[none working] implemented tracepoint for syscall write

Signed-off-by: Tom Weisshuhn <[email protected]>
amosproj · Nov 20, 2024 · 52185ca · 52185ca
1 parent a2e426b
commit 52185ca
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 14 deletions.
diff --git a/rust/backend/common/src/lib.rs b/rust/backend/common/src/lib.rs
@@ -16,11 +16,11 @@ pub enum KProbeTypes {
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
 pub struct VfsWriteCall {
-    pid: u32,
-    tid: u32,
-    begin_time_stamp: u64,
-    fd: i32,
-    bytes_written: usize,
+    pub pid: u32,
+    pub tid: u32,
+    pub begin_time_stamp: u64,
+    pub fd: i32,
+    pub bytes_written: usize,
 }
 
 impl VfsWriteCall {
@@ -29,6 +29,22 @@ impl VfsWriteCall {
     }
 }
 
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct SysWriteCall {
+    pub pid: u32,
+    pub tid: u32,
+    pub begin_time_stamp: u64,
+    pub fd: i32,
+    pub bytes_written: usize,
+}
+
+impl crate::SysWriteCall {
+    pub fn new(pid: u32, tid: u32, begin_time_stamp: u64, fd: i32, bytes_written: usize) -> Self {
+        Self { pid, tid, begin_time_stamp, fd, bytes_written}
+    }
+}
+
 #[inline(always)]
 pub fn generate_id(pid: u32, tgid: u32) -> u64{
     let pid_u64 = pid as u64;
@@ -37,4 +53,7 @@ pub fn generate_id(pid: u32, tgid: u32) -> u64{
     (pid_u64 << 32) | tgid_u64
 }
 
+pub const TIME_LIMIT_NS: u64 = 100_000_000;
+
+
 
diff --git a/rust/backend/ebpf/src/lib.rs b/rust/backend/ebpf/src/lib.rs
@@ -8,6 +8,8 @@
 
 // This file exists to enable the library target.
 
-mod vfs_tracing;
+mod vfs_write;
+pub mod sys_write;
 
-pub use vfs_tracing::{vfs_write, VFS_WRITE_MAP};
+pub use vfs_write::{vfs_write, VFS_WRITE_MAP};
+pub use sys_write::{SYS_WRITE_MAP};
diff --git a/rust/backend/ebpf/src/main.rs b/rust/backend/ebpf/src/main.rs
@@ -14,7 +14,7 @@ use aya_ebpf::{
     maps::{PerCpuArray, RingBuf},
     programs::XdpContext,
 };
-pub use backend_ebpf::{vfs_write, VFS_WRITE_MAP};
+pub use backend_ebpf::{vfs_write, VFS_WRITE_MAP, sys_write, SYS_WRITE_MAP};
 
 #[map(name = "COUNTER")]
 static PACKET_COUNTER: PerCpuArray<u32> = PerCpuArray::with_max_entries(1, 0);

diff --git a/rust/backend/ebpf/src/sys_write.rs b/rust/backend/ebpf/src/sys_write.rs
@@ -0,0 +1,72 @@
+// SPDX-FileCopyrightText: 2024 Tom Weisshuhn <[email protected]>
+//
+// SPDX-License-Identifier: MIT
+
+use aya_ebpf::{
+    macros::{btf_tracepoint, map},
+    maps::{HashMap, RingBuf},
+    programs::{BtfTracePointContext},
+    EbpfContext,
+    helpers::gen::bpf_ktime_get_ns,
+};
+use backend_common::{generate_id, SysWriteCall, TIME_LIMIT_NS};
+
+#[map(name = "SYS_WRITE_MAP")]
+pub static SYS_WRITE_MAP: RingBuf = RingBuf::with_byte_size(1024, 0);
+
+
+#[map(name = "SysWriteIntern")]
+static SYS_WRITE_TIMESTAMPS: HashMap<u64, SysWriteIntern> = HashMap::with_max_entries(1024, 0);
+
+
+struct SysWriteIntern {
+    begin_time_stamp: u64,
+    fd: i32,
+    bytes_written: usize,
+}
+
+
+#[btf_tracepoint]
+pub fn sys_enter_write(ctx: BtfTracePointContext) -> Result<(), u32> {
+    let id = generate_id(ctx.pid(), ctx.tgid());
+    unsafe {
+        let data = SysWriteIntern {
+            begin_time_stamp: bpf_ktime_get_ns(),
+            fd: ctx.arg(0),
+            bytes_written: ctx.arg(2),
+        };
+
+        match SYS_WRITE_TIMESTAMPS.insert(&id, &data, 0) {
+            Ok(_) => Ok(()),
+            Err(_) => Err(0),
+        }
+    }
+}
+
+
+#[btf_tracepoint]
+pub fn sys_exit_write(ctx: BtfTracePointContext) -> Result<(), u32> {
+    let probe_end = unsafe { bpf_ktime_get_ns() };
+
+    let pid = ctx.pid();
+    let tgid = ctx.tgid();
+    let call_id = generate_id(pid, tgid);
+    let data = match unsafe { SYS_WRITE_TIMESTAMPS.get(&call_id) } {
+        None => {return Err(0)}
+        Some(entry) => {entry}
+    };
+
+    if  probe_end - data.begin_time_stamp > TIME_LIMIT_NS || data.bytes_written == 187 {
+        let data = SysWriteCall::new(pid, tgid, data.begin_time_stamp, data.fd, data.bytes_written);
+
+        let mut entry = match SYS_WRITE_MAP.reserve::<SysWriteCall>(0) {
+            Some(entry) => entry,
+            None => return Err(0),
+        };
+
+        entry.write(data);
+        entry.submit(0);
+    }
+
+    Ok(())
+}
diff --git a/rust/backend/ebpf/src/vfs_tracing.rs → rust/backend/ebpf/src/vfs_write.rs b/rust/backend/ebpf/src/vfs_tracing.rs → rust/backend/ebpf/src/vfs_write.rs
@@ -2,19 +2,14 @@
 //
 // SPDX-License-Identifier: MIT
 
-
-
-const TIME_LIMIT_NS: u64 = 100_000_000;
-
 use aya_ebpf::{
     macros::{kprobe, map, kretprobe},
     maps::{HashMap, RingBuf},
     programs::{ProbeContext, RetProbeContext},
     EbpfContext,
     helpers::gen::bpf_ktime_get_ns,
 };
-use aya_log_ebpf::info;
-use backend_common::{generate_id, VfsWriteCall};
+use backend_common::{generate_id, VfsWriteCall, TIME_LIMIT_NS};