From 0b654a51fdd208f755a11938032f385075acb824 Mon Sep 17 00:00:00 2001
From: Baitinq
Date: Sun, 31 Mar 2024 12:14:56 +0200
Subject: TODO

---
 fs-tracer-ebpf/src/main.rs | 8 +++---
 fs-tracer-ebpf/src/syscalls/mod.rs | 3 ++-
 fs-tracer-ebpf/src/syscalls/open.rs | 51 ++++++++++++++++++++++++++++--------
 fs-tracer-ebpf/src/syscalls/write.rs | 17 +++++++++---
 4 files changed, 59 insertions(+), 20 deletions(-)
(limited to 'fs-tracer-ebpf')

diff --git a/fs-tracer-ebpf/src/main.rs b/fs-tracer-ebpf/src/main.rs
index d6d6640..8287a7f 100644
--- a/fs-tracer-ebpf/src/main.rs
+++ b/fs-tracer-ebpf/src/main.rs
@@ -1,12 +1,11 @@
 #![no_std]
 #![no_main]
 #![feature(c_size_t)]
-
+#![feature(let_chains)]
 #![allow(warnings, unused)]
-mod vmlinux;
 mod syscalls;
+mod vmlinux;
-use core::str;
 use aya_ebpf::cty::{c_int, c_long};
 use aya_ebpf::maps::HashMap;
 use aya_ebpf::{
@@ -16,6 +15,7 @@ use aya_ebpf::{
 EbpfContext,
 };
 use aya_log_ebpf::info;
+use core::str;
 use fs_tracer_common::{SyscallInfo, WriteSyscallBPF};
 #[map]
@@ -52,7 +52,7 @@ pub fn fs_tracer_exit(ctx: TracePointContext) -> c_long {
 }
 fn try_fs_tracer(ctx: TracePointContext, syscall_type: SyscallType) -> Result {
- let syscall_nr = unsafe { ctx.read_at::(8)? } ;
+ let syscall_nr = unsafe { ctx.read_at::(8)? };
 handle_syscall(ctx, syscall_nr, syscall_type)
 }
diff --git a/fs-tracer-ebpf/src/syscalls/mod.rs b/fs-tracer-ebpf/src/syscalls/mod.rs
index 7bae953..de2224a 100644
--- a/fs-tracer-ebpf/src/syscalls/mod.rs
+++ b/fs-tracer-ebpf/src/syscalls/mod.rs
@@ -1,2 +1,3 @@
 pub mod open;
-pub mod write;
\ No newline at end of file
+pub mod write;
+
diff --git a/fs-tracer-ebpf/src/syscalls/open.rs b/fs-tracer-ebpf/src/syscalls/open.rs
index 41f0c5e..69458f5 100644
--- a/fs-tracer-ebpf/src/syscalls/open.rs
+++ b/fs-tracer-ebpf/src/syscalls/open.rs
@@ -6,6 +6,7 @@ use aya_ebpf::{
 },
 maps::PerCpuArray,
 };
+use fs_tracer_common::OpenSyscallBPF;
 use crate::{
 vmlinux::{task_struct, umode_t},
@@ -13,7 +14,7 @@ use crate::{
 };
 const AT_FDCWD: c_int = -100;
-const MAX_PATH: usize = 4096;
+const MAX_PATH: usize = 96; //TODO: 4096
 #[repr(C)]
 pub struct Buffer {
@@ -39,7 +40,6 @@ pub fn handle_sys_open(
 unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result {
 //info!(&ctx, "handle_sys_open_enter start");
- let mut task = bpf_get_current_task_btf() as *mut task_struct;
 #[repr(C)]
 #[derive(Clone, Copy)]
@@ -59,7 +59,7 @@ unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result Result Result let ret = ctx.read_at::(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 let tgid = ctx.tgid();
- if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
- let SyscallInfo::Write(mut syscall_write) = syscall;
- syscall_write.ret = ret;
- EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
+ if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
+ && let SyscallInfo::Open(mut syscall_open) = syscall
+ {
+ syscall_open.ret = ret;
+ EVENTS.output(&ctx, &SyscallInfo::Open(syscall_open), 0);
 let _ = SYSCALL_ENTERS.remove(&tgid);
 return Ok(0);
 }
@@ -118,7 +147,7 @@ unsafe fn get_task_pwd<'a>(
 break;
 }
- *result.buf.as_mut_ptr().add(num_chars) = '/' as u8;
+ *result.buf.as_mut_ptr().add(num_chars) = '/' as u8; //TODO: Look at this to get char
 num_chars += 1;
 for i in 0..iname.len() {
 *result.buf.as_mut_ptr().add(num_chars) = iname[i]; //we shouldnt append but prepend
diff --git a/fs-tracer-ebpf/src/syscalls/write.rs b/fs-tracer-ebpf/src/syscalls/write.rs
index b7e7a89..efad6f8 100644
--- a/fs-tracer-ebpf/src/syscalls/write.rs
+++ b/fs-tracer-ebpf/src/syscalls/write.rs
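Review bot: Lowering `MAX_PATH` from 4096 to 96 means any path longer than that which `get_task_pwd` assembles into the buffer is silently cut short, and nothing in this diff records that a truncation happened, so a consumer of the emitted `OpenSyscallBPF` event cannot tell a complete path from a clipped one. The `//TODO: 4096` comment should say why the value was lowered (presumably an eBPF stack or verifier limit, which I cannot confirm from the hunk) and what the consequence is, e.g. `//TODO: 4096 — lowered to fit [REASON]; longer paths are truncated, see get_task_pwd`. Since the `as_mut_ptr().add(num_chars)` writes in the `get_task_pwd` hunk below depend on `num_chars` staying below `MAX_PATH` and the bound check is outside the visible lines, it is worth re-checking that the guard uses the constant rather than a literal. Consider also surfacing the truncation to user space (a flag or the real length in the event) so a clipped path is not treated as authoritative.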
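Review bot: The new let-chain in `handle_sys_open_exit` looks up `SYSCALL_ENTERS` by `ctx.tgid()`, which is the process id, so two threads of the same process that are inside an `open` and a `write` at the same time share a single map slot: the exit of one thread can read and remove the entry the other thread's enter stored, and when the stored variant is not `Open` the chain falls through and leaves a stale entry that nothing in this hunk removes. If the enter side keys the map by tgid as well (not visible here), keying on the full `bpf_get_current_pid_tgid()` value, or at least on `ctx.pid()` (the thread id), avoids the collision; the same issue applies to the `handle_sys_write_exit` hunk in write.rs. The function's signature and first lines are fused with the preceding hunk headers in this rendering, and its body continues past the hunk.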
@@ -1,9 +1,17 @@
+#![feature(let_chains)]
+
+use aya_ebpf::{
+ cty::{c_char, c_uint},
+ helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes},
+};
 use core::ffi::c_size_t;
-use aya_ebpf::{cty::{c_char, c_uint}, helpers::{bpf_probe_read_kernel_str_bytes, bpf_probe_read_user_str_bytes}};
 use crate::*;
-pub fn handle_sys_write(ctx: TracePointContext, syscall_type: SyscallType) -> Result {
+pub fn handle_sys_write(
+ ctx: TracePointContext,
+ syscall_type: SyscallType,
+) -> Result {
 match syscall_type {
 SyscallType::Enter => unsafe { handle_sys_write_enter(ctx) },
 SyscallType::Exit => unsafe { handle_sys_write_exit(ctx) },
@@ -53,8 +61,9 @@ unsafe fn handle_sys_write_exit(ctx: TracePointContext) -> Result(16)?; //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns
 let tgid = ctx.tgid();
- if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
- let SyscallInfo::Write(mut syscall_write) = syscall;
+ if let Some(syscall) = SYSCALL_ENTERS.get(&tgid)
+ && let SyscallInfo::Write(mut syscall_write) = syscall
+ {
 syscall_write.ret = ret;
 EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
 let _ = SYSCALL_ENTERS.remove(&tgid);
-- 
cgit 1.4.1
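Review bot: `#![feature(let_chains)]` is a crate-level attribute and this same commit already adds it to the crate root in main.rs, so the copy at the top of write.rs is redundant; I believe rustc reports a crate-level attribute in a non-root module under the `unused_attributes` lint, which only goes unnoticed here because main.rs carries `#![allow(warnings, unused)]`. Drop the first two added lines (`#![feature(let_chains)]` and the blank line) and keep only the `use aya_ebpf::{ ... }` reformatting and the `handle_sys_write` signature wrap.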