diff options
| -rw-r--r-- | fs-tracer-common/src/lib.rs | 5 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/open.rs | 18 | ||||
| -rw-r--r-- | fs-tracer-ebpf/src/syscalls/write.rs | 1 | ||||
| -rw-r--r-- | fs-tracer/src/main.rs | 5 | ||||
| -rw-r--r-- | fs-tracer/src/syscall_handler.rs | 39 |
5 files changed, 40 insertions, 28 deletions
diff --git a/fs-tracer-common/src/lib.rs b/fs-tracer-common/src/lib.rs index cee95e1..3615dec 100644 --- a/fs-tracer-common/src/lib.rs +++ b/fs-tracer-common/src/lib.rs @@ -4,7 +4,6 @@ use aya_ebpf::cty::c_long; use core::ffi::c_int; use core::ffi::c_size_t; -use core::ffi::c_uint; use core::ffi::CStr; use core::fmt::{self, Formatter}; use core::str; @@ -21,7 +20,7 @@ pub enum SyscallInfo { #[derive(Clone, Copy)] pub struct WriteSyscallBPF { pub pid: u32, - pub fd: c_uint, + pub fd: c_int, pub buf: [u8; 96], //TODO: might want to use c_char here pub count: c_size_t, @@ -49,7 +48,7 @@ pub struct OpenSyscallBPF { pub filename: [u8; 96], pub flags: c_int, pub mode: umode_t, - pub ret: c_long, + pub ret: c_int, } unsafe impl Sync for OpenSyscallBPF {} diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs index 8f48672..9d5280d 100644 --- a/fs-tracer-ebpf/src/syscalls/open.rs +++ b/fs-tracer-ebpf/src/syscalls/open.rs @@ -66,14 +66,14 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long ) }; - info!( - &ctx, - "filename: {} dfd: {}, flags: {}, pid: {}", - filename, - args.dfd, - args.flags, - ctx.pid() - ); + // info!( + // &ctx, + // "filename: {} dfd: {}, flags: {}, pid: {}", + // filename, + // args.dfd, + // args.flags, + // ctx.pid() + // ); if filename.len() < 3 { return Ok(0); @@ -116,7 +116,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> { //info!(&ctx, "handle_sys_open_exit start"); - let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns + let ret = ctx.read_at::<c_int>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns let tgid = ctx.tgid(); if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs index efad6f8..232dfba 100644 --- a/fs-tracer-ebpf/src/syscalls/write.rs +++ b/fs-tracer-ebpf/src/syscalls/write.rs @@ -39,6 +39,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon let mut anotherbuf = [0u8; 96]; let _ = bpf_probe_read_kernel_str_bytes(buf_ref.as_ptr(), &mut anotherbuf); + // info!(&ctx, "handle_sys_write fd: {} pid: {}", args.fd, ctx.pid()); let tgid: u32 = ctx.tgid(); let _ = SYSCALL_ENTERS.insert( diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs index ba2f855..bc3eae9 100644 --- a/fs-tracer/src/main.rs +++ b/fs-tracer/src/main.rs @@ -51,7 +51,7 @@ async fn main() -> Result<(), anyhow::Error> { let trace_enters_program: &mut TracePoint = bpf.program_mut("fs_tracer_enter").unwrap().try_into()?; trace_enters_program.load()?; - // trace_enters_program.attach("syscalls", "sys_enter_openat")?; + trace_enters_program.attach("syscalls", "sys_enter_openat")?; trace_enters_program.attach("syscalls", "sys_enter_write")?; // program.attach("syscalls", "sys_exit_write")?; //trace_enters_program.attach("syscalls", "sys_enter_lseek")?; @@ -60,7 +60,7 @@ async fn main() -> Result<(), anyhow::Error> { let trace_exits_program: &mut TracePoint = bpf.program_mut("fs_tracer_exit").unwrap().try_into()?; trace_exits_program.load()?; - // trace_exits_program.attach("syscalls", "sys_exit_openat")?; + trace_exits_program.attach("syscalls", "sys_exit_openat")?; trace_exits_program.attach("syscalls", "sys_exit_write")?; println!("Num of cpus: {}", online_cpus()?.len()); @@ -116,6 +116,7 @@ async fn main() -> Result<(), anyhow::Error> { // Batching. TODO: we can probably increase this value but we need to increase max message // in kafka or compress or smth. We should probably batch taking into account the message // size and also sent messages from multiple threads somehow. + // We might just need websockets if i % 4000 != 0 { continue; } diff --git a/fs-tracer/src/syscall_handler.rs b/fs-tracer/src/syscall_handler.rs index fec8ecc..12c218e 100644 --- a/fs-tracer/src/syscall_handler.rs +++ b/fs-tracer/src/syscall_handler.rs @@ -1,23 +1,35 @@ -use std::{collections::HashMap, sync::mpsc::Sender}; +use std::{collections::HashMap, ffi::CStr, sync::mpsc::Sender}; use fs_tracer_common::SyscallInfo; pub struct SyscallHandler { resolved_files: Sender<String>, - syscall_map: HashMap<u64, fn([u64; 6]) -> u64>, //TODO + open_files: HashMap<i32, String>, } impl SyscallHandler { pub fn new(resolved_files: Sender<String>) -> Self { Self { resolved_files, - syscall_map: HashMap::new(), + open_files: HashMap::new(), } } - pub fn handle_syscall(&self, data: SyscallInfo) -> u64 { + pub fn handle_syscall(&mut self, data: SyscallInfo) -> u64 { match data { SyscallInfo::Write(x) => { + let filename = self.open_files.get(&x.fd); + let filename = match filename { + None => { + println!("DIDNT FIND AN OPEN FILE FOR THE WRITE SYSCALL"); + return 0; + } + Some(x) => x, + }; + let contents = CStr::from_bytes_until_nul(&x.buf) + .unwrap_or_default() + .to_str() + .unwrap_or_default(); println!("WRITE KERNEL: DATA {:?}", x); let _ = self.resolved_files.send(format!( r#" @@ -28,22 +40,21 @@ impl SyscallHandler { }} "#, chrono::Utc::now().to_rfc3339(), - "/tmp/file.txt", - "some contents!!" + filename, + contents, )); return 0; } SyscallInfo::Open(x) => { - // if !CStr::from_bytes_until_nul(&x.filename) - // .unwrap_or_default() - // .to_str() - // .unwrap_or_default() - // .starts_with('/') - // { + let filename = CStr::from_bytes_until_nul(&x.filename) + .unwrap_or_default() + .to_str() + .unwrap_or_default(); println!("OPEN KERNEL DATA: {:?}", x); + println!("OPEN FILENAME: {:?}", filename); + self.open_files.insert(x.ret, filename.to_string()); return 0; - // } - } + } //SyscallInfo::Close } } } |