Startseite Erkunden Hilfe
Registrieren Anmelden
root
/
ebpf
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: dev-XLsmart
Branches Tags
ebpf
/
ebpftracer
/
ebpf
/
file.c

file.c 2.3 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102 
  1. #include <asm-generic/fcntl.h>
    2. 

  2. 

  3. struct file_event {
    4. 

  4. 	__u32 type;
    5. 

  5. 	__u32 pid;
    6. 

  6. 	__u64 fd;
    7. 

  7. };
    8. 

  8. 

  9. struct {
    10. 

  10. 	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    11. 

  11. 	__uint(key_size, sizeof(int));
    12. 

  12. 	__uint(value_size, sizeof(int));
    13. 

  13. } file_events SEC(".maps");
    14. 

  14. 

  15. struct {
    16. 

  16. 	__uint(type, BPF_MAP_TYPE_HASH);
    17. 

  17. 	__uint(key_size, sizeof(__u64));
    18. 

  18. 	__uint(value_size, sizeof(__u32));
    19. 

  19. 	__uint(max_entries, 10240);
    20. 

  20. } open_file_info SEC(".maps");
    21. 

  21. 

  22. struct trace_event_raw_sys_enter__stub {
    23. 

  23. 	__u64 unused;
    24. 

  24. 	long int id;
    25. 

  25. 	long unsigned int args[6];
    26. 

  26. };
    27. 

  27. 

  28. struct trace_event_raw_sys_exit__stub {
    29. 

  29. 	__u64 unused;
    30. 

  30. 	long int id;
    31. 

  31. 	long int ret;
    32. 

  32. };
    33. 

  33. 

  34. static __always_inline
    35. 

  35. int trace_enter(struct trace_event_raw_sys_enter__stub* ctx, int at)
    36. 

  36. {
    37. 

  37. 	int flags = (int)ctx->args[at+1];
    38. 

  38. 	if (!(flags & O_ACCMODE & (O_WRONLY | O_RDWR))) {
    39. 

  39. 		return 0;
    40. 

  40. 	}
    41. 

  41. 	char p[7];
    42. 

  42. //	long res = bpf_probe_read_str(&p, sizeof(p), (void *)ctx->args[at]);
    43. 

  43. 	if (p[0]=='/' && p[1]=='p' && p[2]=='r' && p[3]=='o' && p[4]=='c' && p[5]=='/') {
    44. 

  44. 		return 0;
    45. 

  45. 	}
    46. 

  46. 	if (p[0]=='/' && p[1]=='d' && p[2]=='e' && p[3]=='v' && p[4]=='/') {
    47. 

  47. 		return 0;
    48. 

  48. 	}
    49. 

  49. 	if (p[0]=='/' && p[1]=='s' && p[2]=='y' && p[3]=='s' && p[4]=='/') {
    50. 

  50. 		return 0;
    51. 

  51. 	}
    52. 

  52. 	__u64 id = bpf_get_current_pid_tgid();
    53. 

  53. 	__u32 v = 1;
    54. 

  54. 	bpf_map_update_elem(&open_file_info, &id, &v, BPF_ANY);
    55. 

  55. 	return 0;
    56. 

  56. }
    57. 

  57. 

  58. static __always_inline
    59. 

  59. int trace_exit(struct trace_event_raw_sys_exit__stub* ctx)
    60. 

  60. {
    61. 

  61. 	__u64 id = bpf_get_current_pid_tgid();
    62. 

  62. 	if (!bpf_map_lookup_elem(&open_file_info, &id)) {
    63. 

  63. 		return 0;
    64. 

  64. 	}
    65. 

  65. 	bpf_map_delete_elem(&open_file_info, &id);
    66. 

  66. 	if (ctx->ret < 0) {
    67. 

  67. 		return 0;
    68. 

  68. 	}
    69. 

  69. 	struct file_event e = {
    70. 

  70. 		.type = EVENT_TYPE_FILE_OPEN,
    71. 

  71. 		.pid = id >> 32,
    72. 

  72. 		.fd = ctx->ret,
    73. 

  73. 	};
    74. 

  74. 	bpf_perf_event_output(ctx, &file_events, BPF_F_CURRENT_CPU, &e, sizeof(e));
    75. 

  75. 	return 0;
    76. 

  76. }
    77. 

  77. 

  78. #if defined(__TARGET_ARCH_x86)
    79. 

  79. SEC("tracepoint/syscalls/sys_enter_open")
    80. 

  80. int sys_enter_open(struct trace_event_raw_sys_enter__stub* ctx)
    81. 

  81. {
    82. 

  82. 	return trace_enter(ctx, 0);
    83. 

  83. }
    84. 

  84. 

  85. SEC("tracepoint/syscalls/sys_exit_open")
    86. 

  86. int sys_exit_open(struct trace_event_raw_sys_exit__stub* ctx)
    87. 

  87. {
    88. 

  88. 	return trace_exit(ctx);
    89. 

  89. }
    90. 

  90. #endif
    91. 

  91. 

  92. SEC("tracepoint/syscalls/sys_enter_openat")
    93. 

  93. int sys_enter_openat(struct trace_event_raw_sys_enter__stub* ctx)
    94. 

  94. {
    95. 

  95. 	return trace_enter(ctx, 1);
    96. 

  96. }
    97. 

  97. 

  98. SEC("tracepoint/syscalls/sys_exit_openat")
    99. 

  99. int sys_exit_openat(struct trace_event_raw_sys_exit__stub* ctx)
    100. 

  100. {
    101. 

  101. 	return trace_exit(ctx);
    102. 

  102. }
    103.