From c776f2ea2e6387b26994601cebde8819ab237a3f Mon Sep 17 00:00:00 2001
From: Baitinq <manuelpalenzuelamerino@gmail.com>
Date: Sun, 9 Jun 2024 23:23:52 +0200
Subject: fs-tracer: Handle open files state

---
 fs-tracer-common/src/lib.rs          |  5 ++---
 fs-tracer-ebpf/src/syscalls/open.rs  | 18 ++++++++---------
 fs-tracer-ebpf/src/syscalls/write.rs |  1 +
 fs-tracer/src/main.rs                |  5 +++--
 fs-tracer/src/syscall_handler.rs     | 39 +++++++++++++++++++++++-------------
 5 files changed, 40 insertions(+), 28 deletions(-)

diff --git a/fs-tracer-common/src/lib.rs b/fs-tracer-common/src/lib.rs
index cee95e1..3615dec 100644
--- a/fs-tracer-common/src/lib.rs
+++ b/fs-tracer-common/src/lib.rs
@@ -4,7 +4,6 @@
 use aya_ebpf::cty::c_long;
 use core::ffi::c_int;
 use core::ffi::c_size_t;
-use core::ffi::c_uint;
 use core::ffi::CStr;
 use core::fmt::{self, Formatter};
 use core::str;
@@ -21,7 +20,7 @@ pub enum SyscallInfo {
 #[derive(Clone, Copy)]
 pub struct WriteSyscallBPF {
     pub pid: u32,
-    pub fd: c_uint,
+    pub fd: c_int,
     pub buf: [u8; 96], //TODO: might want to use c_char here
     pub count: c_size_t,
 
@@ -49,7 +48,7 @@ pub struct OpenSyscallBPF {
     pub filename: [u8; 96],
     pub flags: c_int,
     pub mode: umode_t,
-    pub ret: c_long,
+    pub ret: c_int,
 }
 
 unsafe impl Sync for OpenSyscallBPF {}
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 8f48672..9d5280d 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -66,14 +66,14 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
         )
     };
 
-    info!(
-        &ctx,
-        "filename: {} dfd: {}, flags: {}, pid: {}",
-        filename,
-        args.dfd,
-        args.flags,
-        ctx.pid()
-    );
+    // info!(
+    //     &ctx,
+    //     "filename: {} dfd: {}, flags: {}, pid: {}",
+    //     filename,
+    //     args.dfd,
+    //     args.flags,
+    //     ctx.pid()
+    // );
 
     if filename.len() < 3 {
         return Ok(0);
@@ -116,7 +116,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<c_long, c_long
 
 unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<c_long, c_long> {
     //info!(&ctx, "handle_sys_open_exit start");
-    let ret = ctx.read_at::<c_long>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
+    let ret = ctx.read_at::<c_int>(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 
     let tgid = ctx.tgid();
     if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index efad6f8..232dfba 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
@@ -39,6 +39,7 @@ unsafe fn handle_sys_write_enter(ctx: TracePointContext) -> Result<c_long, c_lon
 
     let mut anotherbuf = [0u8; 96];
     let _ = bpf_probe_read_kernel_str_bytes(buf_ref.as_ptr(), &mut anotherbuf);
+    // info!(&ctx, "handle_sys_write fd: {} pid: {}", args.fd, ctx.pid());
 
