diff options
| author | Baitinq <[email protected]> | 2024-01-27 14:12:39 +0100 |
|---|---|---|
| committer | Baitinq <[email protected]> | 2024-01-27 18:19:19 +0100 |
| commit | 381e938b85c0183881df51bfc375ea919abe2562 (patch) | |
| tree | dfad54ad45caab18cc6387b66bf3c2bd9a042e7c /fs-tracer-ebpf/src/syscalls/write.rs | |
| parent | Start with openat syscall (diff) | |
| download | fs-tracer-381e938b85c0183881df51bfc375ea919abe2562.tar.gz fs-tracer-381e938b85c0183881df51bfc375ea919abe2562.tar.bz2 fs-tracer-381e938b85c0183881df51bfc375ea919abe2562.zip | |
Add missing files
Diffstat (limited to '')
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/write.rs | 62 |
1 files changed, 62 insertions, 0 deletions
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs new file mode 100644 index 0000000..b204b45 --- /dev/null +++ b/fs-tracer-ebpf/src/syscalls/write.rs @@ -0,0 +1,62 @@ +use crate::*; + +pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> { + match syscall_type { + SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) }, + SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) }, + } +} + +unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> { + // info!(&ctx, "handle_sys_write start"); + #[derive(Clone, Copy)] + struct WriteSyscallArgs { + fd: u64, + buf: *const u8, + count: u64, + } + let args = *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap_unchecked(); + + // if fd is stdout, stderr or stdin, ignore + if args.fd <= 2 { + return Ok(0); + } + + let mut buf = [0u8; 96]; //we need to make this muuuuuch bigger, we could use some sync with a bpf ds + let _ = bpf_probe_read_user_str_bytes(args.buf, &mut buf); + let buf_ref = &buf; + + let mut anotherbuf = [0u8; 96]; + let _ = bpf_probe_read_kernel_str_bytes(buf_ref.as_ptr(), &mut anotherbuf); + + let tgid: u32 = ctx.tgid(); + let _ = SYSCALL_ENTERS.insert( + &tgid, + &SyscallInfo::Write(WriteSyscallBPF { + pid: ctx.pid(), + fd: args.fd, + buf: anotherbuf, + count: args.count, + ret: -9999, + }), + 0, + ); + + Ok(0) +} + +unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> { + //info!(&ctx, "handle_sys_write_exit start"); + let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns + + let tgid = ctx.tgid(); + if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) { + let SyscallInfo::Write(mut syscall_write) = syscall; + syscall_write.ret = ret; + EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0); + let _ = SYSCALL_ENTERS.remove(&tgid); + return Ok(0); + } + + Err(0) +} |