Diffstat (limited to 'fs-tracer-ebpf')
-rw-r--r--fs-tracer-ebpf/src/main.rs5
-rw-r--r--fs-tracer-ebpf/src/syscalls/close.rs57
-rw-r--r--fs-tracer-ebpf/src/syscalls/mod.rs2
-rw-r--r--fs-tracer-ebpf/src/syscalls/write.rs2
4 files changed, 59 insertions, 7 deletions
diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index 8287a7f..a6794f5 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -68,11 +68,8 @@ fn handle_syscall(
         /*8 => {
             Ok(0)
             //handle_sys_lseek(ctx);
-        }
-        3 => {
-            Ok(0)
-            //handle_sys_close(ctx);
         }*/
+        3 => syscalls::close::handle_sys_close(ctx, syscall_type),
         _ => {
             info!(&ctx, "unhandled syscall: {}", syscall_nr);
             Err(1)
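Review bot: The commented-out `/*8 => { … }*/` lseek arm stays behind in the match once the close arm is pulled out of it, so the block now holds only dead code; delete it and, if a reminder is wanted, keep a one-line `// TODO: lseek (nr 8) is not handled yet and falls through to the unhandled arm` in its place. The new `3 => syscalls::close::handle_sys_close(ctx, syscall_type),` arm itself reads fine. handle_syscall begins and ends outside the hunk.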
diff --git a/fs-tracer-ebpf/src/syscalls/close.rs b/fs-tracer-ebpf/src/syscalls/close.rs
new file mode 100644
index 0000000..020ad64
--- /dev/null
+++ b/fs-tracer-ebpf/src/syscalls/close.rs
@@ -0,0 +1,57 @@
+use aya_ebpf::{
+    cty::{c_char, c_uint},
+    helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes},
+};
+use core::ffi::c_size_t;
+use fs_tracer_common::CloseSyscallBPF;
+
+use crate::*;
+
+pub fn handle_sys_close(
+    ctx: TracePointContext,
+    syscall_type: SyscallType,
+) -> Result<c_long, c_long> {
+    match syscall_type {
+        SyscallType::Enter => unsafe { handle_sys_close_enter(ctx) },
+        SyscallType::Exit => unsafe { handle_sys_close_exit(ctx) },
+    }
+}
+
+unsafe fn handle_sys_close_enter(ctx: TracePointContext) -> Result<c_long, c_long> {
+    info!(&ctx, "handle_sys_close start");
+    #[repr(C)]
+    #[derive(Clone, Copy)]
+    struct CloseSyscallArgs {
+        fd: c_int,
+    }
+    let args = ctx.read_at::<CloseSyscallArgs>(16)?;
+    let tgid: u32 = ctx.tgid();
+    let _ = SYSCALL_ENTERS.insert(
+        &tgid,
+        &SyscallInfo::Close(CloseSyscallBPF {
+            pid: ctx.pid(),
+            fd: args.fd,
+            ret: -9999,
+        }),
+        0,
+    );
+
+    Ok(0)
+}
+
+unsafe fn handle_sys_close_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
+    info!(&ctx, "handle_sys_close_exit start");
+    let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+
+    let tgid = ctx.tgid();
+    if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
+        && let SyscallInfo::Close(mut syscall_close) = syscall
+    {
+        syscall_close.ret = ret;
+        EVENTS.output(&ctx, &SyscallInfo::Close(syscall_close), 0);
+        let _ = SYSCALL_ENTERS.remove(&tgid);
+        return Ok(0);
+    }
+
+    Err(0)
+}
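Review bot: `handle_sys_close_enter` keys the pending entry on `ctx.tgid()` (the process id) while the `fd` and `ret` it records belong to one thread, so two threads of the same process closing descriptors concurrently overwrite each other's entry and `handle_sys_close_exit` can emit one thread's `ret` against the other's `fd`. If SYSCALL_ENTERS takes a `u32` key, keying both handlers on the thread id, `let tid = ctx.pid();`, avoids that; the map's declaration and the open/write handlers are outside this diff, so confirm the key type and whether they follow the same convention before changing it. The import block at the top is copied from write.rs: `c_char`, `c_uint`, `bpf_probe_read_kernel_str_bytes`, `bpf_probe_read_user_str_bytes` and `c_size_t` are not used anywhere in this file and should be dropped. The bare `16` passed to `read_at` in both handlers deserves a comment, e.g. `// offset of the first syscall argument / the return value in the tracepoint record (after the common header and the syscall id) — verify against the tracepoint format`. Likewise `ret: -9999` needs a note saying whether userspace treats it as "exit not seen yet", since nothing here explains the placeholder.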
diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs
index de2224a..8661535 100644
--- a/fs-tracer-ebpf/src/syscalls/mod.rs
+++ b/fs-tracer-ebpf/src/syscalls/mod.rs
@@ -1,3 +1,3 @@
+pub mod close;
 pub mod open;
 pub mod write;
-
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index 951b297..6010dce 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -1,5 +1,3 @@
-#![feature(let_chains)]
-
 use aya_ebpf::{
     cty::{c_char, c_uint},
     helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes},