author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-03-31 12:14:56 +0200 |
---|---|---|
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-03-31 12:14:56 +0200 |
commit | 0b654a51fdd208f755a11938032f385075acb824 (patch) | |
tree | cb64acc13cd72d97b02a703167da91ff1de2d3fc /fs-tracer-ebpf | |
parent | Update aya (diff) | |
TODO
Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r-- | fs-tracer-ebpf/src/main.rs | 8 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/mod.rs | 3 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 51 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/write.rs | 17 |
4 files changed, 59 insertions, 20 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index d6d6640..8287a7f 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -1,12 +1,11 @@
 #![no_std]
 #![no_main]
 #![feature(c_size_t)]
-
+#![feature(let_chains)]
 #![allow(warnings, unused)]
-mod vmlinux;
 mod syscalls;
+mod vmlinux;
-use core::str;
 use aya_ebpf::cty::{c_int, c_long};
 use aya_ebpf::maps::HashMap;
 use aya_ebpf::{
@@ -16,6 +15,7 @@ use aya_ebpf::{
 EbpfContext,
 };
 use aya_log_ebpf::info;
+use core::str;
 use fs_tracer_common::{SyscallInfo, WriteSyscallBPF};
 #[map]
@@ -52,7 +52,7 @@ pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long {
 }
 fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
- let syscall_nr = unsafe { ctx.read_at::<c_int>(8)? } ;
+ let syscall_nr = unsafe { ctx.read_at::<c_int>(8)? };
 handle_syscall(ctx, syscall_nr, syscall_type)
 }
diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs
index 7bae953..de2224a 100644
--- a/fs-tracer-ebpf/src/syscalls/mod.rs
+++ b/fs-tracer-ebpf/src/syscalls/mod.rs
@@ -1,2 +1,3 @@
 pub mod open;
-pub mod write;
\ No newline at end of file
+pub mod write;
+
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 41f0c5e..69458f5 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -6,6 +6,7 @@ use aya_ebpf::{
 },
 maps::PerCpuArray,
 };
+use fs_tracer_common::OpenSyscallBPF;
 use crate::{
 vmlinux::{task_struct, umode_t},
@@ -13,7 +14,7 @@ use crate::{
 };
 const AT_FDCWD: c_int = -100;
-const MAX_PATH: usize = 4096;
+const MAX_PATH: usize = 96; //TODO: 4096
 #[repr(C)]
 pub struct Buffer {
@@ -39,7 +40,6 @@ pub fn handle_sys_open(
 unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
 //info!(&ctx, "handle_sys_open_enter start");
- let mut task = bpf_get_current_task_btf() as *mut task_struct;
 #[repr(C)]
 #[derive(Clone, Copy)]
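Review bot: The MAX_PATH change in the open.rs `@@ -13,7 +14,7 @@` hunk cuts the path buffer from 4096 to 96 bytes, so bpf_probe_read_user_str_bytes now truncates every filename longer than 95 bytes and the tracer records (and, in the later hunk, copies into OpenSyscallBPF) a prefix that can be mistaken for a different, shorter path. The `//TODO: 4096` comment does not say why the limit was lowered; presumably a verifier or stack-size constraint, and that reason should be written down so the value is not raised back blindly. A comment such as `// TODO: restore 4096; until then paths longer than MAX_PATH-1 bytes are truncated and must not be treated as exact` would document the risk, and the consumer should be able to tell when truncation happened, e.g. by checking whether the copied string filled the buffer.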
@@ -59,7 +59,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 // TODO: If the path isnt relative, we already know the full path
 let buf = get_buf(&PATH_BUF)?;
- let filename = unsafe {
+ let filename: &str = unsafe {
 core::str::from_utf8_unchecked(
 bpf_probe_read_user_str_bytes(args.filename as *const u8, &mut buf.buf)
 .unwrap_unchecked(),
@@ -68,15 +68,43 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 info!(&ctx, "filename: {} dfd: {}", filename, args.dfd);
- // if !filename.is_empty() && filename.chars().next().unwrap_unchecked() == '/' {
- // return Ok(0);
+ if filename.len() < 3 {
+ return Ok(0);
+ }
+
+ //let kbuf = get_buf(&PATH_BUF)?;
+ //info!(&ctx, "count: {}", kbuf.buf.len());
+ let (s, s1) = filename.split_at(0); //tODO this doesnt work
+ if s == "/" {
+ info!(&ctx, "SHIITT AINT RELATIVE BOIIIIIIIIIIIIIIIIIIIIIIII");
+ return Ok(0);
+ } else {
+ info!(&ctx, "relative call! {} {}", s, s1);
+ }
+
+ //TODO
+ // if filename.get(0).unwrap_unchecked() == '/' {
+ // return Ok(0);
 //}
- info!(&ctx, "relative call!");
+ let mut task = bpf_get_current_task_btf() as *mut task_struct;
 let pwd = get_task_pwd(&ctx, task)?;
 info!(&ctx, "PWD: {}", pwd);
+ let tgid: u32 = ctx.tgid();
+ let _ = SYSCALL_ENTERS.insert(
+ &tgid,
+ &SyscallInfo::Open(OpenSyscallBPF {
+ pid: ctx.pid(),
+ dfd: args.dfd,
+ filename: buf.buf,
+ mode: args.mode,
+ flags: args.flags,
+ ret: -9999,
+ }),
+ 0,
+ );
 Ok(0)
 }
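Review bot: The absolute-path check added in the `@@ -68,15 +68,43 @@` hunk is dead code: `filename.split_at(0)` always yields an empty `s` and the whole string in `s1`, so `s == "/"` never holds and every absolute path falls through to the relative branch (the author's own `//tODO this doesnt work` says as much). A byte comparison does the job without the str API: `if filename.as_bytes().first() == Some(&b'/') { return Ok(0); }` in place of the `split_at`, the `if s == "/"` block and its `else` arm. Note that `filename` is produced by `core::str::from_utf8_unchecked` over user-controlled memory in the `@@ -59,7 +59,7 @@` hunk above, which is undefined behaviour whenever the bytes are not valid UTF-8; doing these checks on `buf.buf` as a byte slice sidesteps that entirely. The `filename.len() < 3` guard is also unexplained and drops two-byte names such as `..`, so it deserves a comment stating what it is meant to skip. handle_sys_open_enter begins outside this hunk.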
@@ -85,10 +113,11 @@ unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long>
 let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 let tgid = ctx.tgid();
- if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
- let SyscallInfo::Write(mut syscall_write) = syscall;
- syscall_write.ret = ret;
- EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
+ if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
+ && let SyscallInfo::Open(mut syscall_open) = syscall
+ {
+ syscall_open.ret = ret;
+ EVENTS.output(&ctx, &SyscallInfo::Open(syscall_open), 0);
 let _ = SYSCALL_ENTERS.remove(&tgid);
 return Ok(0);
 }
@@ -118,7 +147,7 @@ unsafe fn get_task_pwd<'a>(
 break;
 }
- *result.buf.as_mut_ptr().add(num_chars) = '/' as u8;
+ *result.buf.as_mut_ptr().add(num_chars) = '/' as u8; //TODO: Look at this to get char
 num_chars += 1;
 for i in 0..iname.len() {
 *result.buf.as_mut_ptr().add(num_chars) = iname[i]; //we shouldnt append but prepend
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index b7e7a89..efad6f8 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -1,9 +1,17 @@
+#![feature(let_chains)]
+
+use aya_ebpf::{
+ cty::{c_char, c_uint},
+ helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes},
+};
 use core::ffi::c_size_t;
-use aya_ebpf::{cty::{c_char, c_uint}, helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}};
 use crate::*;
-pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
+pub fn handle_sys_write(
+ ctx: TracePointContext,
+ syscall_type: SyscallType,
+) -> Result<c_long, c_long> {
 match syscall_type {
 SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) },
 SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) },
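Review bot: In the `@@ -85,10 +113,11 @@` hunk the SYSCALL_ENTERS entry is only removed inside the guarded branch, so when the slot for this tgid holds a non-Open value the new `&& let` guard fails, the stale entry is left in the map and the open's exit event is dropped silently; the write.rs exit hunk at the end of the diff has the same shape. The table is keyed by `ctx.tgid()` alone and write.rs looks up the same key, so two threads of one process with overlapping open/write calls appear to overwrite each other's pending entry, which is presumably how a mismatched variant gets there in the first place. Keying by the per-thread id (`ctx.pid()`, which the open enter path already stores) would avoid the collision, and the mismatch case should at least be logged rather than ignored. handle_sys_open_exit continues past the hunk, so what happens on fall-through is not visible here.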
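Review bot: `#![feature(let_chains)]` in the write.rs `@@ -1,9 +1,17 @@` hunk is a crate-level attribute placed in a submodule; rustc only honours it in the crate root, which this same commit already updates in main.rs, so the line here is at best redundant and would normally be reported (the crate-wide `#![allow(warnings, unused)]` is what keeps it quiet). Dropping the first two added lines of the hunk leaves the feature enabled exactly once, where it takes effect.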
@@ -53,8 +61,9 @@ unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<c_long, c_long
 let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 let tgid = ctx.tgid();
- if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
- let SyscallInfo::Write(mut syscall_write) = syscall;
+ if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
+ && let SyscallInfo::Write(mut syscall_write) = syscall
+ {
 syscall_write.ret = ret;
 EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
 let _ = SYSCALL_ENTERS.remove(&tgid);