diff --git a/GPL/Events/EbpfEventProto.h b/GPL/Events/EbpfEventProto.h
index e1780321..d9a77087 100644
--- a/GPL/Events/EbpfEventProto.h
+++ b/GPL/Events/EbpfEventProto.h
@@ -119,9 +119,14 @@ struct ebpf_tty_dev {
 } __attribute__((packed));
 
 enum ebpf_file_type {
-    EBPF_FILE_TYPE_FILE = 1,
-    EBPF_FILE_TYPE_DIR = 2,
-    EBPF_FILE_TYPE_SYMLINK = 3,
+    EBPF_FILE_TYPE_UNKNOWN = 0,
+    EBPF_FILE_TYPE_FILE = 1,
+    EBPF_FILE_TYPE_DIR = 2,
+    EBPF_FILE_TYPE_SYMLINK = 3,
+    EBPF_FILE_TYPE_CHARACTER_DEVICE = 4,
+    EBPF_FILE_TYPE_BLOCK_DEVICE = 5,
+    EBPF_FILE_TYPE_NAMED_PIPE = 6,
+    EBPF_FILE_TYPE_SOCKET = 7,
 };
 
 struct ebpf_file_info {
@@ -131,6 +136,7 @@ struct ebpf_file_info {
     uint64_t size;
     uint32_t uid;
     uint32_t gid;
+    uint64_t atime;
     uint64_t mtime;
     uint64_t ctime;
 } __attribute__((packed));
diff --git a/GPL/Events/File/File.h b/GPL/Events/File/File.h
index 95a6c2e4..71717ef9 100644
--- a/GPL/Events/File/File.h
+++ b/GPL/Events/File/File.h
@@ -35,22 +35,9 @@
 #define S_ISFIFO(m) (((m)&S_IFMT) == S_IFIFO)
 #define S_ISSOCK(m) (((m)&S_IFMT) == S_IFSOCK)
 
-#define S_IRWXU 00700
-#define S_IRUSR 00400
-#define S_IWUSR 00200
-#define S_IXUSR 00100
+#define NANOSECONDS_IN_SECOND 1000000000
 
-#define S_IRWXG 00070
-#define S_IRGRP 00040
-#define S_IWGRP 00020
-#define S_IXGRP 00010
-
-#define S_IRWXO 00007
-#define S_IROTH 00004
-#define S_IWOTH 00002
-#define S_IXOTH 00001
-
-static int ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
+static void ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
 {
     struct inode *ino = BPF_CORE_READ(de, d_inode);
 
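Review bot: `EBPF_FILE_TYPE_UNKNOWN = 0` is undocumented in the enum, and its value matters: a zero-initialised `struct ebpf_file_info`, or one whose `type` was never set by the probe, now decodes as UNKNOWN instead of as an out-of-range value, which is the right default for a consumer but only if it is stated. I would add above the enum: `/* Wire-format constants shared with userspace; UNKNOWN is 0 so a zeroed finfo decodes as unknown rather than as a valid type. Append new values, never renumber. */`.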
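Review bot: Inserting `atime` between `gid` and `mtime` shifts the offsets of `mtime` and `ctime` in a `__attribute__((packed))` struct that is filled by the probe and parsed by userspace (EventsTrace.c reads it later in this diff), so a consumer built against the previous header would silently read the old `mtime` slot as `atime` and the old `ctime` slot as `mtime`. No version field is visible in the hunk, so this is hedged: if nothing guards the layout, appending the field after `ctime` avoids the misparse; if both sides are always rebuilt together, say so on the field, e.g. `uint64_t atime; /* ns since epoch; layout change, rebuild all consumers */`.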
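Review bot: The new `void` signature of `ebpf_file_info__fill` changes its contract, since it can no longer report failure and its callers in Probe.bpf.c stop checking it, but no comment states the contract. I would add above the definition: `/* Populate finfo from de. Never fails: an unrecognised i_mode is reported as EBPF_FILE_TYPE_UNKNOWN with finfo->mode left intact so consumers can still inspect it; timestamps are nanoseconds since the epoch. */`. The function body continues in the following hunks.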
@@ -59,8 +46,12 @@ static int ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
     finfo->size = BPF_CORE_READ(ino, i_size);
     finfo->uid = BPF_CORE_READ(ino, i_uid.val);
     finfo->gid = BPF_CORE_READ(ino, i_gid.val);
-    finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_nsec);
-    finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_nsec);
+    finfo->atime = BPF_CORE_READ(ino, i_atime.tv_sec) * NANOSECONDS_IN_SECOND +
+                   BPF_CORE_READ(ino, i_atime.tv_nsec);
+    finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_sec) * NANOSECONDS_IN_SECOND +
+                   BPF_CORE_READ(ino, i_mtime.tv_nsec);
+    finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_sec) * NANOSECONDS_IN_SECOND +
+                   BPF_CORE_READ(ino, i_ctime.tv_nsec);
 
     if (S_ISREG(finfo->mode)) {
         finfo->type = EBPF_FILE_TYPE_FILE;
@@ -68,12 +59,17 @@ static int ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
         finfo->type = EBPF_FILE_TYPE_DIR;
     } else if (S_ISLNK(finfo->mode)) {
         finfo->type = EBPF_FILE_TYPE_SYMLINK;
+    } else if (S_ISCHR(finfo->mode)) {
+        finfo->type = EBPF_FILE_TYPE_CHARACTER_DEVICE;
+    } else if (S_ISBLK(finfo->mode)) {
+        finfo->type = EBPF_FILE_TYPE_BLOCK_DEVICE;
+    } else if (S_ISFIFO(finfo->mode)) {
+        finfo->type = EBPF_FILE_TYPE_NAMED_PIPE;
+    } else if (S_ISSOCK(finfo->mode)) {
+        finfo->type = EBPF_FILE_TYPE_SOCKET;
     } else {
-        bpf_printk("unknown file type (mode=%d)", finfo->mode);
-        return -1;
+        finfo->type = EBPF_FILE_TYPE_UNKNOWN;
     }
-
-    return 0;
 }
 
 #endif // EBPF_EVENTPROBE_FILE_H
diff --git a/GPL/Events/File/Probe.bpf.c b/GPL/Events/File/Probe.bpf.c
index 57f0fc5e..b6db600c 100644
--- a/GPL/Events/File/Probe.bpf.c
+++ b/GPL/Events/File/Probe.bpf.c
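Review bot: `NANOSECONDS_IN_SECOND` is a plain `int` literal, so `tv_sec * NANOSECONDS_IN_SECOND` is only 64-bit-safe because the kernel field being multiplied happens to be 64-bit wide; on any kernel or architecture where the CO-RE-read `tv_sec` is a 32-bit `long` the product overflows before it is widened to `uint64_t`, which I cannot rule out from the hunk. Defining the constant in the previous hunk as `#define NANOSECONDS_IN_SECOND 1000000000ULL` makes the 64-bit arithmetic explicit regardless of the field type. The same two-line expression is repeated for atime, mtime and ctime; a helper such as `#define INODE_TIME_NS(ino, f) (BPF_CORE_READ(ino, f.tv_sec) * NANOSECONDS_IN_SECOND + BPF_CORE_READ(ino, f.tv_nsec))` keeps the three identical. Pre-epoch timestamps (negative `tv_sec`) wrap when stored in the unsigned field; if that is accepted, a one-line comment on the first assignment would save the next reader the question.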
@@ -128,11 +128,7 @@ static int vfs_unlink__exit(int ret)
     p.mnt = state->unlink.mnt;
     event->mntns = mntns(task);
     bpf_get_current_comm(event->comm, TASK_COMM_LEN);
-
-    if (ebpf_file_info__fill(&event->finfo, p.dentry)) {
-        bpf_printk("vfs_unlink__exit: failed to fill file info\n");
-        goto out;
-    }
+    ebpf_file_info__fill(&event->finfo, p.dentry);
 
     // Variable length fields
     ebpf_vl_fields__init(&event->vl_fields);
@@ -239,11 +235,7 @@ static int do_filp_open__exit(struct file *f)
     ebpf_pid_info__fill(&event->pids, task);
     event->mntns = mntns(task);
     bpf_get_current_comm(event->comm, TASK_COMM_LEN);
-
-    if (ebpf_file_info__fill(&event->finfo, p.dentry)) {
-        bpf_printk("do_filp_open__exit: failed to fill file info\n");
-        goto out;
-    }
+    ebpf_file_info__fill(&event->finfo, p.dentry);
 
     // Variable length fields
     ebpf_vl_fields__init(&event->vl_fields);
@@ -421,11 +413,7 @@ static int vfs_rename__exit(int ret)
     ebpf_pid_info__fill(&event->pids, task);
     event->mntns = mntns(task);
     bpf_get_current_comm(event->comm, TASK_COMM_LEN);
-
-    if (ebpf_file_info__fill(&event->finfo, state->rename.de)) {
-        bpf_printk("vfs_rename__exit: failed to fill file info\n");
-        goto out;
-    }
+    ebpf_file_info__fill(&event->finfo, state->rename.de);
 
     // Variable length fields
     ebpf_vl_fields__init(&event->vl_fields);
diff --git a/non-GPL/Events/EventsTrace/EventsTrace.c b/non-GPL/Events/EventsTrace/EventsTrace.c
index aad1e910..5a5fd715 100644
--- a/non-GPL/Events/EventsTrace/EventsTrace.c
+++ b/non-GPL/Events/EventsTrace/EventsTrace.c
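Review bot: Removing the `goto out` in vfs_unlink__exit (and identically in do_filp_open__exit and vfs_rename__exit in the next two hunks) may leave the `out:` label with no remaining jump if this was its only user, which clang reports under -Wunused-label; the label itself is outside the hunk, so this is hedged and worth a quick check. The observable change deserves a sentence somewhere visible to consumers: with the old `return -1` on an unrecognised mode, unlink, open and rename events for character/block devices, FIFOs and sockets were discarded here, and they are now emitted, which changes event volume and the set of file types a downstream detection sees. The enclosing functions start and end outside these hunks.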
@@ -322,6 +322,21 @@ static void out_file_info(const char *name, struct ebpf_file_info *finfo)
     case EBPF_FILE_TYPE_SYMLINK:
         out_string("type", "SYMLINK");
         break;
+    case EBPF_FILE_TYPE_CHARACTER_DEVICE:
+        out_string("type", "CHARACTER_DEVICE");
+        break;
+    case EBPF_FILE_TYPE_BLOCK_DEVICE:
+        out_string("type", "BLOCK_DEVICE");
+        break;
+    case EBPF_FILE_TYPE_NAMED_PIPE:
+        out_string("type", "NAMED_PIPE");
+        break;
+    case EBPF_FILE_TYPE_SOCKET:
+        out_string("type", "SOCKET");
+        break;
+    case EBPF_FILE_TYPE_UNKNOWN:
+        out_string("type", "UNKNOWN");
+        break;
     }
 
     out_comma();
@@ -340,6 +355,9 @@ static void out_file_info(const char *name, struct ebpf_file_info *finfo)
     out_int("gid", finfo->gid);
     out_comma();
 
+    out_uint("atime", finfo->atime);
+    out_comma();
+
     out_uint("mtime", finfo->mtime);
     out_comma();
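Review bot: The `switch` on `finfo->type` now lists every enumerator but still has no `default:`, so a value outside the enum — exactly what a probe built against a different revision of the header would deliver, as this diff adds values — emits no `"type"` member at all while the `out_comma()` after the switch is still written, which likely leaves the record malformed for whatever parses it. Folding the unknown case into a default keeps the output well-formed for any input: `case EBPF_FILE_TYPE_UNKNOWN:` / `default:` / `out_string("type", "UNKNOWN");`. out_file_info starts and ends outside the hunk.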