fs-tracer-ebpf/src/syscalls/open.rs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79

#![feature(ptr_metadata)]

use aya_bpf::helpers::{bpf_d_path, bpf_probe_read};

use crate::*;

pub fn handle_sys_open(ctx: TracePointContext, syscall_type: SyscallType) -> Result<u32, u32> {
    //info!(&ctx, "called");
    match syscall_type {
        SyscallType::Enter => unsafe { handle_sys_open_enter(ctx) },
        SyscallType::Exit => unsafe { handle_sys_open_exit(ctx) },
    }
}

unsafe fn handle_sys_open_enter(ctx: TracePointContext) -> Result<u32, u32> {
    //info!(&ctx, "handle_sys_open_enter start");
    let x = bpf_get_current_task_btf() as *const task_struct;
    let pid = (*x).fs as *const fs_struct;
    let uwu = (*pid).pwd;
    let ra = uwu.dentry as *const dentry;
    let ma = str::from_utf8_unchecked(&(*ra).d_iname);
    let mut buf = [0u8; 120];
    #[derive(Clone, Copy)]
    struct OpenAtSyscallArgs {
        dfd: i64,
        filename: *const u8,
        flags: u64,
        mode: u64,
    }

    //TODO: Check if the flags is relative

    let args = *ptr_at::<OpenAtSyscallArgs>(&ctx, 16).unwrap_unchecked();

    if args.dfd == -100 {
        info!(&ctx, "wat")
    } else {
        info!(&ctx, "not relative {}", args.dfd);
        let files = (*x).files;
        let fdt = (*files).fdt;
        let fdd = (*fdt).fd;
        let file = (*fdd).add(args.dfd as usize * 8);
        let pat = (*file).f_path;
        let pathname = pat.dentry;
        let mut huh = [0u8; 64];
        let xxxx = (*pathname).d_name.name;
        let aa = core::slice::from_raw_parts(xxxx, 10);
        info!(&ctx, "dawdwa: {}", str::from_utf8_unchecked(aa))
        //let filename = bpf_probe_read_kernel_str_bytes(xxxx.name, &mut huh);
    }

    let _ = bpf_probe_read_user_str_bytes(args.filename, &mut buf);
    let xd = &buf;
    info!(
        &ctx,
        "Tf {} {} dfd: {}",
        ma,
        str::from_utf8_unchecked(xd),
        args.dfd
    );

    Ok(0)
}

unsafe fn handle_sys_open_exit(ctx: TracePointContext) -> Result<u32, u32> {
    info!(&ctx, "handle_sys_open_exit start");
    let ret = *ptr_at::<i64>(&ctx, 16).unwrap_unchecked(); //TODO: We cant use unwrap, thats why we couldnt use the aya helper fns

    let tgid = ctx.tgid();
    if let Some(syscall) = SYSCALL_ENTERS.get(&tgid) {
        let SyscallInfo::Write(mut syscall_write) = syscall;
        syscall_write.ret = ret;
        EVENTS.output(&ctx, &SyscallInfo::Write(syscall_write), 0);
        let _ = SYSCALL_ENTERS.remove(&tgid);
        return Ok(0);
    }

    Err(0)
}