Merge pull request #102 from amosproj/TraceSendMsg

merge implementation of sendmsg and small fixes for vfs_write
amosproj · Nov 24, 2024 · 7b84f2f · 7b84f2f
2 parents aad8641 + 6c8737f
commit 7b84f2f
Show file tree

Hide file tree

Showing 6 changed files with 133 additions and 32 deletions.
diff --git a/rust/backend/common/src/lib.rs b/rust/backend/common/src/lib.rs
@@ -7,25 +7,36 @@
 //
 // SPDX-License-Identifier: MIT
 
-#[derive(Debug, Copy, Clone)]
-pub enum KProbeTypes {
-    Poll,
-    VfsWrite,
-}
+pub const TIME_LIMIT_NS: u64 = 100_000_000;
 
 #[repr(C)]
 #[derive(Debug, Copy, Clone)]
 pub struct VfsWriteCall {
-    pid: u32,
-    tid: u32,
-    begin_time_stamp: u64,
-    fd: i32,
-    bytes_written: usize,
+    pub pid: u32,
+    pub tid: u32,
+    pub begin_time_stamp: u64,
+    pub fp: u64,
+    pub bytes_written: usize,
 }
 
 impl VfsWriteCall {
-    pub fn new(pid: u32, tid: u32, begin_time_stamp: u64, fd: i32, bytes_written: usize) -> Self {
-        Self { pid, tid, begin_time_stamp, fd, bytes_written}
+    pub fn new(pid: u32, tid: u32, begin_time_stamp: u64, fp: u64, bytes_written: usize) -> Self {
+        Self { pid, tid, begin_time_stamp, fp, bytes_written}
+    }
+}
+
+#[repr(C)]
+#[derive(Debug, Copy, Clone)]
+pub struct SysSendmsgCall {
+    pub pid: u32,
+    pub tid: u32,
+    pub begin_time_stamp: u64,
+    pub fd: i32,
+}
+
+impl SysSendmsgCall {
+    pub fn new(pid: u32, tid: u32, begin_time_stamp: u64, fd: i32) -> Self {
+        Self { pid, tid, begin_time_stamp, fd}
     }
 }
 
@@ -35,6 +46,4 @@ pub fn generate_id(pid: u32, tgid: u32) -> u64{
     let tgid_u64 = tgid as u64;
 
     (pid_u64 << 32) | tgid_u64
-}
-
-
+}
diff --git a/rust/backend/ebpf/README.md b/rust/backend/ebpf/README.md
@@ -0,0 +1,18 @@
+
+<!--  
+SPDX-FileCopyrightText: 2024 Tom Weisshuhn <[email protected]>  
+  
+SPDX-License-Identifier: MIT  
+-->  
+
+# eBPF programs
+
+The entries in the maps are the structs defined in `../common/src/lib.rs`.
+
+## overview by hook name
+
+|            |type        | functions to hook                                  |map                 |  
+|-----------|-----------|---------------------------------------|-------------------|  
+|vfs_write  |KProbe          |`vfs_write`, `vfs_write_ret`                |`VFS_WRITE_MAP`    |  
+|sendmsg       |Tracepoint    |`sys_enter_sendmsg`, `sys_exit_sendmsg`|`SYS_SENDMSG_MAP`  |  
+|...          |...            |...                                                      |...                        |
diff --git a/rust/backend/ebpf/src/lib.rs b/rust/backend/ebpf/src/lib.rs
@@ -8,6 +8,5 @@
 
 // This file exists to enable the library target.
 
-mod vfs_tracing;
-
-pub use vfs_tracing::{vfs_write, VFS_WRITE_MAP};
+pub mod vfs_write;
+pub mod sys_sendmsg;
diff --git a/rust/backend/ebpf/src/main.rs b/rust/backend/ebpf/src/main.rs
@@ -14,7 +14,7 @@ use aya_ebpf::{
     maps::{PerCpuArray, RingBuf},
     programs::XdpContext,
 };
-pub use backend_ebpf::{vfs_write, VFS_WRITE_MAP};
+pub use backend_ebpf::{vfs_write, sys_sendmsg};
 
 #[map(name = "COUNTER")]
 static PACKET_COUNTER: PerCpuArray<u32> = PerCpuArray::with_max_entries(1, 0);