     let tgid: u32 = ctx.tgid();
     let _ = SYSCALL_ENTERS.insert(
diff --git a/fs-tracer/src/main.rs b/fs-tracer/src/main.rs
index ba2f855..bc3eae9 100644
--- a/fs-tracer/src/main.rs
+++ b/fs-tracer/src/main.rs
@@ -51,7 +51,7 @@ async fn main() -> Result<(), anyhow::Error> {
     let trace_enters_program: &mut TracePoint =
         bpf.program_mut("fs_tracer_enter").unwrap().try_into()?;
     trace_enters_program.load()?;
-    // trace_enters_program.attach("syscalls", "sys_enter_openat")?;
+    trace_enters_program.attach("syscalls", "sys_enter_openat")?;
     trace_enters_program.attach("syscalls", "sys_enter_write")?;
     // program.attach("syscalls", "sys_exit_write")?;
     //trace_enters_program.attach("syscalls", "sys_enter_lseek")?;
@@ -60,7 +60,7 @@ async fn main() -> Result<(), anyhow::Error> {
     let trace_exits_program: &mut TracePoint =
         bpf.program_mut("fs_tracer_exit").unwrap().try_into()?;
     trace_exits_program.load()?;
-    // trace_exits_program.attach("syscalls", "sys_exit_openat")?;
+    trace_exits_program.attach("syscalls", "sys_exit_openat")?;
     trace_exits_program.attach("syscalls", "sys_exit_write")?;
 
     println!("Num of cpus: {}", online_cpus()?.len());
@@ -116,6 +116,7 @@ async fn main() -> Result<(), anyhow::Error> {
         // Batching. TODO: we can probably increase this value but we need to increase max message
         // in kafka or compress or smth. We should probably batch taking into account the message
         // size and also sent messages from multiple threads somehow.
+        // We might just need websockets
         if i % 4000 != 0 {
             continue;
         }
diff --git a/fs-tracer/src/syscall_handler.rs b/fs-tracer/src/syscall_handler.rs
index fec8ecc..12c218e 100644
--- a/fs-tracer/src/syscall_handler.rs
+++ b/fs-tracer/src/syscall_handler.rs
@@ -1,23 +1,35 @@
-use std::{collections::HashMap, sync::mpsc::Sender};
+use std::{collections::HashMap, ffi::CStr, sync::mpsc::Sender};
 
 use fs_tracer_common::SyscallInfo;
 
 pub struct SyscallHandler {
     resolved_files: Sender<String>,
-    syscall_map: HashMap<u64, fn([u64; 6]) -> u64>, //TODO
+    open_files: HashMap<i32, String>,
 }
 
 impl SyscallHandler {
     pub fn new(resolved_files: Sender<String>) -> Self {
         Self {
             resolved_files,
-            syscall_map: HashMap::new(),
+            open_files: HashMap::new(),
         }
     }
 
-    pub fn handle_syscall(&self, data: SyscallInfo) -> u64 {
+    pub fn handle_syscall(&mut self, data: SyscallInfo) -> u64 {
         match data {
             SyscallInfo::Write(x) => {
+                let filename = self.open_files.get(&x.fd);
+                let filename = match filename {
+                    None => {
+                        println!("DIDNT FIND AN OPEN FILE FOR THE WRITE SYSCALL");
+                        return 0;
+                    }
+                    Some(x) => x,
+                };
+                let contents = CStr::from_bytes_until_nul(&x.buf)
+                    .unwrap_or_default()
+                    .to_str()
+                    .unwrap_or_default();
                 println!("WRITE KERNEL: DATA {:?}", x);
                 let _ = self.resolved_files.send(format!(
                     r#"
@@ -28,22 +40,21 @@ impl SyscallHandler {
                 }}
                 "#,
                     chrono::Utc::now().to_rfc3339(),
-                    "/tmp/file.txt",
-                    "some contents!!"
+                    filename,
+                    contents,
                 ));
                 return 0;
             }
             SyscallInfo::Open(x) => {
-                // if !CStr::from_bytes_until_nul(&x.filename)
-                //     .unwrap_or_default()
-                //     .to_str()
-                //     .unwrap_or_default()
-                //     .starts_with('/')
-                // {
+                let filename = CStr::from_bytes_until_nul(&x.filename)
+                    .unwrap_or_default()
+                    .to_str()
+                    .unwrap_or_default();
                 println!("OPEN KERNEL DATA: {:?}", x);
+                println!("OPEN FILENAME: {:?}", filename);
+                self.open_files.insert(x.ret, filename.to_string());
                 return 0;
-                // }
-            }
+            } //SyscallInfo::Close
         }
     }
 }
-- 
cgit 1.4.1