author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-07-29 19:07:34 +0200 |
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-07-29 19:07:34 +0200 |
commit | 1808e23086d01b658569025825789094612547cc (patch) | |
tree | b27251717d697ff7217c96e9f4e8b9af1ebb0c34 /fs-tracer-ebpf | |
parent | fs-tracer: store file offset (diff) | |
download | fs-tracer-1808e23086d01b658569025825789094612547cc.tar.gz fs-tracer-1808e23086d01b658569025825789094612547cc.tar.bz2 fs-tracer-1808e23086d01b658569025825789094612547cc.zip |
fs-tracer: handle fseek syscall
Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r-- | fs-tracer-ebpf/src/main.rs | 5 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/fseek.rs | 76 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/mod.rs | 1 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/syscalls/write.rs | 2 |
4 files changed, 79 insertions, 5 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index a6794f5..c67ffd1 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -65,10 +65,7 @@ fn handle_syscall(
 match syscall_nr {
 1 => syscalls::write::handle_sys_write(ctx, syscall_type),
 257 => syscalls::open::handle_sys_open(ctx, syscall_type),
- /*8 => {
- Ok(0)
- //handle_sys_lseek(ctx);
- }*/
+ 8 => syscalls::fseek::handle_sys_fseek(ctx, syscall_type),
 3 => syscalls::close::handle_sys_close(ctx, syscall_type),
 _ => {
 info!(&ctx, "unhandled syscall: {}", syscall_nr);
diff --git a/fs-tracer-ebpf/src/syscalls/fseek.rs b/fs-tracer-ebpf/src/syscalls/fseek.rs
new file mode 100644
index 0000000..fd2317b
--- /dev/null
+++ b/fs-tracer-ebpf/src/syscalls/fseek.rs
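Review bot: The new arm `8 => syscalls::fseek::handle_sys_fseek(...)` names the handler after the libc stdio call, but syscall number 8 on x86_64 is `lseek` (the comment the hunk removes even called it `handle_sys_lseek`), so the module and handler names suggest a buffered-I/O event that this tracepoint does not observe. Either rename the module and handler to `lseek`, or at least annotate the arm: `8 => syscalls::fseek::handle_sys_fseek(ctx, syscall_type), // sys_lseek (x86_64 nr 8)`. The literals 1, 257, 8 and 3 are x86_64 numbers; a named constant per syscall would make that assumption visible if the tracer is ever built for another architecture. The enclosing `handle_syscall` match starts before and ends after this hunk.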
@@ -0,0 +1,76 @@
+use aya_ebpf::{
+ cty::{c_char, c_longlong, c_uint},
+ helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes},
+};
+use core::ffi::c_size_t;
+use fs_tracer_common::FSeekSyscallBPF;
+
+use crate::*;
+
+pub fn handle_sys_fseek(
+ ctx: TracePointContext,
+ syscall_type: SyscallType,
+) -> Result<c_long, c_long> {
+ match syscall_type {
+ SyscallType::Enter => unsafe { handle_sys_fseek_enter(ctx) },
+ SyscallType::Exit => unsafe { handle_sys_fseek_exit(ctx) },
+ }
+}
+
+unsafe fn handle_sys_fseek_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
+ // info!(&ctx, "handle_sys_fseek start");
+ #[repr(C)]
+ #[derive(Clone, Copy)]
+ struct FSeekSyscallArgs {
+ fd: c_int,
+ offset: i64,
+ whence: c_uint,
+ }
+ let args = ctx.read_at::<FSeekSyscallArgs>(16)?;
+
+ // if fd is stdout, stderr or stdin, ignore
+ if args.fd <= 2 {
+ return Ok(0);
+ }
+
+ info!(
+ &ctx,
+ "handle_sys_fseek fd: {} pid: {} offset: {} whence: {}",
+ args.fd,
+ ctx.pid(),
+ args.offset,
+ args.whence
+ );
+
+ let tgid: u32 = ctx.tgid();
+ let _ = SYSCALL_ENTERS.insert(
+ &tgid,
+ &SyscallInfo::FSeek(FSeekSyscallBPF {
+ pid: ctx.pid(),
+ fd: args.fd,
+ offset: args.offset,
+ whence: args.whence,
+ ret: -9999,
+ }),
+ 0,
+ );
+
+ Ok(0)
+}
+
+unsafe fn handle_sys_fseek_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
+ //info!(&ctx, "handle_sys_fseek_exit start");
+ let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+
+ let tgid = ctx.tgid();
+ if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
+ && let SyscallInfo::FSeek(mut syscall_fseek) = syscall
+ {
+ syscall_fseek.ret = ret;
+ EVENTS.output(&ctx, &SyscallInfo::FSeek(syscall_fseek), 0);
+ let _ = SYSCALL_ENTERS.remove(&tgid);
+ return Ok(0);
+ }
+
+ Err(0)
+}
diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs
index 8661535..c346900 100644
--- a/fs-tracer-ebpf/src/syscalls/mod.rs
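Review bot: `handle_sys_fseek_enter` and `handle_sys_fseek_exit` key `SYSCALL_ENTERS` by `ctx.tgid()`, which is per process, so two threads of the same process inside `lseek` at the same time overwrite each other's entry: the first exit emits the other thread's fd/offset paired with its own `ret`, and the second exit finds nothing and returns `Err(0)`, which mis-attributes events in the trace. As I read aya, `ctx.pid()` is the low half of `bpf_get_current_pid_tgid` (the kernel task id, i.e. the thread) and `ctx.tgid()` the high half (the process), so keying insert/get/remove by `let tid: u32 = ctx.pid();` keeps each thread's enter paired with its own exit; the other handlers, outside this diff, presumably need the same treatment if they follow this pattern. The imports `cty::{c_char, c_longlong}`, both `bpf_probe_read_*_str_bytes` helpers and `core::ffi::c_size_t` are unused in this file. An `lseek` on fd 0–2 returns `Ok(0)` at enter without inserting, so its exit always reaches `Err(0)`; if the caller logs or counts `Err`, that is noise worth documenting with `// no enter record: fd <= 2 was filtered at enter, or the map insert failed` above `Err(0)`.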
+++ b/fs-tracer-ebpf/src/syscalls/mod.rs
@@ -1,3 +1,4 @@
 pub mod close;
+pub mod fseek;
 pub mod open;
 pub mod write;
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index 6010dce..ff309e9 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -23,7 +23,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon
 struct WriteSyscallArgs {
 fd: c_int,
 buf: *const c_char,
- count: c_size_t,
+ count: i64,
 }
 let args = ctx.read_at::<WriteSyscallArgs>(16)?;
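Review bot: `count` in the kernel's `write` ABI is a `size_t`, and changing the field from `c_size_t` to `i64` keeps the 8-byte layout but reinterprets it as signed, while the reason for the change (avoiding the unstable `core::ffi::c_size_t`, or matching the field type in `fs_tracer_common`) is not visible in the hunk. If it is only the feature gate, `count: usize,` keeps the unsigned semantics with the same width; if the common struct requires `i64`, a comment on the field such as `// i64 to match FSeekSyscallBPF/WriteSyscallBPF in fs_tracer_common; kernel type is size_t` would stop the next reader from changing it back. `handle_sys_write_enter` starts before and ends after this hunk.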