author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-04-22 23:47:38 +0200 |
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-04-22 23:47:38 +0200 |
commit | ca0bcdcc28d110e21d9a225387ef47a467057730 (patch) | |
tree | 670c582ff4d0ba7808b778f8d6d8e746817aaa04 | |
parent | fix undefined fn (diff) | |
TODO
-rw-r--r-- | fs-tracer-common/src/lib.rs | 6 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 62 | ||||
-rw-r--r-- | fs-tracer/src/main.rs | 30 |
3 files changed, 60 insertions, 38 deletions
diff --git a/fs-tracer-common/src/lib.rs b/fs-tracer-common/src/lib.rs
index 3b67f63..cee95e1 100644
--- a/fs-tracer-common/src/lib.rs
+++ b/fs-tracer-common/src/lib.rs
@@ -5,6 +5,7 @@ use aya_ebpf::cty::c_long;
 use core::ffi::c_int;
 use core::ffi::c_size_t;
 use core::ffi::c_uint;
+use core::ffi::CStr;
 use core::fmt::{self, Formatter};
 use core::str;
@@ -58,7 +59,10 @@ impl fmt::Debug for OpenSyscallBPF {
         f.debug_struct("OpenSyscallBPF")
             .field("pid", &self.pid)
             .field("dfd", &self.dfd)
-            // .field("filename", &str::from_utf8(&self.filename).unwrap_or(""))
+            .field(
+                "filename",
+                &CStr::from_bytes_until_nul(&self.filename).unwrap_or_default(),
+            )
             .field("flags", &self.flags)
             .field("ret", &self.ret)
             .finish()
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 58ff464..8f48672 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -66,7 +66,14 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         )
     };
-    info!(&ctx, "filename: {} dfd: {}", filename, args.dfd);
+    info!(
+        &ctx,
+        "filename: {} dfd: {}, flags: {}, pid: {}",
+        filename,
+        args.dfd,
+        args.flags,
+        ctx.pid()
+    );
     if filename.len() < 3 {
         return Ok(0);
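Review bot: `CStr::from_bytes_until_nul(&self.filename).unwrap_or_default()` in the `Debug` impl prints an empty string whenever the fixed-size `filename` buffer contains no NUL terminator, so a path that completely filled the buffer (the truncated case) is indistinguishable in the output from an empty path. Since these bytes come straight from the traced process, the overflow case is exactly the one a reader of this output needs to be able to see. Keeping the error visible is a one-line change, e.g. `.field("filename", &CStr::from_bytes_until_nul(&self.filename).map_err(|_| &self.filename[..]))`, which prints `Ok("...")` for a terminated path and `Err([..raw bytes..])` otherwise. The `impl fmt::Debug for OpenSyscallBPF` block starts before this hunk.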
@@ -74,37 +81,36 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
     //let kbuf = get_buf(&PATH_BUF)?;
     //info!(&ctx, "count: {}", kbuf.buf.len());
-    let (s, s1) = filename.split_at(0); //tODO this doesnt work
-    if s == "/" {
-        info!(&ctx, "SHIITT AINT RELATIVE BOIIIIIIIIIIIIIIIIIIIIIIII");
-        return Ok(0);
-    } else {
-        info!(&ctx, "relative call! {} {}", s, s1);
-    }
-
+    // let (s, s1) = filename.split_at(0); //tODO this doesnt work
+    // if s == "/" {
+    //     // info!(&ctx, "SHIITT AINT RELATIVE BOIIIIIIIIIIIIIIIIIIIIIIII");
+    //     return Ok(0);
+    // } else {
+    //     // info!(&ctx, "relative call! {} {}", s, s1);
+    // }
     //TODO
     // if filename.get(0).unwrap_unchecked() == '/' {
     //     return Ok(0);
     //}
-
-    let mut task = bpf_get_current_task_btf() as *mut task_struct;
-    let pwd = get_task_pwd(&ctx, task)?;
-
-    info!(&ctx, "PWD: {}", pwd);
-
-    // let tgid: u32 = ctx.tgid();
-    // let _ = SYSCALL_ENTERS.insert(
-    //     &tgid,
-    //     &SyscallInfo::Open(OpenSyscallBPF {
-    //         pid: ctx.pid(),
-    //         dfd: args.dfd,
-    //         filename: buf.buf,
-    //         mode: args.mode,
-    //         flags: args.flags,
-    //         ret: -9999,
-    //     }),
-    //     0,
-    // );
+    // let mut task = bpf_get_current_task_btf() as *mut task_struct;
+    // let pwd = get_task_pwd(&ctx, task)?;
+    //
+    // info!(&ctx, "PWD: {}", pwd);
+    let mut anotherbuf = [0u8; 96];
+    let _ = bpf_probe_read_kernel_str_bytes(buf.buf.as_ptr(), &mut anotherbuf);
+    let tgid: u32 = ctx.tgid();
+    let _ = SYSCALL_ENTERS.insert(
+        &tgid,
+        &SyscallInfo::Open(OpenSyscallBPF {
+            pid: ctx.pid(),
+            dfd: args.dfd,
+            filename: anotherbuf,
+            mode: args.mode,
+            flags: args.flags,
+            ret: -9999,
+        }),
+        0,
+    );
     Ok(0)
 }
diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs
index f1f3d93..db9e15d 100644
--- a/fs-tracer/src/main.rs
+++ b/fs-tracer/src/main.rs
@@ -1,3 +1,5 @@
+use std::ffi::CStr;
+
 use aya::maps::AsyncPerfEventArray;
 use aya::programs::TracePoint;
 use aya::util::online_cpus;
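Review bot: Both results in the new block are thrown away with `let _`: if `bpf_probe_read_kernel_str_bytes` fails, `anotherbuf` stays all zeros and an entry with an empty filename is still stored, and if `SYSCALL_ENTERS.insert` fails (map full) the enter is dropped silently, so the matching exit event has nothing to pair with and no counter records the loss. The function already returns `Result<c_long, c_long>`, so `bpf_probe_read_kernel_str_bytes(buf.buf.as_ptr(), &mut anotherbuf)?;` and `SYSCALL_ENTERS.insert(&tgid, &SyscallInfo::Open(...), 0)?;` would surface both. The entry is keyed by `ctx.tgid()`, which in aya is the process id (high half of `bpf_get_current_pid_tgid`), so two threads of one process inside openat at the same time overwrite each other's pending entry; keying by `ctx.pid()` (the thread id) or the full 64-bit pid_tgid value avoids that. A path longer than 95 bytes is also cut to the buffer with no indication, so user space cannot tell a complete path from a truncated one; recording the length returned by the read helper next to the bytes would make that visible. `handle_sys_open_enter` begins before this hunk.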
@@ -42,17 +44,17 @@ async fn main() -> Result<(), anyhow::Error> {
     let trace_enters_program: &mut TracePoint = bpf.program_mut("fs_tracer_enter").unwrap().try_into()?;
     trace_enters_program.load()?;
-    trace_enters_program.attach("syscalls", "sys_enter_openat")?; //TODO: For some reason enter not being called. Try c program or assembly
-    //trace_enters_program.attach("syscalls", "sys_enter_write")?;
-    // program.attach("syscalls", "sys_exit_write")?;
-    //trace_enters_program.attach("syscalls", "sys_enter_lseek")?;
-    //program.attach("syscalls", "sys_enter_close")?;
+    trace_enters_program.attach("syscalls", "sys_enter_openat")?;
+    trace_enters_program.attach("syscalls", "sys_enter_write")?;
+    // program.attach("syscalls", "sys_exit_write")?;
+    //trace_enters_program.attach("syscalls", "sys_enter_lseek")?;
+    //program.attach("syscalls", "sys_enter_close")?;
     let trace_exits_program: &mut TracePoint = bpf.program_mut("fs_tracer_exit").unwrap().try_into()?;
     trace_exits_program.load()?;
     trace_exits_program.attach("syscalls", "sys_exit_openat")?;
-    //program2.attach("syscalls", "sys_exit_write")?;
+    trace_exits_program.attach("syscalls", "sys_exit_write")?;
     println!("Num of cpus: {}", online_cpus()?.len());
@@ -71,8 +73,19 @@ async fn main() -> Result<(), anyhow::Error> {
             let ptr = buf.as_ptr() as *const SyscallInfo;
             let data = unsafe { ptr.read_unaligned() };
             match data {
-                SyscallInfo::Write(x) => println!("WRITE KERNEL: DATA {:?}", x),
-                SyscallInfo::Open(x) => println!("OPEN KERNEL DATA: {:?}", x),
+                SyscallInfo::Write(x) => {
+                    println!("WRITE KERNEL: DATA {:?}", x)
+                }
+                SyscallInfo::Open(x) => {
+                    // if !CStr::from_bytes_until_nul(&x.filename)
+                    //     .unwrap_or_default()
+                    //     .to_str()
+                    //     .unwrap_or_default()
+                    //     .starts_with('/')
+                    // {
+                    println!("OPEN KERNEL DATA: {:?}", x)
+                    // }
+                }
             }
         }
     }
@@ -85,4 +98,3 @@ async fn main() -> Result<(), anyhow::Error> {
     Ok(())
 }
-
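Review bot: The same `fs_tracer_enter` program is now attached to both `sys_enter_openat` and `sys_enter_write`, yet the only enter handler visible in this commit, `handle_sys_open_enter`, reads the tracepoint arguments with openat's layout. Unless the program branches on the syscall number before parsing (I cannot see that dispatch from this diff), a write() entry would be decoded as `(dfd, filename, flags)` and the filename read would dereference the write buffer pointer instead of a path. That is worth confirming before the second attach lands, and the exit side mirrors the question with `sys_exit_write` now attached to `fs_tracer_exit`. If the dispatch does not exist yet, a short comment on the attach lines stating which syscalls the programs are expected to decode would keep the next reader from assuming it does. `main` continues outside the hunk.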
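Review bot: The `SyscallInfo::Open` arm wraps its `println!` in a commented-out absolute-path filter, and the new `use std::ffi::CStr;` at the top of the file exists only for that dead code, so the build now carries an unused import and a reader cannot tell whether relative paths are meant to be dropped. Either remove the comment block together with the import, or make the check real; in its current shape it would also misclassify a truncated path with no NUL, since `from_bytes_until_nul(..).unwrap_or_default()` yields `""` and `!"".starts_with('/')` is true, so such entries would print as if they were relative. Separately, `ptr.read_unaligned()` two lines above the first change copies `size_of::<SyscallInfo>()` bytes out of `buf` without checking `buf.len()`; that line is context here, but a guard such as `if buf.len() < std::mem::size_of::<SyscallInfo>() { continue; }` before the cast would keep a short sample from reading past the buffer. `main` continues outside the hunk.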