fs-tracer: keep track of seen file's contents

4 files changed, 68 insertions, 21 deletions

diff --git a/fs-tracer-ebpf/src/syscalls/close.rs b/fs-tracer-ebpf/src/syscalls/close.rs
index 020ad64..4b5f82c 100644
--- a/fs-tracer-ebpf/src/syscalls/close.rs
+++ b/fs-tracer-ebpf/src/syscalls/close.rs
@@ -18,7 +18,7 @@ pub fn handle_sys_close(
 }
 
 unsafe fn handle_sys_close_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
-    info!(&ctx, "handle_sys_close start");
+    // info!(&ctx, "handle_sys_close start");
     #[repr(C)]
     #[derive(Clone, Copy)]
     struct CloseSyscallArgs {
@@ -40,7 +40,7 @@ unsafe fn handle_sys_close_enter(ctx: TracePointContext) -> Result<c_long, c_lon
 }
 
 unsafe fn handle_sys_close_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
-    info!(&ctx, "handle_sys_close_exit start");
+    // info!(&ctx, "handle_sys_close_exit start");
     let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
     let tgid = ctx.tgid();
diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs
index d11fe90..b36707e 100644
--- a/fs-tracer/src/main.rs
+++ b/fs-tracer/src/main.rs
@@ -117,15 +117,12 @@ async fn main() -> Result<(), anyhow::Error> {
     let mut resolved_files_for_request: Vec<FSTracerFile> = vec![];
     for elt in &resolved_files_recv {
         info!("HELLO123!");
-        if elt.absolute_path.starts_with("/proc/") {
-            continue;
-        }
         resolved_files_for_request.push(elt);
-        if last_sent_time.elapsed() < batch_timeout {
+        if last_sent_time.elapsed() < batch_timeout && resolved_files_for_request.len() < 1000 {
             continue;
         }
 
-        info!("SENDING REQUEST!");
+        info!("SENDING REQUEST! {}", resolved_files_for_request.len());
         send_request(&url, &fs_tracer_api_key, &resolved_files_for_request);
         resolved_files_for_request.clear();
         last_sent_time = Instant::now();
diff --git a/fs-tracer/src/syscall_handler.rs b/fs-tracer/src/syscall_handler.rs
index 0ecc243..3ec18b2 100644
--- a/fs-tracer/src/syscall_handler.rs
+++ b/fs-tracer/src/syscall_handler.rs
@@ -1,4 +1,8 @@
-use std::ffi::CStr;
+use log::info;
+use std::collections::HashMap;
+use std::io::Read;
+use std::path::Path;
+use std::{ffi::CStr, fs::File};
 
 use crossbeam_channel::Sender;
 use delay_map::HashMapDelay;
@@ -19,6 +23,7 @@ struct OpenFile {
 pub struct SyscallHandler {
     resolved_files: Sender<FSTracerFile>,
     open_files: HashMapDelay<(i32, u32), OpenFile>,
+    seen_files: HashMap<String, String>,
 }
 
 impl SyscallHandler {
@@ -26,6 +31,7 @@ impl SyscallHandler {
         Self {
             resolved_files,
             open_files: HashMapDelay::new(std::time::Duration::from_secs(400)),
+            seen_files: HashMap::new(),
         }
     }
 
@@ -41,7 +47,7 @@ impl SyscallHandler {
     fn handle_write(&mut self, write_syscall: WriteSyscallBPF) -> Result<(), ()> {
         let open_file = match self.open_files.get(&(write_syscall.fd, write_syscall.pid)) {
             None => {
-                println!(
+                info!(
                     "DIDNT FIND AN OPEN FILE FOR THE WRITE SYSCALL (fd: {}, ret: {})",
                     write_syscall.fd, write_syscall.ret
                 );
@@ -63,12 +69,13 @@ impl SyscallHandler {
         }
         new_contents.replace_range(start..end, buf);
 
