Merge pull request #826 from sf1999817/develop
fs_watcher:给open系统调用添加提取路径参数信息还有文件描述符
Showing
3 changed files
with
150 additions
and
96 deletions.
108 changes: 61 additions & 47 deletions
108
eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/open.bpf.c
@@ -1,63 +1,77 @@ | ||
#include "vmlinux.h" | ||
#include <bpf/bpf_helpers.h> //包含了BPF 辅助函数 | ||
#define BPF_NO_GLOBAL_DATA | ||
#include <vmlinux.h> | ||
#include <bpf/bpf_helpers.h> | ||
#include <bpf/bpf_tracing.h> | ||
#include "open.h" | ||
#include <bpf/bpf_core_read.h> | ||
|
||
char LICENSE[] SEC("license") = "Dual BSD/GPL"; | ||
#define TASK_COMM_LEN 100 | ||
#define path_size 256 | ||
|
||
// 定义哈希映射 | ||
struct { | ||
__uint(type, BPF_MAP_TYPE_HASH); | ||
__uint(max_entries, 1024); | ||
__type(key, pid_t); | ||
__type(value, u64); | ||
} fdtmp SEC(".maps"); | ||
__type(value, char[TASK_COMM_LEN]); | ||
} data SEC(".maps"); | ||
|
||
struct event { | ||
int pid_; | ||
char path_name_[path_size]; | ||
int n_; | ||
char comm[TASK_COMM_LEN]; | ||
}; | ||
|
||
struct { | ||
__uint(type, BPF_MAP_TYPE_RINGBUF); | ||
__uint(max_entries, 256 * 1024); | ||
} rb SEC(".maps"); | ||
|
||
SEC("kprobe/do_sys_openat2") | ||
int BPF_KPROBE(do_sys_openat2) | ||
{ | ||
struct fs_t fs; | ||
pid_t pid; | ||
|
||
//pid | ||
pid = bpf_get_current_pid_tgid() >> 32; | ||
fs.pid = pid; | ||
|
||
//uid | ||
fs.uid = bpf_get_current_uid_gid(); | ||
|
||
//fd,file descriptor | ||
int fd = PT_REGS_RC(ctx); | ||
if (fd >= 0) | ||
fs.fd = fd; | ||
else | ||
fs.fd= -1; | ||
|
||
//time | ||
unsigned long long ts = bpf_ktime_get_ns(); | ||
fs.ts = ts; | ||
bpf_map_update_elem(&fdtmp, &pid, &ts, BPF_ANY); | ||
|
||
//从环形缓冲区(ring buffer)中分配一块内存来存储一个名为 struct fs_t 类型的数据,并将该内存块的指针赋值给指针变量 e | ||
struct fs_t *e; | ||
} rb SEC(".maps"); // 环形缓冲区 | ||
|
||
|
||
SEC("tracepoint/syscalls/sys_enter_openat") | ||
int do_syscall_trace(struct trace_event_raw_sys_enter *ctx) | ||
{ | ||
struct event *e; | ||
char comm[TASK_COMM_LEN]; | ||
bpf_get_current_comm(&comm,sizeof(comm)); | ||
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0); | ||
if (!e) return 0; | ||
|
||
//给变量e赋值 | ||
e->pid = fs.pid; | ||
e->uid = fs.uid; | ||
e->fd = fs.fd; | ||
e->ts = fs.ts; | ||
bpf_get_current_comm(e->comm, sizeof(e->comm)); | ||
|
||
// 成功地将其提交到用户空间进行后期处理 | ||
if (!e) | ||
return 0; | ||
|
||
char filename[path_size]; | ||
struct task_struct *task = (struct task_struct *)bpf_get_current_task(), | ||
*real_parent; | ||
if (task == NULL) { | ||
bpf_printk("task\n"); | ||
bpf_ringbuf_discard(e, 0); | ||
return 0; | ||
} | ||
int pid = bpf_get_current_pid_tgid() >> 32, tgid; | ||
|
||
bpf_map_update_elem(&data, &pid, &comm, BPF_ANY); | ||
|
||
int ppid = BPF_CORE_READ(task, real_parent, tgid); | ||
|
||
bpf_probe_read_str(e->path_name_, sizeof(e->path_name_), | ||
(void *)(ctx->args[1])); | ||
|
||
bpf_printk("path name: %s,pid:%d,ppid:%d\n", e->path_name_, pid, ppid); | ||
|
||
struct fdtable *fdt = BPF_CORE_READ(task, files, fdt); | ||
if (fdt == NULL) { | ||
bpf_printk("fdt\n"); | ||
bpf_ringbuf_discard(e, 0); | ||
return 0; | ||
} | ||
|
||
unsigned int i = 0, count = 0, n = BPF_CORE_READ(fdt, max_fds); | ||
bpf_printk("n:%d\n", n); | ||
|
||
e->n_ = n; | ||
e->pid_ = pid; | ||
|
||
bpf_ringbuf_submit(e, 0); | ||
|
||
return 0; | ||
return 0; | ||
} | ||
|
||
char LICENSE[] SEC("license") = "GPL"; |
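Review bot: The filename pointer taken from `ctx->args[1]` in do_syscall_trace is a user-space address, but it is copied with the deprecated `bpf_probe_read_str` and the helper's return value is never checked, so a failed copy still submits an event whose path is indistinguishable from an empty one; use `long len = bpf_probe_read_user_str(e->path_name_, sizeof(e->path_name_), (const void *)ctx->args[1]);` followed by `if (len < 0) { bpf_ringbuf_discard(e, 0); return 0; }` before the printk. The `comm` member of `struct event` is declared but, as far as the hunk shows, never written on the new path — the process name goes only into the local `comm` and the `data` map — so user space reads whatever bytes that ring-buffer slot last held; `bpf_get_current_comm(e->comm, sizeof(e->comm));` right after the reserve fixes that. `n_` is assigned `fdt->max_fds`, the current size of the task's fd table, not the descriptor the commit title says is extracted; at `sys_enter_openat` the fd does not exist yet, so it would have to come from a matching `sys_exit_openat` probe. The locals `real_parent`, `tgid`, `i` and `count` appear unused, and the `data` map is only ever updated and never cleared, so once it reaches its 1024 entries the unchecked `bpf_map_update_elem` starts failing silently.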