diff options
| author | Baitinq <[email protected]> | 2024-02-05 00:02:52 +0100 |
|---|---|---|
| committer | Baitinq <[email protected]> | 2024-02-05 00:02:52 +0100 |
| commit | 99be7e2e6964bae3335fd414f755c80769d46608 (patch) | |
| tree | 72aa3415138cf3f591874e97509d80dc4b3b0bd1 /fs-tracer-ebpf | |
| parent | start traversing pwd path (diff) | |
| download | fs-tracer-bpf_tail_call.tar.gz fs-tracer-bpf_tail_call.tar.bz2 fs-tracer-bpf_tail_call.zip | |
TODO bpf_tail_call
Diffstat (limited to 'fs-tracer-ebpf')
| -rw-r--r-- | fs-tracer-ebpf/src/main.rs | 28 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 76 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/write.rs | 10 |
3 files changed, 73 insertions, 41 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs index e41285a..c1f6a5f 100644 --- a/fs-tracer-ebpf/src/main.rs +++ b/fs-tracer-ebpf/src/main.rs @@ -1,14 +1,13 @@ #![no_std] #![no_main] #![feature(c_size_t)] - #![allow(warnings, unused)] -mod vmlinux; mod syscalls; +mod vmlinux; -use core::str; use aya_bpf::cty::{c_int, c_long}; -use aya_bpf::maps::HashMap; +use aya_bpf::helpers::bpf_tail_call; +use aya_bpf::maps::{HashMap, ProgramArray}; use aya_bpf::{ macros::{map, tracepoint}, maps::PerfEventArray, @@ -16,9 +15,13 @@ use aya_bpf::{ BpfContext, }; use aya_log_ebpf::info; +use core::str; use fs_tracer_common::{SyscallInfo, WriteSyscallBPF}; #[map] +static JUMP_TABLE: ProgramArray = ProgramArray::with_max_entries(16, 0); + +#[map] static EVENTS: PerfEventArray<SyscallInfo> = PerfEventArray::with_max_entries(24, 0); // NOTE: We use this map for tracking syscalls. We have a tracepoint both at the entry @@ -52,19 +55,26 @@ pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long { } fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> { - let syscall_nr = unsafe { ctx.read_at::<c_int>(8)? } ; + let syscall_nr = unsafe { ctx.read_at::<c_int>(8)? }; - handle_syscall(ctx, syscall_nr, syscall_type) + unsafe { handle_syscall(ctx, syscall_nr, syscall_type) } } -fn handle_syscall( +unsafe fn handle_syscall( ctx: TracePointContext, syscall_nr: c_int, syscall_type: SyscallType, ) -> Result<c_long, c_long> { match syscall_nr { - 1 => syscalls::write::handle_sys_write(ctx, syscall_type), - 257 => syscalls::open::handle_sys_open(ctx, syscall_type), + 1 => { + //JUMP_TABLE.tail_call(&ctx, 0); + syscalls::write::handle_sys_write(ctx, syscall_type) + } + 257 => { + JUMP_TABLE.tail_call(&ctx, 0); + Ok(0) + //syscalls::open::handle_sys_open(ctx, syscall_type) + } /*8 => { Ok(0) //handle_sys_lseek(ctx); diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs index 17f65bc..724aba3 100644 --- a/fs-tracer-ebpf/src/syscalls/open.rs +++ b/fs-tracer-ebpf/src/syscalls/open.rs @@ -1,12 +1,22 @@ -use aya_bpf::{helpers::{bpf_get_current_task_btf, bpf_probe_read_kernel, bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes, bpf_tail_call}, cty::{c_char, c_int, c_long}, maps::PerCpuArray}; - -use crate::{*, vmlinux::{task_struct, umode_t}}; +use aya_bpf::{ + cty::{c_char, c_int, c_long}, + helpers::{ + bpf_get_current_task_btf, bpf_probe_read_kernel, bpf_probe_read_kernel_str_bytes, + bpf_probe_read_user_str_bytes, bpf_tail_call, + }, + maps::PerCpuArray, +}; + +use crate::{ + vmlinux::{task_struct, umode_t}, + *, +}; const AT_FDCWD: c_int = -100; const MAX_PATH: usize = 4096; #[repr(C)] -pub struct Buffer<> { +pub struct Buffer { pub buf: [u8; MAX_PATH], } @@ -16,12 +26,17 @@ static mut PATH_BUF: PerCpuArray<Buffer> = PerCpuArray::with_max_entries(1, 0); #[map] static mut TMP_BUF: PerCpuArray<Buffer> = PerCpuArray::with_max_entries(1, 0); -pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> { +#[tracepoint] +pub fn handle_sys_open( + ctx: TracePointContext, + //syscall_type: SyscallType, +) -> Result<c_long, c_long> { //info!