diff options
author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-20 19:54:58 +0100 |
---|---|---|
committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-20 19:54:58 +0100 |
commit | 4ae023183cc0d2e6463c811eb70f0a69392677af (patch) | |
tree | c39d8e2af62bcbc8d0cbd6b67f5770d1e0dc0fa2 /fs-tracer-ebpf | |
parent | Add comment (diff) | |
download | fs-tracer-4ae023183cc0d2e6463c811eb70f0a69392677af.tar.gz fs-tracer-4ae023183cc0d2e6463c811eb70f0a69392677af.tar.bz2 fs-tracer-4ae023183cc0d2e6463c811eb70f0a69392677af.zip |
Cleanup
Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r-- | fs-tracer-ebpf/src/main.rs | 132 |
1 files changed, 62 insertions, 70 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs index d09d076..14b3a51 100644 --- a/fs-tracer-ebpf/src/main.rs +++ b/fs-tracer-ebpf/src/main.rs @@ -1,16 +1,15 @@ #![no_std] #![no_main] -use core::{ffi::c_void, any::Any}; -use core::{str, ptr}; +use core::ffi::c_void; -use aya_bpf::helpers::gen::bpf_probe_read; -use aya_bpf::helpers::{bpf_get_current_comm, bpf_probe_read_buf, bpf_probe_read_user, bpf_probe_read_user_str, bpf_probe_read_user_str_bytes}; +use aya_bpf::helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}; use aya_bpf::maps::HashMap; -//use aya_bpf::helpers::gen::bpf_probe_read; use aya_bpf::{ - macros::{tracepoint, map}, - programs::TracePointContext, BpfContext, helpers::{gen::{self, bpf_probe_read_kernel_str}, bpf_probe_read_kernel_str_bytes}, maps::{PerfEventArray, PerCpuArray}, + macros::{map, tracepoint}, + maps::PerfEventArray, + programs::TracePointContext, + BpfContext, }; use aya_log_ebpf::info; use fs_tracer_common::WriteSyscallBPF; @@ -24,8 +23,8 @@ static SYSCALLENTERS: HashMap<u32, WriteSyscallBPF> = HashMap::with_max_entries( //TODO: Clean up code. Generics. Arbitrary length buffer? https://github.com/elbaro/mybee/blob/fe037927b848cdbe399c0b0730ae79400cf95279/mybee-ebpf/src/main.rs#L29 enum SyscallType { - ENTER, - EXIT, + Enter, + Exit, } //#[map] @@ -33,7 +32,7 @@ enum SyscallType { #[tracepoint] pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 { - match try_fs_tracer(ctx, SyscallType::ENTER) { + match try_fs_tracer(ctx, SyscallType::Enter) { Ok(ret) => ret, Err(ret) => ret, } @@ -41,7 +40,7 @@ pub fn fs_tracer_enter(ctx: TracePointContext) -> u32 { #[tracepoint] pub fn fs_tracer_exit(ctx: TracePointContext) -> u32 { - match try_fs_tracer(ctx, SyscallType::EXIT) { + match try_fs_tracer(ctx, SyscallType::Exit) { Ok(ret) => ret, Err(ret) => ret, } @@ -55,103 +54,96 @@ fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> { } fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> { - let syscall_nr = unsafe { * ptr_at::<i32>(&ctx, 8).unwrap() }; + let syscall_nr = unsafe { *ptr_at::<i32>(&ctx, 8).unwrap() }; //info!( &ctx, "syscall_nr: {}", syscall_nr); //let typee = unsafe { *(cmd.as_ptr().add(0) as *const u16)}; //let typee = ctx.read_at(0) - /* let a: [u64; 1] = [0u64; 1]; - let ret = unsafe { bpf_probe_read(a.as_ptr() as *mut c_void, 8, ctx.as_ptr().add(0) as *const c_void)}; //TODO: Maybe we can try reading some high btis to get the type of the syscall exit or enter - info!(&ctx, "ret: {}", ret); - info!(&ctx, "x: {}", unsafe {a[0]}); - info!(&ctx, "syscall_nr: {}", syscall_nr);*/ + /* let a: [u64; 1] = [0u64; 1]; + let ret = unsafe { bpf_probe_read(a.as_ptr() as *mut c_void, 8, ctx.as_ptr().add(0) as *const c_void)}; //TODO: Maybe we can try reading some high btis to get the type of the syscall exit or enter + info!(&ctx, "ret: {}", ret); + info!(&ctx, "x: {}", unsafe {a[0]}); + info!(&ctx, "syscall_nr: {}", syscall_nr);*/ //info!(&ctx, "type: {}", typee); //return Ok(1); - return handle_syscall(ctx, syscall_nr, syscall_type); + handle_syscall(ctx, syscall_nr, syscall_type) } -fn handle_syscall(ctx: TracePointContext, syscall_nr: i32, syscall_type: SyscallType) -> Result<u32, u32> { +fn handle_syscall( + ctx: TracePointContext, + syscall_nr: i32, + syscall_type: SyscallType, +) -> Result<u32, u32> { match syscall_nr { - 1 => { - return handle_sys_write(ctx, syscall_type); - }, + 1 => handle_sys_write(ctx, syscall_type), 2 => { - return Ok(0) + Ok(0) //handle_sys_open(ctx); - }, + } 8 => { - return Ok(0) + Ok(0) //handle_sys_lseek(ctx); - }, + } 3 => { - return Ok(0) + Ok(0) //handle_sys_close(ctx); - }, + } _ => { info!