From 0f3e937fff5e8e7407f262694e8e2558bcfec703 Mon Sep 17 00:00:00 2001
From: Paul Buetow
Date: Sun, 11 Feb 2024 00:02:38 +0200
Subject: refactor
---
 main.bpf.c | 40 +---------------------------------------
 1 file changed, 1 insertion(+), 39 deletions(-)
(limited to 'main.bpf.c')
diff --git a/main.bpf.c b/main.bpf.c
index 8a99d05..c162775 100644
--- a/main.bpf.c
+++ b/main.bpf.c
@@ -2,8 +2,8 @@
 #include "vmlinux.h"
 #include "opids.h"
-
 #include
+#include "maps.bpf.h"
 // TODO: Split out this file into several *.bpf.c programs.
@@ -11,30 +11,6 @@
 // For now, this is set to my own user for development purposes.
 #define UID_FILTER 1001
-// Helper structs for opening file(s)
-
-struct open_event {
- int fd;
- int op_id;
- u32 tid;
- char filename[256];
- char comm[16];
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} open_event_map SEC(".maps");
-
-// Map to temporarily store the filename from sys_enter_openat
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(struct open_event));
- __uint(max_entries, 128); // Adjust size as needed
-} open_event_temp_map SEC(".maps");
-
 SEC("tracepoint/syscalls/sys_enter_open")
 int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
@@ -92,20 +68,6 @@ int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
 return handle_exit_open(ctx);
 }
-// Helper structs for other syscalls on FDs
-
-struct fd_event {
- int fd;
- int op_id;
- u32 tid;
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
- __uint(key_size, sizeof(u32));
- __uint(value_size, sizeof(u32));
-} fd_event_map SEC(".maps");
-
 SEC("tracepoint/syscalls/sys_enter_close")
 int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
 if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
-- cgit v1.2.3
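Review bot: The added `#include "maps.bpf.h"` in the first hunk is placed after the other includes, and the definitions this commit removes use `u32`, `__uint` and `SEC(".maps")`, so unless the new header brings in its own prerequisites it only compiles in this include order. The header itself is not part of this view (the page is limited to main.bpf.c), so that, and the presence of an include guard, should be confirmed there. Because the TODO directly below plans to split this file into several *.bpf.c programs, note that map definitions living in a shared header are emitted into every object that includes it, so each program would presumably end up with its own `open_event_map`, `open_event_temp_map` and `fd_event_map` unless they are defined once and shared deliberately. A short comment on the include would record the dependency, e.g. `#include "maps.bpf.h" // event structs and maps; uses u32, __uint and SEC from the includes above`.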