgo/selftest/common -c main.bpf.c -o main.bpf.o
 export CC=clang
diff --git a/main.bpf.c b/main.bpf.c
index 8b0b2a2..8a99d05 100644
--- a/main.bpf.c
+++ b/main.bpf.c
@@ -1,6 +1,7 @@
 //+build ignore
 #include "vmlinux.h"
+#include "opids.h"
 #include
@@ -14,7 +15,7 @@ struct open_event {
 int fd;
- int syscall_id;
+ int op_id;
 u32 tid;
 char filename[256];
 char comm[16];
@@ -40,7 +41,7 @@ int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 u32 tid = bpf_get_current_pid_tgid();
- struct open_event event = { .syscall_id = ctx->id };
+ struct open_event event = { .op_id = OPEN };
 bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]);
 bpf_get_current_comm(&event.comm, sizeof(event.comm));
@@ -73,7 +74,7 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
 return 0;
 u32 tid = bpf_get_current_pid_tgid();
- struct open_event event = { .syscall_id = ctx->id };
+ struct open_event event = { .op_id = OPEN_AT };
 bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[1]);
 bpf_get_current_comm(&event.comm, sizeof(event.comm));
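Review bot: The new `sed -E 's/#define (.*) ([0-9]+)/const \1 = \2/' opids.h >> opids.go` line copies every line of opids.h that does not match the pattern into opids.go unchanged (sed prints all input unless told otherwise), so an include guard, a `#define` with a non-numeric value or a trailing comment in the header would become invalid Go and fail the build with an unrelated-looking compile error; the pattern is also unanchored. Printing only on a match and anchoring both ends, `sed -nE 's/^#define ([A-Za-z_][A-Za-z0-9_]*) ([0-9]+)$/const \1 = \2/p' opids.h >> opids.go`, limits the output to exactly the lines the Go side expects. Writing `// Code generated by build.sh from opids.h. DO NOT EDIT.` as the first line of opids.go (before `package main`) would also tell readers and linters that the checked-in copy is regenerated on every build.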
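Review bot: `struct open_event` gains `op_id` here, but nothing in main.bpf.c records that the struct is consumed byte-for-byte on the Go side as `openEvent` (main.go, same commit), so field order, widths and the 256/16 array sizes must stay aligned on both sides and an edit to only one of them would silently misparse every event. A comment above the struct, `/* Layout mirrored by openEvent in main.go: keep field order and sizes in sync. */`, and the matching `/* Layout mirrored by fdEvent in main.go. */` on `struct fd_event` in the later hunk, make that coupling visible at the point where someone would add a field. Presumably the Go side decodes the raw perf-buffer bytes into these structs directly; the hunks do not show the decoding, so this is inferred from the identical field lists.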
@@ -95,7 +96,7 @@ int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
 struct fd_event {
 int fd;
- int syscall_id;
+ int op_id;
 u32 tid;
 };
@@ -112,7 +113,7 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
 struct fd_event event = {
 .fd = (int)ctx->args[0],
- .syscall_id = ctx->id,
+ .op_id = CLOSE,
 .tid = bpf_get_current_pid_tgid(),
 };
 bpf_perf_event_output(ctx, &fd_event_map, BPF_F_CURRENT_CPU, &event, sizeof(struct fd_event));
diff --git a/main.go b/main.go
index 48e4f95..941af2f 100644
--- a/main.go
+++ b/main.go
@@ -21,28 +21,28 @@ type BpfMapper interface {
 }
 type openEvent struct {
- FD int32
- SyscallID int32
- TID uint32
- Filename [256]byte
- Comm [16]byte
+ FD int32
+ OpID int32
+ TID uint32
+ Filename [256]byte
+ Comm [16]byte
 }
 func (e openEvent) String() string {
 filename := e.Filename[:]
 comm := e.Comm[:]
- return fmt.Sprintf("syscall:%d tid:%v fd:%v filename:%s, comm:%s",
- e.SyscallID, e.TID, e.FD, string(filename), string(comm))
+ return fmt.Sprintf("opId:%d tid:%v fd:%v filename:%s, comm:%s",
+ e.OpID, e.TID, e.FD, string(filename), string(comm))
 }
 type fdEvent struct {
- FD int32
- SyscallID int32
- TID uint32
+ FD int32
+ OpID int32
+ TID uint32
 }
 func (e fdEvent) String() string {
- return fmt.Sprintf("syscall:%d tid:%v fd:%v", e.SyscallID, e.TID, e.FD)
+ return fmt.Sprintf("opId:%d tid:%v fd:%v", e.OpID, e.TID, e.FD)
 }
 func resizeMap(module *bpf.Module, name string, size uint32) error {
@@ -69,10 +69,15 @@ func main() {
 }
 defer bpfModule.Close()
+ // Todo, could build a eventListener struct, which is generic.
 if err = resizeMap(bpfModule, "open_event_map", 8192*10); err != nil {
 log.Fatal(err)
 }
+ if err = resizeMap(bpfModule, "fd_event_map", 8192*10); err != nil {
+ log.Fatal(err)
+ }
+
 err = bpfModule.BPFLoadObject()
 if err != nil {
 log.Fatal(err)
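Review bot: The rewritten `openEvent.String()` still formats `filename` and `comm` with `%s` straight from the fixed 256/16-byte arrays, so every line carries the NUL padding of the buffers, and because `filename` is copied from user memory by `bpf_probe_read_user_str` in main.bpf.c, a path containing newlines or other control characters lands unescaped in the log and can split or forge log lines. Truncating at the first NUL and printing with `%q` keeps one event per log line and makes unusual bytes visible; the helper below needs `bytes` imported at the top of main.go, which is outside this hunk, and `fdEvent.String` in the same hunk has no string fields and is fine as is.
```go
// cstr returns the contents of a fixed-size C char array up to its first NUL.
func cstr(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

func (e openEvent) String() string {
	// %q escapes control characters that arrive from user memory, so one event stays one log line.
	return fmt.Sprintf("opId:%d tid:%v fd:%v filename:%q, comm:%q",
		e.OpID, e.TID, e.FD, cstr(e.Filename[:]), cstr(e.Comm[:]))
}
```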
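Review bot: The added `resizeMap(bpfModule, "fd_event_map", 8192*10)` repeats the `8192*10` literal from the `open_event_map` call two lines above, so the two perf-buffer sizes can drift apart without anyone noticing; hoisting it into `const perfMapEntries = 8192 * 10` and using it in both calls names the value and keeps them tied together. The new `// Todo, could build a eventListener struct, which is generic.` comment would be picked up by tooling if written as a standard marker, `// TODO: build a generic eventListener struct so each map is set up the same way.`. `main` begins and ends outside this hunk.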
@@ -115,7 +120,6 @@ func listenToEvents[T BpfMapper](ctx context.Context, bpfModule *bpf.Module, map
 eventsCh := make(chan T)
 pb, err := bpfModule.InitPerfBuf(mapName, rawEventsCh, rawLostCh, 1)
- pb.Poll(pollSize)
 if err != nil {
 log.Fatal(err)
 }
@@ -126,6 +130,7 @@ func listenToEvents[T BpfMapper](ctx context.Context, bpfModule *bpf.Module, map
 pb.Close()
 close(eventsCh)
 }()
+ pb.Poll(pollSize)
 for {
 select {
 case <-ctx.Done():
diff --git a/opids.go b/opids.go
new file mode 100644
index 0000000..eda15fd
--- /dev/null
+++ b/opids.go
@@ -0,0 +1,5 @@
+package main
+
+const OPEN = 1
+const OPEN_AT = 2
+const CLOSE = 3
diff --git a/opids.h b/opids.h
new file mode 100644
index 0000000..71ddf98
--- /dev/null
+++ b/opids.h
@@ -0,0 +1,3 @@
+#define OPEN 1
+#define OPEN_AT 2
+#define CLOSE 3
-- 
cgit v1.2.3
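Review bot: The relocated `pb.Poll(pollSize)` now runs only after `InitPerfBuf`'s error is checked and after the goroutine that calls `pb.Close()` exists, but nothing records why that order matters, so a later edit could move it back in front of the error check (the nil-`pb` use the removed line had) or ahead of the shutdown goroutine. A one-line comment, `// Start polling only after pb is known valid and the ctx.Done() shutdown goroutine is in place.`, pins the ordering. If libbpfgo's `Close` does not itself stop the poll loop, the shutdown goroutine would additionally need a `pb.Stop()` before `pb.Close()`; the hunk does not show enough of the library contract to say. `listenToEvents` begins before and ends after both of its hunks.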
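Review bot: opids.h carries no note that build.sh rewrites it line by line into opids.go, so the next person to add an include guard, a comment or a non-numeric `#define` will find that text copied verbatim into the Go file by the `sed` in build.sh and break the Go build. A leading block comment, `/* Op ids shared by main.bpf.c and main.go. build.sh turns every "#define NAME N" line into a Go const in opids.go, so keep one numeric #define per line. */`, documents the constraint; a C block comment passes through that `sed` as a valid Go comment, whereas `#pragma once` or `#ifndef` guards would not. The three values are otherwise fine as a shared enumeration.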