-        println!(
-            "WRITE KERNEL: DATA {:?} FILENAME: {:?} STORED OFFSET: {:?} LEN: {:?} NEW_CONTENTS: {:?}",
+        info!(
+            "WRITE KERNEL: DATA {:?} FILENAME: {:?} STORED OFFSET: {:?} LEN: {:?} OLD_CONTENTS: {:?}, NEW_CONTENTS: {:?}",
             write_syscall,
             open_file.filename,
             open_file.offset,
             buf.len(),
+            open_file.contents,
             new_contents
         );
         self.resolved_files
@@ -95,7 +102,7 @@ impl SyscallHandler {
     fn handle_fseek(&mut self, fseek_syscall: FSeekSyscallBPF) -> Result<(), ()> {
         let open_file = match self.open_files.get(&(fseek_syscall.fd, fseek_syscall.pid)) {
             None => {
-                println!(
+                info!(
                     "DIDNT FIND AN OPEN FILE FOR THE FSEEK SYSCALL (fd: {}, ret: {})",
                     fseek_syscall.fd, fseek_syscall.ret
                 );
@@ -103,7 +110,7 @@ impl SyscallHandler {
             }
             Some(str) => str.clone(),
         };
-        println!(
+        info!(
             "FSEEK KERNEL: DATA {:?} FILENAME: {:?} STORED OFFSET: {:?}",
             fseek_syscall, open_file.filename, open_file.offset,
         );
@@ -133,27 +140,62 @@ impl SyscallHandler {
             .unwrap_or_default()
             .to_str()
             .unwrap_or_default();
-        println!("OPEN KERNEL DATA: {:?}", open_syscall);
-        println!("OPEN FILENAME: {:?}", filename);
+        info!("OPEN KERNEL DATA: {:?}", open_syscall);
+        info!("OPEN FILENAME: {:?}", filename);
+
+        // if filename.starts_with("/") && !filename.starts_with("/home/") {
+        //     info!("Ignoring file: {}", filename);
+        //     return Ok(());
+        // }
+        //
+        // let mut contents = "".to_string();
+        // let path = Path::new(filename);
+        // if false && path.exists() && !path.is_dir() {
+        //     info!("Will read file contents for {}", filename);
+        //     let mut buf = vec![];
+        //     let mut file = File::open(filename).expect("unable to open file for reading");
+        //     file.read_to_end(&mut buf).expect("unable to read file");
+        //     let str = String::from_utf8_lossy(&buf);
+        //     contents = str.to_string();
+        //     info!("Read file contents for {}", filename);
+        // } else {
+        //     info!("File previously didnt exist: {}", filename);
+        // }
+        //
+
+        let mut contents = String::from("");
+        match self.seen_files.get(filename) {
+            Some(content) => {
+                contents = content.to_string();
+                info!(
+                    "Fetched file contents from memory {}: {}",
+                    filename, content
+                );
+            }
+            None => {
+                info!("File previously wasnt seen: {}", filename);
+            }
+        }
+
         let fd = open_syscall.ret;
         self.open_files.insert(
             (fd, open_syscall.pid),
             OpenFile {
                 filename: filename.to_string(),
                 offset: 0,
-                contents: "".to_string(),
+                contents,
             },
         );
         Ok(())
     }
 
     fn handle_close(&mut self, close_syscall: CloseSyscallBPF) -> Result<(), ()> {
-        let filename = match self
+        let open_file = match self
             .open_files
             .remove(&(close_syscall.fd, close_syscall.pid))
         {
             None => {
-                println!(
+                info!(
                     "DIDNT FIND AN OPEN FILE FOR THE CLOSE SYSCALL (fd: {})",
                     close_syscall.fd
                 );
@@ -161,8 +203,16 @@ impl SyscallHandler {
             }
             Some(str) => str,
         };
-        println!("CLOSE KERNEL DATA: {:?}", close_syscall);
-        println!("CLOSE FILENAME: {:?}", filename);
+        info!("CLOSE KERNEL DATA: {:?}", close_syscall);
+        info!(
+            "CLOSE FILENAME {:?} with contents: {:?}",
+            open_file.filename, open_file.contents
+        );
+
+        // NOTE: This is a hack.
+        self.seen_files
+            .insert(open_file.filename, open_file.contents);
+
         Ok(())
     }
 }
diff --git a/tests/testfile b/tests/testfile
index 4cd697c..3ee97c6 100644
--- a/tests/testfile
+++ b/tests/testfile
@@ -1,2 +1,2 @@
 A'm writing this :) pls.
-please
\ No newline at end of file
+please