diff options
| author | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-14 19:32:22 +0100 |
|---|---|---|
| committer | Baitinq <manuelpalenzuelamerino@gmail.com> | 2024-01-14 19:32:22 +0100 |
| commit | 7bab8b108c1e2c238f9e5745ebdc2860a7cc5fcf (patch) | |
| tree | a4252a8a019d1392cc2959b024248edf34ff24a2 /fs-tracer-ebpf | |
| parent | Handle write syscall (diff) | |
| download | fs-tracer-7bab8b108c1e2c238f9e5745ebdc2860a7cc5fcf.tar.gz fs-tracer-7bab8b108c1e2c238f9e5745ebdc2860a7cc5fcf.tar.bz2 fs-tracer-7bab8b108c1e2c238f9e5745ebdc2860a7cc5fcf.zip | |
Send write_syscall events to userspace
Diffstat (limited to 'fs-tracer-ebpf')
| -rw-r--r-- | fs-tracer-ebpf/src/main.rs | 66 |
1 files changed, 50 insertions, 16 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs index 36365d8..b14154d 100644 --- a/fs-tracer-ebpf/src/main.rs +++ b/fs-tracer-ebpf/src/main.rs @@ -5,10 +5,24 @@ use core::ffi::c_void; use core::str; use aya_bpf::{ - macros::tracepoint, - programs::TracePointContext, BpfContext, helpers::gen + macros::{tracepoint, map}, + programs::TracePointContext, BpfContext, helpers::{gen::{self, bpf_probe_read_kernel_str}, bpf_probe_read_kernel_str_bytes}, maps::{PerfEventArray, PerCpuArray}, }; use aya_log_ebpf::info; +use fs_tracer_common::WriteSyscallBPF; + +#[derive(Clone, Copy)] + struct WriteSyscallArgs { + fd: u64, + buf: *const u8, + count: u64, +} + +#[map] +static EVENTS: PerfEventArray<WriteSyscallBPF> = PerfEventArray::with_max_entries(1024, 0); + +//#[map] +//static mut READ_FROM_USERSPACE_BUFFER: PerCpuArray<[u8;2048]> = PerCpuArray::with_max_entries(1, 0); #[tracepoint] pub fn fs_tracer(ctx: TracePointContext) -> u32 { @@ -55,27 +69,47 @@ fn handle_syscall(ctx: TracePointContext, syscall_nr: i32) -> Result<u32, u32> { } } -#[derive(Clone, Copy)] -struct WriteArgs { - fd: u64, - buf: *const u8, - count: u64, -} +/*static mut read_from_userspace_buffer: [u8; 2048] = [0u8; 2048]; +static mut write_to_userspace_buffer: [u8; 2048] = [0u8; 2048]; +static mut write_syscall_bpf: WriteSyscallBPF = WriteSyscallBPF { + fd: 0, + buf: [0u8; 2048], + count: 0, +};*/ fn handle_sys_write(ctx: TracePointContext) -> Result<u32, u32> { - info!(&ctx, "handle_sys_write start"); - let args = unsafe { *ptr_at::<WriteArgs>(&ctx, 16).unwrap() }; + //info!(&ctx, "handle_sys_write start"); + let args = unsafe { *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap() }; - info!(&ctx, "argfs fd: {}", args.fd); - let mut buf = [0u8; 256]; + // if fd is stdout, stderr or stdin, ignore + if args.fd <= 2 { + return Ok(0) + } + + // info!(&ctx, "argfs fd: {}", args.fd); + let mut buf = [0u8; 128]; + //get_string_from_userspace(args.buf, unsafe { &mut *READ_FROM_USERSPACE_BUFFER.get_ptr_mut(0).unwrap() }); get_string_from_userspace(args.buf, &mut buf); let buf_ref = &buf; - info!(&ctx, "buf: {}", unsafe { str::from_utf8_unchecked(buf_ref) }); - info!(&ctx, "count: {}", args.count); + // info!(&ctx, "buf: {}", unsafe { str::from_utf8_unchecked(buf_ref) }); + //info!(&ctx, "count: {}", args.count); "; + + let mut anotherbuf = [0u8; 128]; + unsafe { bpf_probe_read_kernel_str(anotherbuf.as_mut_ptr() as *mut c_void, 128, buf_ref.as_ptr() as *const c_void) }; - info!(&ctx, "handle_sys_write end"); + EVENTS.output(&ctx, &WriteSyscallBPF { + pid: ctx.pid(), + fd: args.fd, + buf: anotherbuf, + count: args.count, + }, 0); + + //info!(&ctx, "handle_sys_write end"); return Ok(0) -} //TODO: Communicate with userspace (share a some data structure in memory?) +} + +//TODO: How are we going to correlate. We have open of a filename, we need to insert that into (pid, fd) -> filename. on close we remove from map. we need some timeout to remove stale entries +//TODO: to get the fd from open, we need to know the return value of the syscall. for that we need a tracepoint on end and keep a map of (tgid, pid) -> WriteSyscallBPF) fn get_string_from_userspace(ptr: *const u8, buf: &mut [u8]) { unsafe { gen::bpf_probe_read_user_str( buf.as_mut_ptr() as *mut c_void, buf.len() as u32, ptr as *const c_void) }; |