1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
|
package internal
import "C"
import (
"fmt"
. "ioriotng/internal/generated/types"
bpf "github.com/aquasecurity/libbpfgo"
)
func eventLoop(bpfModule *bpf.Module, rawCh <-chan []byte) {
for ev := range events(rawCh) {
fmt.Println(ev)
ev.recycle()
}
fmt.Println("Good bye")
}
func events(rawCh <-chan []byte) <-chan enterExitEvent {
evCh := make(chan enterExitEvent)
enterEvs := make(map[uint32]enterExitEvent)
files := make(map[int32]file)
enter := func(enterEv event) {
enterEvs[enterEv.GetTid()] = enterExitEvent{
enterEv: enterEv,
}
}
exit := func(exitEv event) {
ev, ok := enterEvs[exitEv.GetTid()]
if !ok {
exitEv.Recycle()
return
}
delete(enterEvs, exitEv.GetTid())
ev.exitEv = exitEv
if ev.is(SYS_ENTER_OPENAT, SYS_EXIT_OPENAT) || ev.is(SYS_ENTER_OPEN, SYS_EXIT_OPEN) {
openEnterEv := ev.enterEv.(*OpenEnterEvent)
fd := ev.exitEv.(*FdEvent).Fd
file := file{fd, string(openEnterEv.Filename[:])}
if fd >= 0 {
files[fd] = file
}
ev.comm = string(openEnterEv.Comm[:])
ev.file = file
return
}
if fdEvent, ok := ev.enterEv.(*FdEvent); ok {
if file_, ok := files[fdEvent.Fd]; ok {
ev.file = file_
} else {
ev.file = file{fdEvent.Fd, "?"}
}
if ev.is(SYS_ENTER_CLOSE, SYS_EXIT_CLOSE) {
delete(files, fdEvent.Fd)
}
}
evCh <- ev
}
go func() {
defer close(evCh)
for raw := range rawCh {
switch EventType(raw[0]) {
case ENTER_OPEN_EVENT:
enter(NewOpenEnterEvent(raw))
case EXIT_OPEN_EVENT:
exit(NewFdEvent(raw))
case ENTER_FD_EVENT:
enter(NewFdEvent(raw))
case EXIT_FD_EVENT:
exit(NewFdEvent(raw))
case EXIT_NULL_EVENT:
exit(NewNullEvent(raw))
case EXIT_RET_EVENT:
exit(NewRetEvent(raw))
default:
panic(fmt.Sprintf("Unhandled event type %s", EventType(raw[0])))
}
}
}()
return evCh
}
|