(&ctx, "unhandled syscall: {}", syscall_nr); - return Err(1) + Err(1) } } } -/*static mut read_from_userspace_buffer: [u8; 2048] = [0u8; 2048]; -static mut write_to_userspace_buffer: [u8; 2048] = [0u8; 2048]; -static mut write_syscall_bpf: WriteSyscallBPF = WriteSyscallBPF { - fd: 0, - buf: [0u8; 2048], - count: 0, -};*/ - -#[derive(Clone, Copy)] - struct WriteSyscallArgs { - fd: u64, - buf: *const u8, - count: u64, -} - fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> { match syscall_type { - SyscallType::ENTER => { - return handle_sys_write_enter(ctx); - }, - SyscallType::EXIT => { - return handle_sys_write_exit(ctx); - }, + SyscallType::Enter => handle_sys_write_enter(ctx), + SyscallType::Exit => handle_sys_write_exit(ctx), } } fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> { - // info!(&ctx, "handle_sys_write start"); + // info!(&ctx, "handle_sys_write start"); + #[derive(Clone, Copy)] + struct WriteSyscallArgs { + fd: u64, + buf: *const u8, + count: u64, + } let args = unsafe { *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap() }; // if fd is stdout, stderr or stdin, ignore if args.fd <= 2 { - return Ok(0) + return Ok(0); } - // info!(&ctx, "argfs fd: {}", args.fd); + // info!(&ctx, "argfs fd: {}", args.fd); let mut buf = [0u8; 96]; //we need to make this muuuuuch bigger - //get_string_from_userspace(args.buf, unsafe { &mut *READ_FROM_USERSPACE_BUFFER.get_ptr_mut(0).unwrap() }); - //get_string_from_userspace(args.buf, &mut buf); + //get_string_from_userspace(args.buf, unsafe { &mut *READ_FROM_USERSPACE_BUFFER.get_ptr_mut(0).unwrap() }); + //get_string_from_userspace(args.buf, &mut buf); let _ = unsafe { bpf_probe_read_user_str_bytes(args.buf, &mut buf) }; let buf_ref = &buf; - // info!(&ctx, "buf: {}", unsafe { str::from_utf8_unchecked(buf_ref) }); + // info!(&ctx, "buf: {}", unsafe { str::from_utf8_unchecked(buf_ref) }); //info!(&ctx, "count: {}", args.count); "; let mut anotherbuf = [0u8; 96]; - unsafe { bpf_probe_read_kernel_str(anotherbuf.as_mut_ptr() as *mut c_void, 96, buf_ref.as_ptr() as *const c_void) }; + let _ = unsafe { bpf_probe_read_kernel_str_bytes(buf_ref.as_ptr(), &mut anotherbuf) }; let tgid: u32 = ctx.tgid(); - let _ = SYSCALLENTERS.insert(&tgid, &WriteSyscallBPF { - pid: ctx.pid(), - fd: args.fd, - buf: anotherbuf, - count: args.count, - ret: -9999, - }, 0); - - return Ok(0) + let _ = SYSCALLENTERS.insert( + &tgid, + &WriteSyscallBPF { + pid: ctx.pid(), + fd: args.fd, + buf: anotherbuf, + count: args.count, + ret: -9999, + }, + 0, + ); + + Ok(0) } fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> { @@ -159,7 +151,7 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> { let ret = unsafe { *ptr_at::<i64>(&ctx, 16).unwrap() }; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns let tgid = ctx.tgid(); - if let Some(& syscall) = unsafe { SYSCALLENTERS.get(&tgid) } { + if let Some(&syscall) = unsafe { SYSCALLENTERS.get(&tgid) } { let mut newsyscall = syscall.clone(); newsyscall.ret = ret; EVENTS.output(&ctx, &newsyscall, 0); @@ -167,10 +159,10 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> { //syscall_enter.ret = ret; //EVENTS.output(&ctx, &syscall_enter, 0); - return Ok(0) + Ok(0) } -// thread can only execute 1 syscall at a time <- +// thread can only execute 1 syscall at a time <- //TODO: How are we going to correlate. We have open of a filename, we need to insert that into (pid, fd) -> filename. on close we remove from map. we need some timeout to remove stale entries //TODO: to get the fd from open, we need to know the return value of the syscall. for that we need a tracepoint on end and keep a map of (tgid, pid) -> WriteSyscallBPF). we need to differenciate the syscalls by id @@ -179,4 +171,4 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> { #[panic_handler] fn panic(_info: &core::panic::PanicInfo) -> ! { unsafe { core::hint::unreachable_unchecked() } -} \ No newline at end of file +} |