(&ctx, "called"); - match syscall_type { + /*match syscall_type { SyscallType::Enter => unsafe { handle_sys_open_enter(ctx) }, SyscallType::Exit => unsafe { handle_sys_open_exit(ctx) }, - } + }*/ + unsafe { handle_sys_open_enter(ctx) } } unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long> { @@ -40,29 +55,24 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long let args = ctx.read_at::<OpenAtSyscallArgs>(16)?; if args.dfd != AT_FDCWD { - return Err(1) + return Err(1); } info!(&ctx, "relative call!"); let pwd = get_task_pwd(&ctx, task)?; - + info!(&ctx, "PWD: {}", pwd); - + let buf = get_buf(&PATH_BUF)?; let filename = unsafe { - core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes( - args.filename as *const u8, - &mut buf.buf, - ).unwrap_unchecked()) + core::str::from_utf8_unchecked( + bpf_probe_read_user_str_bytes(args.filename as *const u8, &mut buf.buf) + .unwrap_unchecked(), + ) }; - info!( - &ctx, - "filename: {} dfd: {}", - filename, - args.dfd - ); - + info!(&ctx, "filename: {} dfd: {}", filename, args.dfd); + Ok(0) } @@ -83,7 +93,10 @@ unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> Err(0) } -unsafe fn get_task_pwd<'a>(ctx: &TracePointContext, task: *const task_struct) -> Result<&'a str, c_long> { +unsafe fn get_task_pwd<'a>( + ctx: &TracePointContext, + task: *const task_struct, +) -> Result<&'a str, c_long> { let result = get_buf(&PATH_BUF)?; let tmp_buf: &mut Buffer = get_buf(&TMP_BUF)?; let fs = bpf_probe_read_kernel(&(*task).fs)?; @@ -95,22 +108,24 @@ unsafe fn get_task_pwd<'a>(ctx: &TracePointContext, task: *const task_struct) -> loop { info!(ctx, "num_chars: {}", num_chars); - let iname = bpf_probe_read_kernel_str_bytes(&(*dentry).d_iname as *const u8, &mut tmp_buf.buf)?; + let iname = + bpf_probe_read_kernel_str_bytes(&(*dentry).d_iname as *const u8, &mut tmp_buf.buf)?; if iname.len() > 40 { - break + break; } *result.buf.as_mut_ptr().add(num_chars) = '/' as u8; - num_chars+=1; + num_chars += 1; for i in 0..iname.len() { *result.buf.as_mut_ptr().add(num_chars) = iname[i]; //we shouldnt append but prepend - num_chars+=1; + num_chars += 1; } - + iters += 1; prev_dentry = dentry; dentry = bpf_probe_read_kernel(&(*dentry).d_parent)?; - if dentry == prev_dentry || iters >= 2 { //TODO: we are running out of instrs + if dentry == prev_dentry || iters >= 2 { + //TODO: we are running out of instrs break; } } @@ -119,7 +134,7 @@ unsafe fn get_task_pwd<'a>(ctx: &TracePointContext, task: *const task_struct) -> Ok(str_from_u8_nul_utf8_unchecked(&result.buf)) } -unsafe fn get_buf<'a>(buf: &PerCpuArray<Buffer>) -> Result<&'a mut Buffer, i64>{ +unsafe fn get_buf<'a>(buf: &PerCpuArray<Buffer>) -> Result<&'a mut Buffer, i64> { let ptr = buf.get_ptr_mut(0).ok_or(1)?; Ok(&mut *ptr) } @@ -127,7 +142,8 @@ unsafe fn get_buf<'a>(buf: &PerCpuArray<Buffer>) -> Result<&'a mut Buffer, i64>{ unsafe fn str_from_u8_nul_utf8_unchecked(utf8_src: &[u8]) -> &str { let mut nul_range_end = utf8_src.len(); for i in 0..utf8_src.len() { - if i > 200 { //satisfy the verifier + if i > 200 { + //satisfy the verifier break; } if utf8_src[i] == b'\0' { diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs index d9745a4..44a13a5 100644 --- a/fs-tracer-ebpf/src/syscalls/write.rs +++ b/fs-tracer-ebpf/src/syscalls/write.rs @@ -1,9 +1,15 @@ +use aya_bpf::{ + cty::{c_char, c_uint}, + helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}, +}; use core::ffi::c_size_t; -use aya_bpf::{cty::{c_char, c_uint}, helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}}; use crate::*; -pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> { +pub fn handle_sys_write( + ctx: TracePointContext, + syscall_type: SyscallType, +) -> Result<c_long, c_long> { match syscall_type { SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) }, SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) }, |