diff --git a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c index 2ed6badfe..514bc3350 100644 --- a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c +++ b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c @@ -17,60 +17,44 @@ struct { __uint(max_entries,256 * 1024); } rb SEC(".maps"); - -SEC("kprobe/do_sys_openat2") -int BPF_KPROBE(do_sys_openat2) +SEC("kretprobe/do_sys_openat2") +int BPF_KRETPROBE(do_sys_openat2_exit,long fd) { - int value = 1; struct fs_t *e; pid_t pid; - + pid = bpf_get_current_pid_tgid() >> 32; - int fd = PT_REGS_RC(ctx); - if(fd >= 0){ - //将PID和文件描述符存入哈希映射 - e->fd = fd; - bpf_map_update_elem(&data,&pid,&value,BPF_ANY); - } - return 0; + bpf_printk("pid = %d",pid); + + e = bpf_ringbuf_reserve(&rb,sizeof(*e),0); + if(!e) + return 0; + + bpf_map_update_elem(&data,&pid,&fd,BPF_ANY); + bpf_ringbuf_submit(e,0); } SEC("kprobe/vfs_write") - -int kprobe_vfs_write(struct pt_regs *ctx) +int BPF_KPROBE(vfs_write) { - struct file *filp; - pid_t pid; struct fs_t *e; int *fd_ptr; + pid_t pid; - //探测的是第一个参数,文件指针 - filp = PT_REGS_PARM1(ctx); - - //探测的是第三个参数,要写入的字节数 - size_t count = (size_t)PT_REGS_PARM3(ctx); - - //这是vfs_write的返回值,它是一个实际写入的字节数 - size_t real_count = PT_REGS_RC(ctx); - pid = bpf_get_current_pid_tgid() >> 32; - - //获取文件描述符指针 - fd_ptr = bpf_map_lookup_elem(&data,&pid); - e = bpf_ringbuf_reserve(&rb,sizeof(*e),0); + fd_ptr = bpf_map_lookup_elem(&data,&pid); + e = bpf_ringbuf_reserve(&rb,sizeof(*e),0); if(!e) return 0; - //如果探测到的指针不为空 if(fd_ptr){ - int fd = *fd_ptr; - e->fd = fd; - e->real_count = real_count; - e->count = count; + int fd_value = *fd_ptr; + e->fd = fd_value; e->pid = pid; - } + } bpf_ringbuf_submit(e,0); return 0; -} \ No newline at end of file +} + diff --git a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.c b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.c index b1d9c5fe4..17214a5f4 100644 --- a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.c +++ b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.c @@ -7,7 +7,6 @@ #include "write.h" #include "write.skel.h" -#define PATH_MAX 128 static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args) { @@ -27,19 +26,10 @@ static int write_event(void *ctx, void *data, size_t data_sz) struct tm *tm; char ts[32]; time_t t; - char path[PATH_MAX]; time(&t); tm = localtime(&t); strftime(ts, sizeof(ts), "%H:%M:%S", tm); - //获取文件真实路径 - snprintf(path,sizeof(path),"/proc/self/fd/%d",e->fd); - //通过realpath来合并文件路径 - char *real_path = realpath(path,NULL); - if(real_path != NULL){ - printf("%-8s %-7d %-7ld %-7ld %-7s\n", ts, e->pid,e->real_count,e->count,real_path); - free(real_path); - } - + printf("%-8s %-7ld %-7ld\n", ts, e->pid,e->fd); return 0; } @@ -87,7 +77,7 @@ int main(int argc, char **argv) } /* Process events */ - printf("%-8s %-7s %-7s %-7s %-7s %-7s\n", "TIME", "PID","Real_Count","Count","Real_Path"); + // printf("%-8s %-7s %-7s %-7s %-7s %-7s\n", "TIME", "PID","Count","Real_Path"); while (!exiting) { err = ring_buffer__poll(rb, 100 /* timeout, ms */); /* Ctrl-C will cause -EINTR */ @@ -102,9 +92,17 @@ int main(int argc, char **argv) } } + // printf("Successfully started! Please run `sudo cat /sys/kernel/debug/tracing/trace_pipe` to see output of the BPF programs.\n"); + // for (;;) { + // /* trigger our BPF program */ + // fprintf(stderr, "."); + // sleep(1); + // } + cleanup: /* Clean up */ ring_buffer__free(rb); write_bpf__destroy(skel); + return err < 0 ? -err : 0; } \ No newline at end of file diff --git a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.h b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.h index 8e6d94343..7c757439e 100644 --- a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.h +++ b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.h @@ -1,13 +1,9 @@ #ifndef __WRITE_H #define __WRITE_H - -//获取vfs_write各个参数信息 +// #define PATH_MAX 256 struct fs_t { int fd; - int pid; - - size_t real_count; - size_t count; + pid_t pid; }; #endif /* __WRITE_H */ \ No newline at end of file