about summary refs log tree commit diff
path: root/fs-tracer-ebpf/src/syscalls
diff options
context:
space:
mode:
Diffstat (limited to 'fs-tracer-ebpf/src/syscalls')
-rw-r--r--fs-tracer-ebpf/src/syscalls/mod.rs2
-rw-r--r--fs-tracer-ebpf/src/syscalls/open.rs79
-rw-r--r--fs-tracer-ebpf/src/syscalls/write.rs62
3 files changed, 143 insertions, 0 deletions
diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs
new file mode 100644
index 0000000..483c13a
--- /dev/null
+++ b/fs-tracer-ebpf/src/syscalls/mod.rs
@@ -0,0 +1,2 @@
+pub mod open;
+pub mod write;
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
new file mode 100644
index 0000000..f33a302
--- /dev/null
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -0,0 +1,79 @@
+#![feature(ptr_metadata)]
+
+use aya_bpf::helpers::{bpf_d_path, bpf_probe_read};
+
+use crate::*;
+
+pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+    //info!(&ctx, "called");
+    match syscall_type {
+        SyscallType::Enter => unsafe { handle_sys_open_enter(ctx) },
+        SyscallType::Exit => unsafe { handle_sys_open_exit(ctx) },
+    }
+}
+
+unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
+    //info!(&ctx, "handle_sys_open_enter start");
+    let x = bpf_get_current_task_btf() as *const task_struct;
+    let pid = (*x).fs as *const fs_struct;
+    let uwu = (*pid).pwd;
+    let ra = uwu.dentry as *const dentry;
+    let ma = str::from_utf8_unchecked(&(*ra).d_iname);
+    let mut buf = [0u8; 120];
+    #[derive(Clone, Copy)]
+    struct OpenAtSyscallArgs {
+        dfd: i64,
+        filename: *const u8,
+        flags: u64,
+        mode: u64,
+    }
+
+    //TODO: Check if the flags is relative
+
+    let args = *ptr_at::<OpenAtSyscallArgs>(&ctx, 16).unwrap_unchecked();
+
+    if args.dfd == -100 {
+        info!(&ctx, "wat")
+    } else {
+        info!(&ctx, "not relative {}", args.dfd);
+        let files = (*x).files;
+        let fdt = (*files).fdt;
+        let fdd = (*fdt).fd;
+        let file = (*fdd).add(args.dfd as usize * 8);
+        let pat = (*file).f_path;
+        let pathname = pat.dentry;
+        let mut huh = [0u8; 64];
+        let xxxx = (*pathname).d_name.name;
+        let aa = core::slice::from_raw_parts(xxxx, 10);
+        info!(&ctx, "dawdwa: {}", str::from_utf8_unchecked(aa))
+        //let filename = bpf_probe_read_kernel_str_bytes(xxxx.name, &mut huh);
+    }
+
+    let _ = bpf_probe_read_user_str_bytes(args.filename, &mut buf);
+    let xd = &buf;
+    info!(
+        &ctx,
+        "Tf {} {} dfd: {}",
+        ma,
+        str::from_utf8_unchecked(xd),
+        args.dfd
+    );
+
+    Ok(0)
+}
+
+unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<u32, u32> {
+    info!(&ctx, "handle_sys_open_exit start");
+    let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+
+    let tgid = ctx.tgid();
+    if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
+        let SyscallInfo::Write(mut syscall_write) = syscall;
+        syscall_write.ret = ret;
+        EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
+        let _ = SYSCALL_ENTERS.remove(&tgid);
+        return Ok(0);
+    }
+
+    Err(0)
+}
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
new file mode 100644
index 0000000..b204b45
--- /dev/null
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -0,0 +1,62 @@
+use crate::*;
+
+pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
+    match syscall_type {
+        SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) },
+        SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) },
+    }
+}
+
+unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<u32, u32> {
+    // info!(&ctx, "handle_sys_write start");
+    #[derive(Clone, Copy)]
+    struct WriteSyscallArgs {
+        fd: u64,
+        buf: *const u8,
+        count: u64,
+    }
+    let args = *ptr_at::<WriteSyscallArgs>(&ctx, 16).unwrap_unchecked();
+
+    // if fd is stdout, stderr or stdin, ignore
+    if args.fd <= 2 {
+        return Ok(0);
+    }
+
+    let mut buf = [0u8; 96]; //we need to make this muuuuuch bigger, we could use some sync with a bpf ds
+    let _ = bpf_probe_read_user_str_bytes(args.buf, &mut buf);
+    let buf_ref = &buf;
+
+    let mut anotherbuf = [0u8; 96];
+    let _ = bpf_probe_read_kernel_str_bytes(buf_ref.as_ptr(), &mut anotherbuf);
+
+    let tgid: u32 = ctx.tgid();
+    let _ = SYSCALL_ENTERS.insert(
+        &tgid,
+        &SyscallInfo::Write(WriteSyscallBPF {
+            pid: ctx.pid(),
+            fd: args.fd,
+            buf: anotherbuf,
+            count: args.count,
+            ret: -9999,
+        }),
+        0,
+    );
+
+    Ok(0)
+}
+
+unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result<u32, u32> {
+    //info!(&ctx, "handle_sys_write_exit start");
+    let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+
+    let tgid = ctx.tgid();
+    if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
+        let SyscallInfo::Write(mut syscall_write) = syscall;
+        syscall_write.ret = ret;
+        EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
+        let _ = SYSCALL_ENTERS.remove(&tgid);
+        return Ok(0);
+    }
+
+    Err(0)
+}
generated by cgit-pink (baitinq) at 2025-11-11 06:27:56 +0000