about summary refs log tree commit diff
path: root/fs-tracer-ebpf/src/syscalls
diff options
context:
space:
mode:
Diffstat (limited to 'fs-tracer-ebpf/src/syscalls')
-rw-r--r--fs-tracer-ebpf/src/syscalls/open.rs39
-rw-r--r--fs-tracer-ebpf/src/syscalls/write.rs6
2 files changed, 31 insertions, 14 deletions
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 4b55400..ab45aca 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -1,11 +1,19 @@
 
 use core::{mem, ptr};
 
-use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::c_void};
+use aya_bpf::{helpers::{bpf_d_path, bpf_probe_read, bpf_probe_read_kernel, gen}, cty::{c_void, c_long}, maps::PerCpuArray};
 
 use crate::{*, vmlinux::files_struct};
 
-pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+#[repr(C)]
+pub struct Buffer {
+    pub buf: [u8; 4096],
+}
+
+#[map]
+static mut BUF: PerCpuArray<Buffer> = PerCpuArray::with_max_entries(1, 0);
+
+pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
     //info!(&ctx, "called");
     match syscall_type {
         SyscallType::Enter => unsafe { handle_sys_open_enter(ctx) },
@@ -13,14 +21,18 @@ pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Res
     }
 }
 
-unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_open_enter start");
     let x = bpf_get_current_task_btf() as *const task_struct;
     let pid = (*x).fs as *const fs_struct;
     let uwu = (*pid).pwd;
     let ra = uwu.dentry as *const dentry;
     let ma = str::from_utf8_unchecked(&(*ra).d_iname);
-    let mut buf = [0u8; 12];
+    let buf = unsafe {
+        let ptr = BUF.get_ptr_mut(0).ok_or(0)?;
+        &mut *ptr
+    };
+
     #[derive(Clone, Copy)]
     struct OpenAtSyscallArgs {
         dfd: i64,
@@ -45,8 +57,8 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
         info!(&ctx, "pid from task {}", (*x).pid);
         //let x_addr = &x as *const _ as usize;
         //info!(&ctx, "x_addr: {}", x_addr);
-        let good_files = bpf_probe_read_kernel(&(*x).files).unwrap_unchecked();
-        info!(&ctx, "test: {}", (*good_files).next_fd)
+       // let good_files = bpf_probe_read_kernel(&(*x).files).unwrap_unchecked();
+        //info!(&ctx, "test: {}", (*good_files).next_fd)
         /*let file = (*fdd).add(args.dfd as usize * 8);
         let mut pat = (*file).f_path;
         //info!(&ctx, "path: {}", &pat)
@@ -66,20 +78,25 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
     }
 
 
-    let _ = bpf_probe_read_user_str_bytes(args.filename, &mut buf);
-    let xd = &buf;
+    let filename = unsafe {
+        core::str::from_utf8_unchecked(bpf_probe_read_user_str_bytes(
+            args.filename as *const u8,
+            &mut buf.buf,
+        ).unwrap_unchecked())
+    };
+
     info!(
         &ctx,
         "Tf {} {} dfd: {}",
         ma,
-        str::from_utf8_unchecked(xd),
+        filename,
         args.dfd
     );
-
+ 
     Ok(0)
 }
 
-unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_open_exit start");
     let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index b204b45..28ea858 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -1,13 +1,13 @@
 use crate::*;
 
-pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<c_long, c_long> {
     match syscall_type {
         SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) },
         SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) },
     }
 }
 
-unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
     // info!(&ctx, "handle_sys_write start");
     #[derive(Clone, Copy)]
     struct WriteSyscallArgs {
@@ -45,7 +45,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> {
     Ok(0)
 }
 
-unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
+unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_write_exit start");
     let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
generated by cgit-pink (baitinq) at 2025-02-02 16:02:13 +0000