diff --git a/rust/backend/ebpf/src/sys_sendmsg.rs b/rust/backend/ebpf/src/sys_sendmsg.rs
@@ -0,0 +1,67 @@
+// SPDX-FileCopyrightText: 2024 Tom Weisshuhn <[email protected]>
+//
+// SPDX-License-Identifier: MIT
+
+use aya_ebpf::{macros::{tracepoint, map}, maps::{HashMap, RingBuf}, programs::{TracePointContext}, EbpfContext, helpers::gen::bpf_ktime_get_ns};
+use backend_common::{generate_id, SysSendmsgCall};
+
+#[map(name = "SYS_SENDMSG_MAP")]
+pub static SYS_SENDMSG_MAP: RingBuf = RingBuf::with_byte_size(1024, 0);
+
+
+#[map]
+static SYS_SENDMSG_TIMESTAMPS: HashMap<u64, SysSendmsgIntern> = HashMap::with_max_entries(1024, 0);
+
+
+struct SysSendmsgIntern {
+    begin_time_stamp: u64,
+    fd: i32,
+}
+
+#[tracepoint]
+pub fn sys_enter_sendmsg(ctx: TracePointContext) -> u32 {
+    let id = generate_id(ctx.pid(), ctx.tgid());
+
+    let begin_time_stamp;
+    let fd: i32;
+    unsafe {
+        begin_time_stamp = bpf_ktime_get_ns();
+        fd = match ctx.read_at(16) {
+            Ok(arg) => arg,
+            Err(_) => return 1,
+        };
+    }
+
+    let data: SysSendmsgIntern = SysSendmsgIntern {begin_time_stamp, fd};
+
+    match SYS_SENDMSG_TIMESTAMPS.insert(&id, &data, 0) {
+            Ok(_) => 0,
+            Err(_) => 1,
+    }
+}
+
+
+#[tracepoint]
+pub fn sys_exit_sendmsg(ctx: TracePointContext) -> u32 {
+    let pid = ctx.pid();
+    let tgid = ctx.tgid();
+    let call_id = generate_id(pid, tgid);
+    let data = match unsafe { SYS_SENDMSG_TIMESTAMPS.get(&call_id) } {
+        None => {return 1}
+        Some(entry) => {entry}
+    };
+
+
+    let result_data = SysSendmsgCall::new(pid, tgid, data.begin_time_stamp, data.fd);
+
+    let mut entry = match SYS_SENDMSG_MAP.reserve::<SysSendmsgCall>(0) {
+        Some(entry) => entry,
+        None => return 1,
+    };
+
+    entry.write(result_data);
+    entry.submit(0);
+
+
+    0
+}
diff --git a/rust/backend/ebpf/src/vfs_tracing.rs → rust/backend/ebpf/src/vfs_write.rs b/rust/backend/ebpf/src/vfs_tracing.rs → rust/backend/ebpf/src/vfs_write.rs
@@ -2,19 +2,14 @@
 //
 // SPDX-License-Identifier: MIT
 
-
-
-const TIME_LIMIT_NS: u64 = 100_000_000;
-
 use aya_ebpf::{
     macros::{kprobe, map, kretprobe},
     maps::{HashMap, RingBuf},
     programs::{ProbeContext, RetProbeContext},
     EbpfContext,
     helpers::gen::bpf_ktime_get_ns,
 };
-use aya_log_ebpf::info;
-use backend_common::{generate_id, VfsWriteCall};
+use backend_common::{generate_id, VfsWriteCall, TIME_LIMIT_NS};
 
 
 
@@ -28,18 +23,31 @@ static VFS_WRITE_TIMESTAMPS: HashMap<u64, VfsWriteIntern> = HashMap::with_max_en
 
 struct VfsWriteIntern {
     begin_time_stamp: u64,
-    fd: i32,
+    fp: u64,
     bytes_written: usize,
 }
 
 #[kprobe]
 pub fn vfs_write(ctx: ProbeContext) -> Result<(), u32> {
     let id = generate_id(ctx.pid(), ctx.tgid());
-    let data = VfsWriteIntern {
-        begin_time_stamp: unsafe {bpf_ktime_get_ns()},
-        fd: ctx.arg(0).unwrap_or(-1),
-        bytes_written: ctx.arg(2).unwrap_or(usize::MAX) as usize,
-    };
+
+    let begin_time_stamp: u64;
+    let fp: u64;
+    let bytes_written: usize;
+    unsafe {
+        begin_time_stamp = bpf_ktime_get_ns();
+        fp = match ctx.arg(0) {
+            Some(arg) => arg,
+            None => return Err(0),
+        };
+        bytes_written = match ctx.arg(2) {
+            Some(arg) => arg,
+            None => return Err(0),
+        };
+    }
+
+
+    let data = VfsWriteIntern { begin_time_stamp, fp, bytes_written };
 
     match VFS_WRITE_TIMESTAMPS.insert(&id, &data, 0) {
         Ok(_) => Ok(()),
@@ -62,7 +70,7 @@ pub fn vfs_write_ret(ctx: RetProbeContext) -> Result<(), u32> {
     };
 
     if  probe_end - data.begin_time_stamp > TIME_LIMIT_NS {
-        let data = VfsWriteCall::new(pid, tgid, data.begin_time_stamp, data.fd, data.bytes_written);
+        let data = VfsWriteCall::new(pid, tgid, data.begin_time_stamp, data.fp, data.bytes_written);
 
         let mut entry = match VFS_WRITE_MAP.reserve::<VfsWriteCall>(0) {
             Some(entry) => entry,