authorBaitinq <manuelpalenzuelamerino@gmail.com>2024-01-27 19:05:03 +0100
committerBaitinq <manuelpalenzuelamerino@gmail.com>2024-01-27 19:05:03 +0100
commit29a4bd062a45f57b52d3724477af12d964e0c9ef (patch)
treea2e404ae9b817d543e674f3053babe675c4f1d96 /fs-tracer-ebpf
parentContinue (diff)
Use sharedCpuArray for buf
Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r--fs-tracer-ebpf/src/main.rs9
-rw-r--r--fs-tracer-ebpf/src/syscalls/open.rs39
-rw-r--r--fs-tracer-ebpf/src/syscalls/write.rs6
3 files changed, 36 insertions, 18 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index 206fc3b..f33d42e 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -6,6 +6,7 @@ mod syscalls;
 use core::str;
 mod vmlinux;
 
+use aya_bpf::cty::c_long;
 use aya_bpf::helpers::{
     bpf_get_current_task, bpf_get_current_task_btf, bpf_probe_read_kernel_str_bytes,
     bpf_probe_read_user_str_bytes,
@@ -43,7 +44,7 @@ enum SyscallType {
 //static mut READ_FROM_USERSPACE_BUFFER: PerCpuArray<[u8;2048]> = PerCpuArray::with_max_entries(1, 0);
 
 #[tracepoint]
-pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 {
+pub fn fs_tracer_enter(ctx: TracePointContext) -> c_long {
     match try_fs_tracer(ctx, SyscallType::Enter) {
         Ok(ret) => ret,
         Err(ret) => ret,
@@ -51,7 +52,7 @@ pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 {
 }
 
 #[tracepoint]
-pub fn fs_tracer_exit(ctx: TracePointContext) -> u32 {
+pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long {
     //info!(&ctx, "Hi");
     match try_fs_tracer(ctx, SyscallType::Exit) {
         Ok(ret) => ret,
@@ -66,7 +67,7 @@ fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> {
     Some(unsafe { start.add(offset) } as *const T)
 }
 
-fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
     let syscall_nr = unsafe { *ptr_at::<i32>(&ctx, 8).unwrap() };
     //info!( &ctx, "syscall_nr: {}", syscall_nr);
 
@@ -87,7 +88,7 @@ fn handle_syscall(
     ctx: TracePointContext,
     syscall_nr: i32,
     syscall_type: SyscallType,
-) -> Result<u32, u32> {
+) -> Result<c_long, c_long> {
     match syscall_nr {
         1 => syscalls::write::handle_sys_write(ctx, syscall_type),
         257 => syscalls::open::handle_sys_open(ctx, syscall_type),
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 4b55400..ab45aca 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,11 +1,19 @@
 
 use core::{mem, ptr};
 
-use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::c_void};
+use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::{c_void, c_long}, maps::PerCpuArray};
 
 use crate::{*, vmlinux::files_struct};
 
-pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+#[repr(C)]
+pub struct Buffer {
+    pub buf: [u8; 4096],
+}
+
+#[map]
+static mut BUF: PerCpuArray<Buffer> = PerCpuArray::with_max_entries(1, 0);
+
+pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
     //info!(&ctx, "called");
     match syscall_type {
         SyscallType::Enter => unsafe { handle_sys_open_enter(ctx) },
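Review bot: `Buffer` and `BUF` are introduced without any documentation, so a reader has to guess why a 4096-byte array now lives in a per-CPU map instead of a stack local; a doc comment would make the intent explicit, e.g. `/// Per-CPU scratch space for copying the user-supplied filename out of the openat arguments.` on `Buffer` and `/// One 4 KiB entry per CPU, fetched with get_ptr_mut(0) by the enter handler.` on `BUF`, stating the rationale (presumably the eBPF stack limit) if that is indeed the reason. Both items are `pub` although only open.rs appears to use them; `pub(crate)` would match the default-private convention. main.rs still carries the commented-out `READ_FROM_USERSPACE_BUFFER` declaration that this map supersedes, which could be dropped in the same change.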
@@ -13,14 +21,18 @@ pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Res
     }
 }
 
-unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_open_enter start");
     let x = bpf_get_current_task_btf() as *const task_struct;
     let pid = (*x).fs as *const fs_struct;
     let uwu = (*pid).pwd;
     let ra = uwu.dentry as *const dentry;
     let ma = str::from_utf8_unchecked(&(*ra).d_iname);
-    let mut buf = [0u8; 12];
+    let buf = unsafe {
+        let ptr = BUF.get_ptr_mut(0).ok_or(0)?;
+        &mut *ptr
+    };
+
     #[derive(Clone, Copy)]
     struct OpenAtSyscallArgs {
         dfd: i64,
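Review bot: The `unsafe { … }` block around `BUF.get_ptr_mut(0)` is nested inside a function that is already an `unsafe fn`, so unless the crate enables `unsafe_op_in_unsafe_fn` it is redundant and rustc warns with `unused_unsafe`; the same applies to the block around the filename read in the last hunk of this file. The `.ok_or(0)?` turns a map-lookup failure into `Err(0)`, which the tracepoint entry points fold into the same value as `Ok(0)` (`Ok(ret) => ret, Err(ret) => ret` in main.rs), so the failure is indistinguishable from success; a non-zero code such as `.ok_or(1)?`, or whatever error convention the rest of the crate settles on, would at least make it visible. `handle_sys_open_enter` continues past the end of this hunk.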
@@ -45,8 +57,8 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
         info!(&ctx, "pid from task {}", (*x).pid);
         //let x_addr = &x as *const _ as usize;
         //info!(&ctx, "x_addr: {}", x_addr);
-        let good_files = bpf_probe_read_kernel(&(*x).files).unwrap_unchecked();
-        info!(&ctx, "test: {}", (*good_files).next_fd)
+       // let good_files = bpf_probe_read_kernel(&(*x).files).unwrap_unchecked();
+        //info!(&ctx, "test: {}", (*good_files).next_fd)
         /*let file = (*fdd).add(args.dfd as usize * 8);
         let mut pat = (*file).f_path;
         //info!(&ctx, "path: {}", &pat)
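Review bot: The two `good_files` lines are commented out rather than deleted, joining the already-commented block that follows them; leftover commented-out code should be removed, since git history preserves it. The new `// let good_files` line is also indented one column short of the surrounding code, which `rustfmt` will not fix inside a comment.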
@@ -66,20 +78,25 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
     }
 
 
-    let _ = bpf_probe_read_user_str_bytes(args.filename, &mut buf);
-    let xd = &buf;
+    let filename = unsafe {
+        core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(
+            args.filename as *const u8,
+            &mut buf.buf,
+        ).unwrap_unchecked())
+    };
+
     info!(
         &ctx,
         "Tf {} {} dfd: {}",
         ma,
-        str::from_utf8_unchecked(xd),
+        filename,
         args.dfd
     );
-
+ 
     Ok(0)
 }
 
-unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_open_exit start");
     let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
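Review bot: `unwrap_unchecked()` on `bpf_probe_read_user_str_bytes` is undefined behaviour whenever the read fails, and `args.filename` is a pointer supplied by the traced process's openat call, so an invalid or unmapped address makes the helper return an error rather than a slice; the previous `let _ = …` at least avoided that. The function now returns `Result<c_long, c_long>` and the helper's error type is, as far as I can see, also `c_long`, so the failure can simply be propagated: `let filename = core::str::from_utf8_unchecked(` / `bpf_probe_read_user_str_bytes(args.filename as *const u8, &mut buf.buf)?,` / `);` (the surrounding `unsafe` block is redundant inside this `unsafe fn`). `from_utf8_unchecked` likewise trusts that the user-supplied bytes are valid UTF-8, which nothing here checks; whether the log macro can take the raw `&[u8]` instead is worth confirming. The blank line replaced at the end of the hunk now carries a trailing space.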
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index b204b45..28ea858 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -1,13 +1,13 @@
 use crate::*;
 
-pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
     match syscall_type {
         SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) },
         SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) },
     }
 }
 
-unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
     // info!(&ctx, "handle_sys_write start");
     #[derive(Clone, Copy)]
     struct WriteSyscallArgs {
@@ -45,7 +45,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> {
     Ok(0)
 }
 
-unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_write_exit start");
     let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns