Diffstat (limited to 'fs-tracer-ebpf/src/syscalls')
-rw-r--r--fs-tracer-ebpf/src/syscalls/mod.rs2
-rw-r--r--fs-tracer-ebpf/src/syscalls/open.rs17
-rw-r--r--fs-tracer-ebpf/src/syscalls/write.rs15
3 files changed, 15 insertions, 19 deletions
diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs
index 483c13a..7bae953 100644
--- a/fs-tracer-ebpf/src/syscalls/mod.rs
+++ b/fs-tracer-ebpf/src/syscalls/mod.rs
@@ -1,2 +1,2 @@
 pub mod open;
-pub mod write;
+pub mod write;
\ No newline at end of file
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 7abb30d..9eb087d 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,8 +1,7 @@
+use aya_bpf::{helpers::{bpf_get_current_task_btf, bpf_probe_read_kernel, bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}, cty::{c_char, c_int, c_long}, maps::PerCpuArray};
 
+use crate::{*, vmlinux::{task_struct, umode_t}};
 
-use aya_bpf::{helpers::{bpf_probe_read_kernel, gen}, cty::{c_char, c_int, c_long, c_void}, maps::PerCpuArray};
-
-use crate::{*, vmlinux::umode_t};
 const AT_FDCWD: c_int = -100;
 const MAX_PATH: usize = 4096;
 
@@ -29,13 +28,6 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
     //info!(&ctx, "handle_sys_open_enter start");
     let mut task = bpf_get_current_task_btf() as *mut task_struct;
 
-    //info!(&ctx, "test: {}", (*files).next_fd);
-    let pid = (*task).fs as *const fs_struct;
-    let uwu = (*pid).pwd;
-    let ra = uwu.dentry as *const dentry;
-    let ma = str::from_utf8_unchecked(&(*ra).d_iname);
-    let buf = get_buf(&PATH_BUF)?;
-
     #[repr(C)]
     #[derive(Clone, Copy)]
     struct OpenAtSyscallArgs {
@@ -45,7 +37,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         mode: umode_t,
     }
 
-    let args = *ptr_at::<OpenAtSyscallArgs>(&ctx, 16).unwrap_unchecked();
+    let args = ctx.read_at::<OpenAtSyscallArgs>(16)?;
 
     if args.dfd != AT_FDCWD {
         return Err(1)
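Review bot: `mode: umode_t` at the tail of `OpenAtSyscallArgs` is a 2-byte field, but every argument in a sys_enter tracepoint record occupies an 8-byte slot, so the offset `read_at` resolves for `mode` under `#[repr(C)]` is only correct if each preceding field is itself 8 bytes wide (the first fields of the struct sit outside this hunk, so this is inferred). A narrower field such as a `c_int` flags slot would shift `mode` from offset 24 to 20 and the value read would be padding. Declaring each field with an 8-byte type, e.g. `mode: c_long,` and narrowing at the use site with `let mode = args.mode as umode_t;`, keeps the struct layout identical to the record whatever the C type of the argument. handle_sys_open_enter begins and ends outside this hunk.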
@@ -56,6 +48,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
     
     info!(&ctx, "PWD: {}", pwd);
     
+    let buf = get_buf(&PATH_BUF)?;
     let filename = unsafe {
         core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(
             args.filename as *const u8,
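Review bot: `core::str::from_utf8_unchecked` is applied to bytes the calling process supplied, so the UTF-8 validity it asserts is under the control of the traced program rather than this code, and a `&str` holding invalid UTF-8 is undefined behaviour for any later `str` operation. Use the checked form and map the failure into the function's error type, e.g. `core::str::from_utf8(…).map_err(|_| 1)?` around the same `bpf_probe_read_user_str_bytes` call (its closing arguments are outside this hunk), or keep the value as `&[u8]`. It is also worth a one-line comment that the path is copied from user memory at syscall entry, so it is the path the process presented at that instant, which is a known accuracy limit of enter-side tracing. handle_sys_open_enter continues past this hunk.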
@@ -75,7 +68,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 
 unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_open_exit start");
-    let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+    let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
     let tgid = ctx.tgid();
     if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
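Review bot: The trailing `//TODO: We cant use unwrap, thats why we couldnt use the aya helper fns` on the `read_at` line is stale after this change, since the line now uses the aya helper with `?` and no unwrap; leave it as `let ret = ctx.read_at::<c_long>(16)?;`. The same stale comment survives on the corresponding line in `handle_sys_write_exit` in write.rs. handle_sys_open_exit continues past this hunk.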
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index 28ea858..d9745a4 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -1,3 +1,6 @@
+use core::ffi::c_size_t;
+use aya_bpf::{cty::{c_char, c_uint}, helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}};
+
 use crate::*;
 
 pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
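Review bot: `use core::ffi::c_size_t;` pulls in an unstable API (feature `c_size_t`), so this file only builds on a nightly toolchain with that feature enabled at the crate root; nothing in this hunk shows such a gate. `usize` has the width of `size_t` on every Linux target an eBPF program runs on, so `count: usize` (or an 8-byte `u64`, matching the tracepoint slot) avoids the feature dependency entirely.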
@@ -11,11 +14,11 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon
     // info!(&ctx, "handle_sys_write start");
     #[derive(Clone, Copy)]
     struct WriteSyscallArgs {
-        fd: u64,
-        buf: *const u8,
-        count: u64,
+        fd: c_uint,
+        buf: *const c_char,
+        count: c_size_t,
     }
-    let args = *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap_unchecked();
+    let args = ctx.read_at::<WriteSyscallArgs>(16)?;
 
     // if fd is stdout, stderr or stdin, ignore
     if args.fd <= 2 {
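Review bot: `WriteSyscallArgs` has no `#[repr(C)]`, yet it is filled by `ctx.read_at::<WriteSyscallArgs>(16)?` as if its memory layout matched the tracepoint record; with the default Rust representation the compiler is free to reorder fields, and with one 4-byte and two 8-byte fields it plausibly will, which would make `fd` read from the wrong slot and the `args.fd <= 2` filter meaningless. Add `#[repr(C)]` above `#[derive(Clone, Copy)]`, as `OpenAtSyscallArgs` in open.rs already does. Even with `repr(C)`, the 4-byte `c_uint` only lands on the right value because alignment padding keeps `buf` at offset 8 and the low half of the slot is read, which assumes a little-endian target; declaring `fd` as an 8-byte type removes that assumption. handle_sys_write_enter starts and ends outside this hunk.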
@@ -23,7 +26,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon
     }
 
     let mut buf = [0u8; 96]; //we need to make this muuuuuch bigger, we could use some sync with a bpf ds
-    let _ = bpf_probe_read_user_str_bytes(args.buf, &mut buf);
+    let _ = bpf_probe_read_user_str_bytes(args.buf as *const u8, &mut buf);
     let buf_ref = &buf;
 
     let mut anotherbuf = [0u8; 96];
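Review bot: `let _ = bpf_probe_read_user_str_bytes(args.buf as *const u8, &mut buf);` discards the result, so a failed read leaves `buf` all zeros and the rest of the function proceeds as if the write carried an empty payload, indistinguishable from a genuine empty write. Propagating it, `bpf_probe_read_user_str_bytes(args.buf as *const u8, &mut buf)?;`, matches how `read_at` is handled a few lines above. `args.count` is also never consulted, so the read can copy up to 96 bytes of the process's memory past the end of what the syscall actually writes when `count` is smaller; bounding the destination slice by `count` would keep the capture to the payload. handle_sys_write_enter continues past this hunk.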
@@ -47,7 +50,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon
 
 unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_write_exit start");
-    let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+    let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
     let tgid = ctx.tgid();
     if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {