about summary refs log tree commit diff
path: root/fs-tracer-ebpf
diff options
context:
space:
mode:
authorBaitinq <manuelpalenzuelamerino@gmail.com>2024-01-20 19:54:58 +0100
committerBaitinq <manuelpalenzuelamerino@gmail.com>2024-01-20 19:54:58 +0100
commit4ae023183cc0d2e6463c811eb70f0a69392677af (patch)
treec39d8e2af62bcbc8d0cbd6b67f5770d1e0dc0fa2 /fs-tracer-ebpf
parentAdd comment (diff)
downloadfs-tracer-4ae023183cc0d2e6463c811eb70f0a69392677af.tar.gz
fs-tracer-4ae023183cc0d2e6463c811eb70f0a69392677af.tar.bz2
fs-tracer-4ae023183cc0d2e6463c811eb70f0a69392677af.zip
Cleanup
Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r--fs-tracer-ebpf/src/main.rs132
1 files changed, 62 insertions, 70 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index d09d076..14b3a51 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -1,16 +1,15 @@
 #![no_std]
 #![no_main]
 
-use core::{ffi::c_void, any::Any};
-use core::{str, ptr};
+use core::ffi::c_void;
 
-use aya_bpf::helpers::gen::bpf_probe_read;
-use aya_bpf::helpers::{bpf_get_current_comm, bpf_probe_read_buf, bpf_probe_read_user, bpf_probe_read_user_str, bpf_probe_read_user_str_bytes};
+use aya_bpf::helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes};
 use aya_bpf::maps::HashMap;
-//use aya_bpf::helpers::gen::bpf_probe_read;
 use aya_bpf::{
-    macros::{tracepoint, map},
-    programs::TracePointContext, BpfContext, helpers::{gen::{self, bpf_probe_read_kernel_str}, bpf_probe_read_kernel_str_bytes}, maps::{PerfEventArray, PerCpuArray},
+    macros::{map, tracepoint},
+    maps::PerfEventArray,
+    programs::TracePointContext,
+    BpfContext,
 };
 use aya_log_ebpf::info;
 use fs_tracer_common::WriteSyscallBPF;
@@ -24,8 +23,8 @@ static SYSCALLENTERS: HashMap<u32, WriteSyscallBPF> = HashMap::with_max_entries(
 //TODO: Clean up code. Generics. Arbitrary length buffer? https://github.com/elbaro/mybee/blob/fe037927b848cdbe399c0b0730ae79400cf95279/mybee-ebpf/src/main.rs#L29
 
 enum SyscallType {
-    ENTER,
-    EXIT,
+    Enter,
+    Exit,
 }
 
 //#[map]
@@ -33,7 +32,7 @@ enum SyscallType {
 
 #[tracepoint]
 pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 {
-    match try_fs_tracer(ctx, SyscallType::ENTER) {
+    match try_fs_tracer(ctx, SyscallType::Enter) {
         Ok(ret) => ret,
         Err(ret) => ret,
     }
@@ -41,7 +40,7 @@ pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 {
 
 #[tracepoint]
 pub fn fs_tracer_exit(ctx: TracePointContext) -> u32 {
-    match try_fs_tracer(ctx, SyscallType::EXIT) {
+    match try_fs_tracer(ctx, SyscallType::Exit) {
         Ok(ret) => ret,
         Err(ret) => ret,
     }
@@ -55,103 +54,96 @@ fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> {
 }
 
 fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
-    let syscall_nr = unsafe { * ptr_at::<i32>(&ctx, 8).unwrap() };
+    let syscall_nr = unsafe { *ptr_at::<i32>(&ctx, 8).unwrap() };
     //info!( &ctx, "syscall_nr: {}", syscall_nr);
 
     //let typee = unsafe { *(cmd.as_ptr().add(0)  as *const u16)};
     //let typee = ctx.read_at(0)
 
-   /* let a: [u64; 1] = [0u64; 1];
-    let ret = unsafe { bpf_probe_read(a.as_ptr() as *mut c_void, 8, ctx.as_ptr().add(0) as *const c_void)}; //TODO: Maybe we can try reading some high btis to get the type of the syscall exit or enter
-    info!(&ctx, "ret: {}", ret);
- info!(&ctx, "x: {}", unsafe {a[0]});
-    info!(&ctx, "syscall_nr: {}", syscall_nr);*/ 
+    /* let a: [u64; 1] = [0u64; 1];
+       let ret = unsafe { bpf_probe_read(a.as_ptr() as *mut c_void, 8, ctx.as_ptr().add(0) as *const c_void)}; //TODO: Maybe we can try reading some high btis to get the type of the syscall exit or enter
+       info!(&ctx, "ret: {}", ret);
+    info!(&ctx, "x: {}", unsafe {a[0]});
+       info!(&ctx, "syscall_nr: {}", syscall_nr);*/
     //info!(&ctx, "type: {}", typee);
     //return Ok(1);
-    return handle_syscall(ctx, syscall_nr, syscall_type);
+    handle_syscall(ctx, syscall_nr, syscall_type)
 }
 
