-rw-r--r-- | fs-tracer-common/src/lib.rs | 9 | ||||
-rw-r--r-- | fs-tracer-ebpf/src/main.rs | 10 | ||||
-rw-r--r-- | fs-tracer/src/main.rs | 10 |
3 files changed, 15 insertions, 14 deletions
diff --git a/fs-tracer-common/src/lib.rs b/fs-tracer-common/src/lib.rs
index 9be9774..7ed6d66 100644
--- a/fs-tracer-common/src/lib.rs
+++ b/fs-tracer-common/src/lib.rs
@@ -1,8 +1,11 @@
 #![no_std]
-use core::fmt::{Formatter, self};
+use core::fmt::{self, Formatter};
 use core::str;
+pub enum SyscallInfo {
+ Write(WriteSyscallBPF),
+}
 #[derive(Clone, Copy)]
 pub struct WriteSyscallBPF {
@@ -21,9 +24,9 @@ impl fmt::Debug for WriteSyscallBPF {
 f.debug_struct("WriteSyscallBPF")
 .field("pid", &self.pid)
 .field("fd", &self.fd)
- .field("buf", &str::from_utf8(&self.buf).unwrap_or("") )
+ .field("buf", &str::from_utf8(&self.buf).unwrap_or(""))
 .field("count", &self.count)
 .field("ret", &self.ret)
 .finish()
 }
-}
\ No newline at end of file
+}
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index 14b3a51..772fe1f 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -1,8 +1,6 @@
 #![no_std]
 #![no_main]
-use core::ffi::c_void;
-
 use aya_bpf::helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes};
 use aya_bpf::maps::HashMap;
 use aya_bpf::{
@@ -12,10 +10,10 @@ use aya_bpf::{
 BpfContext,
 };
 use aya_log_ebpf::info;
-use fs_tracer_common::WriteSyscallBPF;
+use fs_tracer_common::{SyscallInfo, WriteSyscallBPF};
 #[map]
-static EVENTS: PerfEventArray<WriteSyscallBPF> = PerfEventArray::with_max_entries(1024, 0);
+static EVENTS: PerfEventArray<SyscallInfo> = PerfEventArray::with_max_entries(1024, 0);
 #[map]
 static SYSCALLENTERS: HashMap<u32, WriteSyscallBPF> = HashMap::with_max_entries(1024, 0);
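Review bot: `SyscallInfo` is declared without a `#[repr(...)]` attribute, yet it is the type the BPF program writes into `EVENTS` (the `PerfEventArray<SyscallInfo>` change later in this diff) and that userspace reads back with `ptr.read_unaligned()` as `*const SyscallInfo` in the fs-tracer hunk that follows. Those are two separate compilations for different targets, and the layout of a default-repr enum is unspecified, so nothing guarantees the bytes emitted on the kernel side match what userspace interprets; with a single variant there is no tag today, but the first added variant changes that silently. Give the enum an explicit, stable layout, e.g. `#[repr(C)]` (or `#[repr(C, u32)]` once a tag exists), derive `Clone, Copy` to match `WriteSyscallBPF`, and state the contract in a doc comment such as `/// Wire format shared with the eBPF program; layout must stay identical on both targets.` The same note applies to the `EVENTS` declaration in fs-tracer-ebpf and the cast in fs-tracer.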
@@ -152,9 +150,9 @@ fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
 let tgid = ctx.tgid();
 if let Some(&syscall) = unsafe { SYSCALLENTERS.get(&tgid) } {
- let mut newsyscall = syscall.clone();
+ let mut newsyscall: WriteSyscallBPF = syscall;
 newsyscall.ret = ret;
- EVENTS.output(&ctx, &newsyscall, 0);
+ EVENTS.output(&ctx, &SyscallInfo::Write(newsyscall), 0);
 }
 //syscall_enter.ret = ret;
 //EVENTS.output(&ctx, &syscall_enter, 0);
diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs
index 443e28e..dff9461 100644
--- a/fs-tracer/src/main.rs
+++ b/fs-tracer/src/main.rs
@@ -1,5 +1,3 @@
-use std::fmt::Write;
-
 use aya::maps::AsyncPerfEventArray;
 use aya::programs::TracePoint;
 use aya::util::online_cpus;
@@ -8,7 +6,7 @@ use aya_log::BpfLogger;
 use log::{info, warn, debug};
 use tokio::{signal, task};
 use bytes::BytesMut;
-use fs_tracer_common::WriteSyscallBPF;
+use fs_tracer_common::SyscallInfo;
 #[tokio::main]
 async fn main() -> Result<(), anyhow::Error> {
@@ -68,9 +66,11 @@ async fn main() -> Result<(), anyhow::Error> {
 loop {
 let events = buf.read_events(&mut buffers).await.unwrap();
 for buf in buffers.iter_mut().take(events.read) {
- let ptr = buf.as_ptr() as *const WriteSyscallBPF;
+ let ptr = buf.as_ptr() as *const SyscallInfo;
 let data = unsafe { ptr.read_unaligned() };
- println!("KERNEL: DATA {:?}", data);
+ match data {
+ SyscallInfo::Write(x) => println!("KERNEL: DATA {:?}", x),
+ }
 }
 }
 });
|
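Review bot: The enter record is looked up with `SYSCALLENTERS.get(&tgid)`, where `tgid` is the process id, so two threads of the same process with overlapping `write` calls share one slot and the exit handler can attribute one thread's buffer and `ret` to the other. Correlating enter and exit on the thread id (`ctx.pid()` in aya, the low 32 bits of pid_tgid) keys each in-flight syscall uniquely: `let tid = ctx.pid();` and `SYSCALLENTERS.get(&tid)` here, with the matching key in the enter handler, which is outside this hunk. The hunk also shows no `SYSCALLENTERS.remove(&tgid)` after the event is emitted; if that happens elsewhere in the function this is fine, otherwise stale entries remain in the 1024-entry map and a later exit without a recorded enter would re-emit old data. handle_sys_write_exit starts and ends outside the hunk.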
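Review bot: `buf.as_ptr() as *const SyscallInfo` followed by `read_unaligned()` copies `size_of::<SyscallInfo>()` bytes without checking that the perf record is at least that long, so a short or truncated record reads past the `BytesMut`; this predates the change, but the new `match` additionally interprets a discriminant, and an unexpected discriminant value in a Rust enum is undefined behaviour rather than a fall-through arm. Guard the length before the cast: `if buf.len() < std::mem::size_of::<SyscallInfo>() { warn!("short perf record: {} bytes", buf.len()); continue; }` (`warn` is already imported from `log`). With a stable `#[repr]` on `SyscallInfo`, reading the tag into an integer first and rejecting unknown values would turn a malformed record into a logged warning instead of UB. The loop also `unwrap()`s `read_events`, which takes the whole task down on a transient read error; a `warn!` plus `continue` is worth considering. main continues outside the hunk.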