diff options
| author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-31 00:25:30 +0100 |
|---|---|---|
| committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-31 00:25:30 +0100 |
| commit | 050bc2c9690fd5932c83e8ed2750d5e4b72b5906 (patch) | |
| tree | 25297ad01b1c4a5df84c443e2e34b135d8ad6bcc | |
| parent | start fetching pwd recursively (diff) | |
| download | fs-tracer-050bc2c9690fd5932c83e8ed2750d5e4b72b5906.tar.gz fs-tracer-050bc2c9690fd5932c83e8ed2750d5e4b72b5906.tar.bz2 fs-tracer-050bc2c9690fd5932c83e8ed2750d5e4b72b5906.zip | |
cleanup
| -rw-r--r-- | fs-tracer-common/Cargo.toml | 2 | ||||
| -rw-r--r-- | fs-tracer-common/src/lib.rs | 12 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/main.rs | 43 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/mod.rs | 2 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 17 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/write.rs | 15 |
6 files changed, 34 insertions, 57 deletions
diff --git a/fs-tracer-common/Cargo.toml b/fs-tracer-common/Cargo.toml index 2600868..6fc97ca 100644 --- a/fs-tracer-common/Cargo.toml +++ b/fs-tracer-common/Cargo.toml @@ -9,6 +9,8 @@ user = ["aya"] [dependencies] aya = { git = "https://github.com/aya-rs/aya", optional = true } +aya-bpf = { git = "https://github.com/aya-rs/aya" } + [lib] path = "src/lib.rs" diff --git a/fs-tracer-common/src/lib.rs b/fs-tracer-common/src/lib.rs index 7ed6d66..4469128 100644 --- a/fs-tracer-common/src/lib.rs +++ b/fs-tracer-common/src/lib.rs @@ -1,7 +1,11 @@ #![no_std] +#![feature(c_size_t)] +use core::ffi::c_uint; use core::fmt::{self, Formatter}; use core::str; +use aya_bpf::cty::c_long; +use core::ffi::c_size_t; pub enum SyscallInfo { Write(WriteSyscallBPF), @@ -10,11 +14,11 @@ pub enum SyscallInfo { #[derive(Clone, Copy)] pub struct WriteSyscallBPF { pub pid: u32, - pub fd: u64, - pub buf: [u8; 96], - pub count: u64, + pub fd: c_uint, + pub buf: [u8; 96], //TODO: might want to use c_char here + pub count: c_size_t, - pub ret: i64, + pub ret: c_long, } unsafe impl Sync for WriteSyscallBPF {} diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs index d6539cd..18f22eb 100644 --- a/fs-tracer-ebpf/src/main.rs +++ b/fs-tracer-ebpf/src/main.rs @@ -1,16 +1,13 @@ #![no_std] #![no_main] +#![feature(c_size_t)] -use core::fmt::Error; -mod syscalls; -use core::str; +#![allow(warnings, unused)] mod vmlinux; +mod syscalls; -use aya_bpf::cty::c_long; -use aya_bpf::helpers::{ - bpf_get_current_task, bpf_get_current_task_btf, bpf_probe_read_kernel_str_bytes, - bpf_probe_read_user_str_bytes, -}; +use core::str; +use aya_bpf::cty::{c_int, c_long}; use aya_bpf::maps::HashMap; use aya_bpf::{ macros::{map, tracepoint}, @@ -20,7 +17,6 @@ use aya_bpf::{ }; use aya_log_ebpf::info; use fs_tracer_common::{SyscallInfo, WriteSyscallBPF}; -use vmlinux::{dentry, fs_struct, path, task_struct}; #[map] static EVENTS: PerfEventArray<SyscallInfo> = PerfEventArray::with_max_entries(24, 0); @@ -33,8 +29,6 @@ static EVENTS: PerfEventArray<SyscallInfo> = PerfEventArray::with_max_entries(24 #[map] static SYSCALL_ENTERS: HashMap<u32, SyscallInfo> = HashMap::with_max_entries(24, 0); -//TODO: Clean up code. Generics. Arbitrary length buffer? https://github.com/elbaro/mybee/blob/fe037927b848cdbe399c0b0730ae79400cf95279/mybee-ebpf/src/main.rs#L29 - enum SyscallType { Enter, Exit, @@ -44,7 +38,7 @@ enum SyscallType { pub fn fs_tracer_enter(ctx: TracePointContext) -> c_long { match try_fs_tracer(ctx, SyscallType::Enter) { Ok(ret) => ret, - Err(ret) => ret, + Err(ret) => -ret, } } @@ -53,38 +47,19 @@ pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long { //info!(&ctx, "Hi"); match try_fs_tracer(ctx, SyscallType::Exit) { Ok(ret) => ret, - Err(ret) => ret, + Err(ret) => -ret, } } - -#[inline(always)] -fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> { - let start = ctx.as_ptr(); //maybe try using the bpf_probe_read here to see if we can use result of that to know the type of the syscall - - Some(unsafe { start.add(offset) } as *const T) -} - fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> { - let syscall_nr = unsafe { *ptr_at::<i32>(&ctx, 8).unwrap() }; - //info!