-fn handle_syscall(ctx: TracePointContext, syscall_nr: i32, syscall_type: SyscallType) -> Result<u32, u32> {
+fn handle_syscall(
+    ctx: TracePointContext,
+    syscall_nr: i32,
+    syscall_type: SyscallType,
+) -> Result<u32, u32> {
     match syscall_nr {
-        1 => {
-            return handle_sys_write(ctx, syscall_type);
-        },
+        1 => handle_sys_write(ctx, syscall_type),
         2 => {
-            return Ok(0)
+            Ok(0)
             //handle_sys_open(ctx);
-        },
+        }
         8 => {
-            return Ok(0)
+            Ok(0)
             //handle_sys_lseek(ctx);
-        },
+        }
         3 => {
-            return Ok(0)
+            Ok(0)
             //handle_sys_close(ctx);
-        },
+        }
         _ => {
             info!(&ctx, "unhandled syscall: {}", syscall_nr);
-            return Err(1)
+            Err(1)
         }
     }
 }
 
-/*static mut read_from_userspace_buffer: [u8; 2048] = [0u8; 2048];
-static mut write_to_userspace_buffer: [u8; 2048] = [0u8; 2048];
-static mut write_syscall_bpf: WriteSyscallBPF = WriteSyscallBPF {
-    fd: 0,
-    buf: [0u8; 2048],
-    count: 0,
-};*/
-
-#[derive(Clone, Copy)]
- struct WriteSyscallArgs {
-     fd: u64,
-     buf: *const u8,
-     count: u64,
-}
-
 fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
     match syscall_type {
-        SyscallType::ENTER => {
-            return handle_sys_write_enter(ctx);
-        },
-        SyscallType::EXIT => {
-            return handle_sys_write_exit(ctx);
-        },
+        SyscallType::Enter => handle_sys_write_enter(ctx),
+        SyscallType::Exit => handle_sys_write_exit(ctx),
     }
 }
 
 fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> {
-   // info!(&ctx, "handle_sys_write start");
+    // info!(&ctx, "handle_sys_write start");
+    #[derive(Clone, Copy)]
+    struct WriteSyscallArgs {
+        fd: u64,
+        buf: *const u8,
+        count: u64,
+    }
     let args = unsafe { *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap() };
 
     // if fd is stdout, stderr or stdin, ignore
     if args.fd <= 2 {
-        return Ok(0)
+        return Ok(0);
     }
 
-   // info!(&ctx, "argfs fd: {}", args.fd);
+    // info!(&ctx, "argfs fd: {}", args.fd);
     let mut buf = [0u8; 96]; //we need to make this muuuuuch bigger
-    //get_string_from_userspace(args.buf, unsafe { &mut *READ_FROM_USERSPACE_BUFFER.get_ptr_mut(0).unwrap() });
-    //get_string_from_userspace(args.buf, &mut buf);
+                             //get_string_from_userspace(args.buf, unsafe { &mut *READ_FROM_USERSPACE_BUFFER.get_ptr_mut(0).unwrap() });
+                             //get_string_from_userspace(args.buf, &mut buf);
     let _ = unsafe { bpf_probe_read_user_str_bytes(args.buf, &mut buf) };
     let buf_ref = &buf;
-   // info!(&ctx, "buf: {}", unsafe { str::from_utf8_unchecked(buf_ref) });
+    // info!(&ctx, "buf: {}", unsafe { str::from_utf8_unchecked(buf_ref) });
     //info!(&ctx, "count: {}", args.count);                                                                                                               ";
 
     let mut anotherbuf = [0u8; 96];
-    unsafe { bpf_probe_read_kernel_str(anotherbuf.as_mut_ptr() as *mut c_void, 96, buf_ref.as_ptr() as *const c_void) };
+    let _ = unsafe { bpf_probe_read_kernel_str_bytes(buf_ref.as_ptr(), &mut anotherbuf) };
 
     let tgid: u32 = ctx.tgid();
-    let _ = SYSCALLENTERS.insert(&tgid, &WriteSyscallBPF {
-        pid: ctx.pid(),
-        fd: args.fd,
-        buf: anotherbuf,
-        count: args.count,
-        ret: -9999,
-    }, 0);
-
-    return Ok(0)
+    let _ = SYSCALLENTERS.insert(
+        &tgid,
+        &WriteSyscallBPF {
+            pid: ctx.pid(),
+            fd: args.fd,
+            buf: anotherbuf,
+            count: args.count,
+            ret: -9999,
+        },
+        0,
+    );
+
+    Ok(0)
 }
 
 fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
@@ -159,7 +151,7 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
     let ret = unsafe { *ptr_at::<i64>(&ctx, 16).unwrap() }; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
     let tgid = ctx.tgid();
-    if let Some(& syscall) = unsafe { SYSCALLENTERS.get(&tgid) } {
+    if let Some(&syscall) = unsafe { SYSCALLENTERS.get(&tgid) } {
         let mut newsyscall = syscall.clone();
         newsyscall.ret = ret;
         EVENTS.output(&ctx, &newsyscall, 0);
@@ -167,10 +159,10 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
     //syscall_enter.ret = ret;
     //EVENTS.output(&ctx, &syscall_enter, 0);
 
-    return Ok(0)
+    Ok(0)
 }
 
-// thread can only execute 1 syscall at a time <- 
+// thread can only execute 1 syscall at a time <-
 
 //TODO: How are we going to correlate. We have open of a filename, we need to insert that into (pid, fd) -> filename. on close we remove from map. we need some timeout to remove stale entries
 //TODO: to get the fd from open, we need to know the return value of the syscall. for that we need a tracepoint on end and keep a map of (tgid, pid) -> WriteSyscallBPF). we need to differenciate the syscalls by id
@@ -179,4 +171,4 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
 #[panic_handler]
 fn panic(_info: &core::panic::PanicInfo) -> ! {
     unsafe { core::hint::unreachable_unchecked() }
-}
\ No newline at end of file
+}