apply suggestions
mmat11 committed Oct 25, 2023
1 parent 51c8c8a commit 70d5396
Showing 4 changed files with 52 additions and 44 deletions.
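--- a/GPL/Events/EbpfEventProto.h
+++ b/GPL/Events/EbpfEventProto.h
@@ -119,9 +119,14 @@ struct ebpf_tty_dev {
 } __attribute__((packed));
 
 enum ebpf_file_type {
-EBPF_FILE_TYPE_FILE = 1,
-EBPF_FILE_TYPE_DIR = 2,
-EBPF_FILE_TYPE_SYMLINK = 3,
+EBPF_FILE_TYPE_UNKNOWN = 0,
+EBPF_FILE_TYPE_FILE = 1,
+EBPF_FILE_TYPE_DIR = 2,
+EBPF_FILE_TYPE_SYMLINK = 3,
+EBPF_FILE_TYPE_CHARACTER_DEVICE = 4,
+EBPF_FILE_TYPE_BLOCK_DEVICE = 5,
+EBPF_FILE_TYPE_NAMED_PIPE = 6,
+EBPF_FILE_TYPE_SOCKET = 7,
 };
 
 struct ebpf_file_info {
@@ -131,6 +136,7 @@ struct ebpf_file_info {
 uint64_t size;
 uint32_t uid;
 uint32_t gid;
+uint64_t atime;
 uint64_t mtime;
 uint64_t ctime;
 } __attribute__((packed));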
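Review bot: The new `atime` member is inserted in the middle of the packed `ebpf_file_info` rather than appended, which shifts the offsets of `mtime` and `ctime` and therefore changes the byte layout of every event carrying this struct; a userspace consumer built against the previous header would silently misread those fields, so the BPF object and the reader must be rebuilt and shipped together (appending new members keeps old offsets stable if that compatibility matters here). None of the three timestamp members states its unit or epoch, and the fill routine in this same commit stores `tv_sec * NANOSECONDS_IN_SECOND + tv_nsec`, so a comment such as `uint64_t atime; // nanoseconds since the Unix epoch` on each would spare the next reader a trip to File.h. Making `EBPF_FILE_TYPE_UNKNOWN` the zero value is a good choice, since a zero-initialised struct then reports unknown rather than a regular file.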
38 changes: 17 additions & 21 deletions GPL/Events/File/File.h
Expand Up @@ -35,22 +35,9 @@
#define S_ISFIFO(m) (((m)&S_IFMT) == S_IFIFO)
#define S_ISSOCK(m) (((m)&S_IFMT) == S_IFSOCK)

#define S_IRWXU 00700
#define S_IRUSR 00400
#define S_IWUSR 00200
#define S_IXUSR 00100
#define NANOSECONDS_IN_SECOND 1000000000

#define S_IRWXG 00070
#define S_IRGRP 00040
#define S_IWGRP 00020
#define S_IXGRP 00010

#define S_IRWXO 00007
#define S_IROTH 00004
#define S_IWOTH 00002
#define S_IXOTH 00001

static int ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
static void ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
{
struct inode *ino = BPF_CORE_READ(de, d_inode);

Expand All @@ -59,21 +46,30 @@ static int ebpf_file_info__fill(struct ebpf_file_info *finfo, struct dentry *de)
finfo->size = BPF_CORE_READ(ino, i_size);
finfo->uid = BPF_CORE_READ(ino, i_uid.val);
finfo->gid = BPF_CORE_READ(ino, i_gid.val);
finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_nsec);
finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_nsec);
finfo->atime = BPF_CORE_READ(ino, i_atime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_atime.tv_nsec);
finfo->mtime = BPF_CORE_READ(ino, i_mtime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_mtime.tv_nsec);
finfo->ctime = BPF_CORE_READ(ino, i_ctime.tv_sec) * NANOSECONDS_IN_SECOND +
BPF_CORE_READ(ino, i_ctime.tv_nsec);

if (S_ISREG(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_FILE;
} else if (S_ISDIR(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_DIR;
} else if (S_ISLNK(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_SYMLINK;
} else if (S_ISCHR(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_CHARACTER_DEVICE;
} else if (S_ISBLK(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_BLOCK_DEVICE;
} else if (S_ISFIFO(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_NAMED_PIPE;
} else if (S_ISSOCK(finfo->mode)) {
finfo->type = EBPF_FILE_TYPE_SOCKET;
} else {
bpf_printk("unknown file type (mode=%d)", finfo->mode);
return -1;
finfo->type = EBPF_FILE_TYPE_UNKNOWN;
}

return 0;
}

#endif // EBPF_EVENTPROBE_FILE_H
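Review bot: The three new `BPF_CORE_READ(ino, i_atime.tv_sec)`-style reads hard-code inode field names that, as far as I recall, were renamed in recent kernels (`i_ctime` became `__i_ctime` in 6.6 and `i_atime`/`i_mtime` followed in 6.7), so CO-RE relocation of this function would fail at program load on those kernels; guarding the reads with `bpf_core_field_exists()` and a fallback branch, or at minimum a comment naming the kernel range this was verified against, would turn a puzzling load error into an explicit limitation. `NANOSECONDS_IN_SECOND` is an untyped `int` literal and the product is only 64-bit because `tv_sec` happens to be; writing it as `#define NANOSECONDS_IN_SECOND 1000000000LL` makes that width explicit and survives a future caller multiplying a 32-bit value. The body of `ebpf_file_info__fill` is split across the two hunks, with the lines between them (including the `mode` read that the `S_IS*` chain relies on) not shown here.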
28 changes: 8 additions & 20 deletions GPL/Events/File/Probe.bpf.c
Expand Up @@ -128,11 +128,7 @@ static int vfs_unlink__exit(int ret)
p.mnt = state->unlink.mnt;
event->mntns = mntns(task);
bpf_get_current_comm(event->comm, TASK_COMM_LEN);

if (ebpf_file_info__fill(&event->finfo, p.dentry)) {
bpf_printk("vfs_unlink__exit: failed to fill file info\n");
goto out;
}
ebpf_file_info__fill(&event->finfo, p.dentry);

// Variable length fields
ebpf_vl_fields__init(&event->vl_fields);
Expand Down Expand Up @@ -239,11 +235,7 @@ static int do_filp_open__exit(struct file *f)
ebpf_pid_info__fill(&event->pids, task);
event->mntns = mntns(task);
bpf_get_current_comm(event->comm, TASK_COMM_LEN);

if (ebpf_file_info__fill(&event->finfo, p.dentry)) {
bpf_printk("do_filp_open__exit: failed to fill file info\n");
goto out;
}
ebpf_file_info__fill(&event->finfo, p.dentry);

// Variable length fields
ebpf_vl_fields__init(&event->vl_fields);
Expand Down Expand Up @@ -415,17 +407,15 @@ static int vfs_rename__exit(int ret)
goto out;

struct task_struct *task = (struct task_struct *)bpf_get_current_task();
// NOTE: this temp variable is necessary to keep the verifier happy
struct dentry *de = (struct dentry *)state->rename.de;

event->hdr.type = EBPF_EVENT_FILE_RENAME;
event->hdr.ts = bpf_ktime_get_ns();
ebpf_pid_info__fill(&event->pids, task);
event->mntns = mntns(task);
bpf_get_current_comm(event->comm, TASK_COMM_LEN);

if (ebpf_file_info__fill(&event->finfo, state->rename.de)) {
bpf_printk("vfs_rename__exit: failed to fill file info\n");
goto out;
}
ebpf_file_info__fill(&event->finfo, de);

// Variable length fields
ebpf_vl_fields__init(&event->vl_fields);
Expand All @@ -443,11 +433,9 @@ static int vfs_rename__exit(int ret)
ebpf_vl_field__set_size(&event->vl_fields, field, size);

// symlink_target_path
field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_SYMLINK_TARGET_PATH);
// NOTE: this temp variable is necessary to keep the verifier happy
struct dentry *tmp = (struct dentry *)state->rename.de;
char *link = BPF_CORE_READ(tmp, d_inode, i_link);
size = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
field = ebpf_vl_field__add(&event->vl_fields, EBPF_VL_FIELD_SYMLINK_TARGET_PATH);
char *link = BPF_CORE_READ(de, d_inode, i_link);
size = read_kernel_str_or_empty_str(field->data, PATH_MAX, link);
ebpf_vl_field__set_size(&event->vl_fields, field, size);

bpf_ringbuf_output(&ringbuf, event, EVENT_SIZE(event), 0);
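Review bot: With the result of `ebpf_file_info__fill` no longer checked, a dentry that cannot be read (a NULL `p.dentry` or `state->rename.de`, where `BPF_CORE_READ` yields zeros) now produces an event whose `finfo` is all zeros with type `UNKNOWN` instead of being dropped, in all three call sites in this file; if that is the intended behaviour a one-line comment at the call site saying so would help, otherwise a guard such as `if (!de) goto out;` before the fill keeps the old filtering. Whether a NULL dentry can actually reach these exit probes depends on the entry probes, which are outside the hunks, so this may be theoretical. Hoisting the `de` temporary to the top of `vfs_rename__exit` and reusing it for the symlink read is a nice cleanup. The enclosing functions begin and end outside the hunks shown.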
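--- a/non-GPL/Events/EventsTrace/EventsTrace.c
+++ b/non-GPL/Events/EventsTrace/EventsTrace.c
@@ -322,6 +322,21 @@ static void out_file_info(const char *name, struct ebpf_file_info *finfo)
 case EBPF_FILE_TYPE_SYMLINK:
 out_string("type", "SYMLINK");
 break;
+case EBPF_FILE_TYPE_CHARACTER_DEVICE:
+out_string("type", "CHARACTER_DEVICE");
+break;
+case EBPF_FILE_TYPE_BLOCK_DEVICE:
+out_string("type", "BLOCK_DEVICE");
+break;
+case EBPF_FILE_TYPE_NAMED_PIPE:
+out_string("type", "NAMED_PIPE");
+break;
+case EBPF_FILE_TYPE_SOCKET:
+out_string("type", "SOCKET");
+break;
+case EBPF_FILE_TYPE_UNKNOWN:
+out_string("type", "UNKNOWN");
+break;
 }
 out_comma();
 
@@ -340,6 +355,9 @@ static void out_file_info(const char *name, struct ebpf_file_info *finfo)
 out_int("gid", finfo->gid);
 out_comma();
 
+out_uint("atime", finfo->atime);
+out_comma();
+
 out_uint("mtime", finfo->mtime);
 out_comma();
 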
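Review bot: The `switch` on `finfo->type` still has no `default:`, so a value outside the enum (a newer BPF object, or a corrupted event) emits no `"type"` key at all while the `out_comma()` after the closing brace still runs, which, judging by the surrounding calls, would likely leave the JSON object malformed; making the last arm `case EBPF_FILE_TYPE_UNKNOWN:` / `default:` / `out_string("type", "UNKNOWN");` keeps the output well-formed for any input without hiding the enum-coverage warning for the named cases. `out_uint("atime", finfo->atime)` matches the existing `mtime`/`ctime` lines, though a reader of the trace output has no hint that these are nanoseconds since the epoch; a brief comment above the three timestamp lines would help. The rest of `out_file_info` lies outside the hunk, so I cannot see how `out_comma` tracks separators.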