( &ctx, "syscall_nr: {}", syscall_nr); - - //let typee = unsafe { *(cmd.as_ptr().add(0) as *const u16)}; - //let typee = ctx.read_at(0) + let syscall_nr = unsafe { ctx.read_at::<c_int>(8)? } ; - /* let a: [u64; 1] = [0u64; 1]; - let ret = unsafe { bpf_probe_read(a.as_ptr() as *mut c_void, 8, ctx.as_ptr().add(0) as *const c_void)}; //TODO: Maybe we can try reading some high btis to get the type of the syscall exit or enter - info!(&ctx, "ret: {}", ret); - info!(&ctx, "x: {}", unsafe {a[0]}); - info!(&ctx, "syscall_nr: {}", syscall_nr);*/ - //info!(&ctx, "type: {}", typee); - //return Ok(1); handle_syscall(ctx, syscall_nr, syscall_type) } fn handle_syscall( ctx: TracePointContext, - syscall_nr: i32, + syscall_nr: c_int, syscall_type: SyscallType, ) -> Result<c_long, c_long> { match syscall_nr { diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs index 483c13a..7bae953 100644 --- a/fs-tracer-ebpf/src/syscalls/mod.rs +++ b/fs-tracer-ebpf/src/syscalls/mod.rs @@ -1,2 +1,2 @@ pub mod open; -pub mod write; +pub mod write; \ No newline at end of file diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs index 7abb30d..9eb087d 100644 --- a/fs-tracer-ebpf/src/syscalls/open.rs +++ b/fs-tracer-ebpf/src/syscalls/open.rs @@ -1,8 +1,7 @@ +use aya_bpf::{helpers::{bpf_get_current_task_btf, bpf_probe_read_kernel, bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}, cty::{c_char, c_int, c_long}, maps::PerCpuArray}; +use crate::{*, vmlinux::{task_struct, umode_t}}; -use aya_bpf::{helpers::{bpf_probe_read_kernel, gen}, cty::{c_char, c_int, c_long, c_void}, maps::PerCpuArray}; - -use crate::{*, vmlinux::umode_t}; const AT_FDCWD: c_int = -100; const MAX_PATH: usize = 4096; @@ -29,13 +28,6 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long //info!(&ctx, "handle_sys_open_enter start"); let mut task = bpf_get_current_task_btf() as *mut task_struct; - //info!(&ctx, "test: {}", (*files).next_fd); - let pid = (*task).fs as *const fs_struct; - let uwu = (*pid).pwd; - let ra = uwu.dentry as *const dentry; - let ma = str::from_utf8_unchecked(&(*ra).d_iname); - let buf = get_buf(&PATH_BUF)?; - #[repr(C)] #[derive(Clone, Copy)] struct OpenAtSyscallArgs { @@ -45,7 +37,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long mode: umode_t, } - let args = *ptr_at::<OpenAtSyscallArgs>(&ctx, 16).unwrap_unchecked(); + let args = ctx.read_at::<OpenAtSyscallArgs>(16)?; if args.dfd != AT_FDCWD { return Err(1) @@ -56,6 +48,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long info!(&ctx, "PWD: {}", pwd); + let buf = get_buf(&PATH_BUF)?; let filename = unsafe { core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes( args.filename as *const u8, @@ -75,7 +68,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> { //info!(&ctx, "handle_sys_open_exit start"); - let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns + let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns let tgid = ctx.tgid(); if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) { diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs index 28ea858..d9745a4 100644 --- a/fs-tracer-ebpf/src/syscalls/write.rs +++ b/fs-tracer-ebpf/src/syscalls/write.rs @@ -1,3 +1,6 @@ +use core::ffi::c_size_t; +use aya_bpf::{cty::{c_char, c_uint}, helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}}; + use crate::*; pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> { @@ -11,11 +14,11 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon // info!(&ctx, "handle_sys_write start"); #[derive(Clone, Copy)] struct WriteSyscallArgs { - fd: u64, - buf: *const u8, - count: u64, + fd: c_uint, + buf: *const c_char, + count: c_size_t, } - let args = *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap_unchecked(); + let args = ctx.read_at::<WriteSyscallArgs>(16)?; // if fd is stdout, stderr or stdin, ignore if args.fd <= 2 { @@ -23,7 +26,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon } let mut buf = [0u8; 96]; //we need to make this muuuuuch bigger, we could use some sync with a bpf ds - let _ = bpf_probe_read_user_str_bytes(args.buf, &mut buf); + let _ = bpf_probe_read_user_str_bytes(args.buf as *const u8, &mut buf); let buf_ref = &buf; let mut anotherbuf = [0u8; 96]; @@ -47,7 +50,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<c_long, c_long> { //info!(&ctx, "handle_sys_write_exit start"); - let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns + let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns let tgid = ctx.tgid(); if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) { |