author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-03-26 17:34:07 +0100 |
---|---|---|
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-03-26 17:34:07 +0100 |
commit | 24abae0fd0f994621fc65080a46601d0b7d1f11c (patch) | |
tree | fc46c11660b14998ed5e96724e68a1b223b12d2e /fs-tracer-ebpf/src | |
parent | Update llvm (diff) | |
TODO
Diffstat (limited to 'fs-tracer-ebpf/src')
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 82 |
1 files changed, 51 insertions, 31 deletions
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 17f65bc..6df5039 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,12 +1,22 @@
-use aya_bpf::{helpers::{bpf_get_current_task_btf, bpf_probe_read_kernel, bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes, bpf_tail_call}, cty::{c_char, c_int, c_long}, maps::PerCpuArray};
-
-use crate::{*, vmlinux::{task_struct, umode_t}};
+use aya_bpf::{
+ cty::{c_char, c_int, c_long},
+ helpers::{
+ bpf_get_current_task_btf, bpf_probe_read_kernel, bpf_probe_read_kernel_str_bytes,
+ bpf_probe_read_user_str_bytes, bpf_tail_call,
+ },
+ maps::PerCpuArray,
+};
+
+use crate::{
+ vmlinux::{task_struct, umode_t},
+ *,
+};
 const AT_FDCWD: c_int = -100;
 const MAX_PATH: usize = 4096;
 #[repr(C)]
-pub struct Buffer<> {
+pub struct Buffer {
 pub buf: [u8; MAX_PATH],
 }
@@ -16,7 +26,10 @@ static mut PATH_BUF: PerCpuArray<Buffer> = PerCpuArray::with_max_entries(1, 0);
 #[map]
 static mut TMP_BUF: PerCpuArray<Buffer> = PerCpuArray::with_max_entries(1, 0);
-pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
+pub fn handle_sys_open(
+ ctx: TracePointContext,
+ syscall_type: SyscallType,
+) -> Result<c_long, c_long> {
 //info!(&ctx, "called");
 match syscall_type {
 SyscallType::Enter => unsafe { handle_sys_open_enter(ctx) },
@@ -40,29 +53,30 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 let args = ctx.read_at::<OpenAtSyscallArgs>(16)?;
 if args.dfd != AT_FDCWD {
- return Err(1)
+ return Err(1);
 }
- info!(&ctx, "relative call!");
- let pwd = get_task_pwd(&ctx, task)?;
-
- info!(&ctx, "PWD: {}", pwd);
-
+ // TODO: If the path isnt relative, we already know the full path
+ let buf = get_buf(&PATH_BUF)?;
 let filename = unsafe {
- core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(
- args.filename as *const u8,
- &mut buf.buf,
- ).unwrap_unchecked())
+ core::str::from_utf8_unchecked(
+ bpf_probe_read_user_str_bytes(args.filename as *const u8, &mut buf.buf)
+ .unwrap_unchecked(),
+ )
 };
- info!(
- &ctx,
- "filename: {} dfd: {}",
- filename,
- args.dfd
- );
-
+ info!(&ctx, "filename: {} dfd: {}", filename, args.dfd);
+
+ if !filename.is_empty() && filename.chars().next().unwrap_unchecked() == '/' {
+ return Ok(0);
+ }
+
+ info!(&ctx, "relative call!");
+ let pwd = get_task_pwd(&ctx, task)?;
+
+ info!(&ctx, "PWD: {}", pwd);
+
 Ok(0)
 }
@@ -83,7 +97,10 @@ unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long>
 Err(0)
 }
-unsafe fn get_task_pwd<'a>(ctx: &TracePointContext, task: *const task_struct) -> Result<&'a str, c_long> {
+unsafe fn get_task_pwd<'a>(
+ ctx: &TracePointContext,
+ task: *const task_struct,
+) -> Result<&'a str, c_long> {
 let result = get_buf(&PATH_BUF)?;
 let tmp_buf: &mut Buffer = get_buf(&TMP_BUF)?;
 let fs = bpf_probe_read_kernel(&(*task).fs)?;
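Review bot: The new absolute-path test reads the first character through `filename.chars().next().unwrap_unchecked()` from a `&str` that `from_utf8_unchecked` built over bytes copied out of user memory, and the `.unwrap_unchecked()` on `bpf_probe_read_user_str_bytes` just above it turns a failed user read (bad or unmapped `args.filename`) into undefined behaviour rather than an error. Both go away without any extra verifier cost by keeping the raw slice: `let bytes = bpf_probe_read_user_str_bytes(args.filename as *const u8, &mut buf.buf)?;` then `if bytes.first() == Some(&b'/') { return Ok(0); }`, building `filename` from `bytes` only for the `info!` line; this also makes the `is_empty()` guard redundant. As written an absolute path returns `Ok(0)` after only logging, so `// TODO: If the path isnt relative, we already know the full path` describes an intent the hunk does not implement yet; either emit the path there or have the comment say that absolute opens are currently dropped. Anything read from `args.filename` at the enter tracepoint is a snapshot of user memory the process can still modify before the kernel copies it, so whatever consumes these events should treat the path as best-effort rather than authoritative, or correlate it with the exit side. The body of handle_sys_open_enter starts before this hunk.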
@@ -95,22 +112,24 @@ unsafe fn get_task_pwd<'a>(ctx: &TracePointContext, task: *const task_struct) ->
 loop {
 info!(ctx, "num_chars: {}", num_chars);
- let iname = bpf_probe_read_kernel_str_bytes(&(*dentry).d_iname as *const u8, &mut tmp_buf.buf)?;
+ let iname =
+ bpf_probe_read_kernel_str_bytes(&(*dentry).d_iname as *const u8, &mut tmp_buf.buf)?;
 if iname.len() > 40 {
- break
+ break;
 }
 *result.buf.as_mut_ptr().add(num_chars) = '/' as u8;
- num_chars+=1;
+ num_chars += 1;
 for i in 0..iname.len() {
 *result.buf.as_mut_ptr().add(num_chars) = iname[i]; //we shouldnt append but prepend
- num_chars+=1;
+ num_chars += 1;
 }
-
+ iters += 1;
 prev_dentry = dentry;
 dentry = bpf_probe_read_kernel(&(*dentry).d_parent)?;
- if dentry == prev_dentry || iters >= 2 { //TODO: we are running out of instrs
+ if dentry == prev_dentry || iters >= 2 {
+ //TODO: we are running out of instrs
 break;
 }
 }
@@ -119,7 +138,7 @@ unsafe fn get_task_pwd<'a>(ctx: &TracePointContext, task: *const task_struct) ->
 Ok(str_from_u8_nul_utf8_unchecked(&result.buf))
 }
-unsafe fn get_buf<'a>(buf: &PerCpuArray<Buffer>) -> Result<&'a mut Buffer, i64>{
+unsafe fn get_buf<'a>(buf: &PerCpuArray<Buffer>) -> Result<&'a mut Buffer, i64> {
 let ptr = buf.get_ptr_mut(0).ok_or(1)?;
 Ok(&mut *ptr)
 }
@@ -127,7 +146,8 @@ unsafe fn get_buf<'a>(buf: &PerCpuArray<Buffer>) -> Result<&'a mut Buffer, i64>{
 unsafe fn str_from_u8_nul_utf8_unchecked(utf8_src: &[u8]) -> &str {
 let mut nul_range_end = utf8_src.len();
 for i in 0..utf8_src.len() {
- if i > 200 { //satisfy the verifier
+ if i > 200 {
+ //satisfy the verifier
 break;
 }
 if utf8_src[i] == b'\0' { |