From 52185ca810a9a92536a8cdeec4756418525385a8 Mon Sep 17 00:00:00 2001
From: Tom Weisshuhn
Date: Wed, 20 Nov 2024 10:51:07 +0100
Subject: [PATCH] [none working] implemented tracepoint for syscall write

Signed-off-by: Tom Weisshuhn
---
 rust/backend/common/src/lib.rs | 29 ++++++--
 rust/backend/ebpf/src/lib.rs | 6 +-
 rust/backend/ebpf/src/main.rs | 2 +-
 rust/backend/ebpf/src/sys_write.rs | 72 +++++++++++++++++++
 .../ebpf/src/{vfs_tracing.rs => vfs_write.rs} | 7 +-
 5 files changed, 102 insertions(+), 14 deletions(-)
 create mode 100644 rust/backend/ebpf/src/sys_write.rs
 rename rust/backend/ebpf/src/{vfs_tracing.rs => vfs_write.rs} (93%)

diff --git a/rust/backend/common/src/lib.rs b/rust/backend/common/src/lib.rs
index 232e0ebe..a42521f5 100644
--- a/rust/backend/common/src/lib.rs
+++ b/rust/backend/common/src/lib.rs
@@ -16,11 +16,11 @@ pub enum KProbeTypes {
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
 pub struct VfsWriteCall {
- pid: u32,
- tid: u32,
- begin_time_stamp: u64,
- fd: i32,
- bytes_written: usize,
+ pub pid: u32,
+ pub tid: u32,
+ pub begin_time_stamp: u64,
+ pub fd: i32,
+ pub bytes_written: usize,
 }
 
 impl VfsWriteCall {
@@ -29,6 +29,22 @@ impl VfsWriteCall {
 }
 }
 
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct SysWriteCall {
+ pub pid: u32,
+ pub tid: u32,
+ pub begin_time_stamp: u64,
+ pub fd: i32,
+ pub bytes_written: usize,
+}
+
+impl crate::SysWriteCall {
+ pub fn new(pid: u32, tid: u32, begin_time_stamp: u64, fd: i32, bytes_written: usize) -> Self {
+ Self { pid, tid, begin_time_stamp, fd, bytes_written}
+ }
+}
+
 #[inline(always)]
 pub fn generate_id(pid: u32, tgid: u32) -> u64{
 let pid_u64 = pid as u64;
@@ -37,4 +53,7 @@ pub fn generate_id(pid: u32, tgid: u32) -> u64{
 (pid_u64 << 32) | tgid_u64
 }
 
+pub const TIME_LIMIT_NS: u64 = 100_000_000;
+
+
diff --git a/rust/backend/ebpf/src/lib.rs b/rust/backend/ebpf/src/lib.rs
index 3b6efc19..2bc57097 100644
--- a/rust/backend/ebpf/src/lib.rs
+++ b/rust/backend/ebpf/src/lib.rs
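Review bot: `impl crate::SysWriteCall` in the new block should be written `impl SysWriteCall`, matching `impl VfsWriteCall` a few lines above; the crate-qualified path compiles but is inconsistent with the rest of the file. The new struct is field-for-field identical to `VfsWriteCall`, so the two record formats will drift apart silently unless one is expressed in terms of the other (a shared inner struct, or a type alias if the only difference is which probe produced the record). Under `#[repr(C)]` on a 64-bit target, `fd: i32` is followed by 4 padding bytes before `bytes_written: usize`; because these records are copied raw into a ring buffer and decoded by userspace, that padding is part of the ABI, and whether those bytes are initialised before the copy is worth checking. A comment above the struct such as `/// Layout is shared with userspace: keep field order and #[repr(C)] in sync with the decoder.` would make the contract explicit.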
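Review bot: `TIME_LIMIT_NS` becomes public API of the common crate without a doc comment saying what the value means or which way the comparison goes; add `/// Latency threshold in nanoseconds: a traced write whose enter-to-exit duration exceeds this is reported to userspace.` above it. The two trailing `+` blank lines at end of file will be removed by rustfmt, so drop them now.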
@@ -8,6 +8,8 @@
 // This file exists to enable the library target.
 
-mod vfs_tracing;
+mod vfs_write;
+pub mod sys_write;
 
-pub use vfs_tracing::{vfs_write, VFS_WRITE_MAP};
+pub use vfs_write::{vfs_write, VFS_WRITE_MAP};
+pub use sys_write::{SYS_WRITE_MAP};
 
diff --git a/rust/backend/ebpf/src/main.rs b/rust/backend/ebpf/src/main.rs
index cc2d9e11..b236a4c0 100644
--- a/rust/backend/ebpf/src/main.rs
+++ b/rust/backend/ebpf/src/main.rs
@@ -14,7 +14,7 @@ use aya_ebpf::{
 maps::{PerCpuArray, RingBuf},
 programs::XdpContext,
 };
-pub use backend_ebpf::{vfs_write, VFS_WRITE_MAP};
+pub use backend_ebpf::{vfs_write, VFS_WRITE_MAP, sys_write, SYS_WRITE_MAP};
 
 #[map(name = "COUNTER")]
 static PACKET_COUNTER: PerCpuArray = PerCpuArray::with_max_entries(1, 0);
diff --git a/rust/backend/ebpf/src/sys_write.rs b/rust/backend/ebpf/src/sys_write.rs
new file mode 100644
index 00000000..713d4c18
--- /dev/null
+++ b/rust/backend/ebpf/src/sys_write.rs
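Review bot: The two probes are exposed differently: `vfs_write` is re-exported as the program function from a private `mod vfs_write;`, while `sys_write` is made a `pub mod` and only its map is re-exported, so the main.rs hunk in this same file then imports the module `sys_write` next to the function `vfs_write`. Prefer one convention, e.g. `mod sys_write;` and `pub use sys_write::{sys_enter_write, sys_exit_write, SYS_WRITE_MAP};`, so main.rs names every program it embeds explicitly. The braces in `pub use sys_write::{SYS_WRITE_MAP};` are unnecessary for a single import.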
@@ -0,0 +1,72 @@
+// SPDX-FileCopyrightText: 2024 Tom Weisshuhn
+//
+// SPDX-License-Identifier: MIT
+
+use aya_ebpf::{
+ macros::{btf_tracepoint, map},
+ maps::{HashMap, RingBuf},
+ programs::{BtfTracePointContext},
+ EbpfContext,
+ helpers::gen::bpf_ktime_get_ns,
+};
+use backend_common::{generate_id, SysWriteCall, TIME_LIMIT_NS};
+
+#[map(name = "SYS_WRITE_MAP")]
+pub static SYS_WRITE_MAP: RingBuf = RingBuf::with_byte_size(1024, 0);
+
+ #[map(name = "SysWriteIntern")]
+static SYS_WRITE_TIMESTAMPS: HashMap = HashMap::with_max_entries(1024, 0);
+
+ struct SysWriteIntern {
+ begin_time_stamp: u64,
+ fd: i32,
+ bytes_written: usize,
+}
+
+ #[btf_tracepoint]
+pub fn sys_enter_write(ctx: BtfTracePointContext) -> Result<(), u32> {
+ let id = generate_id(ctx.pid(), ctx.tgid());
+ unsafe {
+ let data = SysWriteIntern {
+ begin_time_stamp: bpf_ktime_get_ns(),
+ fd: ctx.arg(0),
+ bytes_written: ctx.arg(2),
+ };
+
+ match SYS_WRITE_TIMESTAMPS.insert(&id, &data, 0) {
+ Ok(_) => Ok(()),
+ Err(_) => Err(0),
+ }
+ }
+}
+
+ #[btf_tracepoint]
+pub fn sys_exit_write(ctx: BtfTracePointContext) -> Result<(), u32> {
+ let probe_end = unsafe { bpf_ktime_get_ns() };
+
+ let pid = ctx.pid();
+ let tgid = ctx.tgid();
+ let call_id = generate_id(pid, tgid);
+ let data = match unsafe { SYS_WRITE_TIMESTAMPS.get(&call_id) } {
+ None => {return Err(0)}
+ Some(entry) => {entry}
+ };
+
+ if probe_end - data.begin_time_stamp > TIME_LIMIT_NS || data.bytes_written == 187 {
+ let data = SysWriteCall::new(pid, tgid, data.begin_time_stamp, data.fd, data.bytes_written);
+
+ let mut entry = match SYS_WRITE_MAP.reserve::(0) {
+ Some(entry) => entry,
+ None => return Err(0),
+ };
+
+ entry.write(data);
+ entry.submit(0);
+ }
+
+ Ok(())
+}
\ No newline at end of file
diff --git a/rust/backend/ebpf/src/vfs_tracing.rs b/rust/backend/ebpf/src/vfs_write.rs
similarity index 93%
rename from rust/backend/ebpf/src/vfs_tracing.rs
rename to rust/backend/ebpf/src/vfs_write.rs
index 61a1747d..4811cf4b 100644
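Review bot: `sys_exit_write` looks up `call_id` in `SYS_WRITE_TIMESTAMPS` but never removes the entry, so the map accumulates one key per thread that ever called write(), the `insert` in `sys_enter_write` starts failing once its 1024 slots are taken (one busy process is enough to blind the tracer for everyone else), and a stale `begin_time_stamp` left by a missed exit inflates the next measured duration; copy the three fields out of `data` and then `let _ = unsafe { SYS_WRITE_TIMESTAMPS.remove(&call_id) };` before the threshold check. `|| data.bytes_written == 187` reads as a debugging leftover and should go; note also that the field holds the `count` argument captured at entry via `ctx.arg(2)`, not the bytes actually written, which are only known from the return value at exit. In aya, `pid()` is the low half of `bpf_get_current_pid_tgid()` (the kernel pid, i.e. the userspace thread id) and `tgid()` the high half (the userspace process id), so `SysWriteCall::new(pid, tgid, …)` stores the thread id under `pid` and the process id under `tid` — if that is intended, say so in a comment, otherwise the two arguments are swapped. Both programs are `#[btf_tracepoint]`, yet as far as I know the per-syscall `sys_enter_write`/`sys_exit_write` events exist only as ordinary tracepoints (`syscalls:` group, `TracePointContext`), while the BTF/raw variants are the generic `sys_enter`/`sys_exit` whose first argument is the `pt_regs` pointer, in which case `ctx.arg(0)`/`ctx.arg(2)` would not yield fd and count; that would explain the "[none working]" in the subject and is worth confirming first. Neither program carries a `///` comment; each should state what it records and that `SYS_WRITE_MAP.reserve` returning `None` silently drops the event.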
--- a/rust/backend/ebpf/src/vfs_tracing.rs
+++ b/rust/backend/ebpf/src/vfs_write.rs
@@ -2,10 +2,6 @@
 //
 // SPDX-License-Identifier: MIT
 
-
- const TIME_LIMIT_NS: u64 = 100_000_000;
-
 use aya_ebpf::{
 macros::{kprobe, map, kretprobe},
 maps::{HashMap, RingBuf},
@@ -13,8 +9,7 @@ use aya_ebpf::{
 EbpfContext,
 helpers::gen::bpf_ktime_get_ns,
 };
-use aya_log_ebpf::info;
-use backend_common::{generate_id, VfsWriteCall};
+use backend_common::{generate_id, VfsWriteCall, TIME_LIMIT_NS};