Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r-- | fs-tracer-ebpf/src/main.rs | 53 |
1 files changed, 50 insertions, 3 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index f6d7dfb..03ac2ba 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -3,7 +3,7 @@ use aya_bpf::{
     macros::tracepoint,
-    programs::TracePointContext,
+    programs::TracePointContext, BpfContext,
     cty::{int32_t, uint32_t},
 };
 
 use aya_log_ebpf::info;
 
@@ -15,9 +15,56 @@ pub fn fs_tracer(ctx: TracePointContext) -> u32 {
     }
 }
 
+#[inline(always)]
+fn ptr_at<T>(ctx: &TracePointContext, offset: usize) -> Option<*const T> {
+    let start = ctx.as_ptr();
+
+    Some(unsafe { start.add(offset) } as *const T)
+}
+
 fn try_fs_tracer(ctx: TracePointContext) -> Result<u32, u32> {
-    info!(&ctx, "tracepoint syscalls called");
-    Ok(0)
+    let syscall_nr = unsafe { * ptr_at::<int32_t>(&ctx, 8).unwrap() };
+
+    return handle_syscall(ctx, syscall_nr);
+}
+
+fn handle_syscall(ctx: TracePointContext, syscall_nr: i32) -> Result<u32, u32> {
+    match syscall_nr {
+        1 => { //i dont think the numbers are right
+            return handle_sys_write(ctx);
+        },
+        3 => {
+            return Ok(0)
+            //handle_sys_open(ctx);
+        },
+        8 => {
+            return Ok(0)
+            //handle_sys_lseek(ctx);
+        },
+        57 => {
+            return Ok(0)
+            //handle_sys_close(ctx);
+        },
+        _ => {
+            panic!("syscall: {}",syscall_nr);
+        }
+    }
+}
+
+#[derive(Clone, Copy)]
+struct WriteArgs {
+    fd: int32_t,
+    buf: *const u8,
+    count: uint32_t,
+}
+
+fn handle_sys_write(ctx: TracePointContext) -> Result<u32, u32> {
+    info!(&ctx, "handle_sys_write");
+    let args = unsafe { *ptr_at::<WriteArgs>(&ctx, 0).unwrap() };
+
+    info!(&ctx, "fd: {}", args.fd);
+
+    return Ok(0)
 }
 
 #[panic_handler]
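Review bot: `handle_sys_write` dereferences a `WriteArgs` read from the tracepoint context at offset 0, but `WriteArgs` has no `#[repr(C)]`, so Rust may reorder its fields and the raw read is not layout-stable; on a sys_enter tracepoint the record starts with the 8-byte common header, the syscall id at offset 8 and six 8-byte argument slots from offset 16, so offset 0 would overlay the header rather than `fd` (and I believe the verifier refuses tracepoint ctx loads below offset 8 at load time, so this would fail to attach) — a layout such as `#[repr(C)] struct WriteArgs { fd: u64, buf: u64, count: u64 }` read from offset 16 matches that format, though the offsets should be confirmed against the tracepoint's `format` file. The `_` arm of `handle_syscall` panics for every syscall not listed, which on a syscall-wide tracepoint is the common path rather than an invariant violation; `_ => Ok(0),` so unmatched syscalls are simply ignored. `ptr_at` never compares `offset` against the record size and unconditionally returns `Some`, so both the `Option` and the two `unwrap()` calls are vestigial — either drop the `Option` or return `None` when `offset + size_of::<T>()` would run past the context. The author's comment on the `1 =>` arm already doubts the numbers; on x86_64, 1/3/8/57 are write/close/lseek/fork, so the commented `handle_sys_open` and `handle_sys_close` names on the `3` and `57` arms do not match the arms they sit in, and `return` at the tail of each arm and of `try_fs_tracer`/`handle_sys_write` can be plain expressions.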