Added new kprobe to the filesystem ebpf section. Now receiving read events, and storing them in a map for later use, along with a reference to the user-space memory buffer

2025-12-24 18:33:08 +08:00 · 2022-01-14 21:18:51 -05:00
parent 193d9ec28f
commit 106f141c7e
21 changed files with 1131 additions and 1051 deletions
--- a/src/.output/xdp_filter.bpf.o
+++ b/src/.output/xdp_filter.bpf.o
--- a/src/.output/xdp_filter.o
+++ b/src/.output/xdp_filter.o
--- a/src/.output/xdp_filter.skel.h
+++ b/src/.output/xdp_filter.skel.h
--- a/src/Makefile
+++ b/src/Makefile
@@ -9,7 +9,7 @@ USER_INCLUDES_DIR := $(abspath ./user/include/)
 USER_INCLUDES_HDR := $(wildcard $(USER_INCLUDES_DIR)/**/*.h)
 USER_INCLUDES_SRC := $(wildcard $(USER_INCLUDES_DIR)/**/*.c)
 USER_INCLUDES_OBJ := $(USER_INCLUDES_SRC:.c=.o) 
-VMLINUX := ./vmlinux/newnewvmlinux.h
+VMLINUX := ./vmlinux/headervmlinux.h
 USER := user
 EBPF := ebpf
 COMMON_INCLUDES := -I$(abspath ./ebpf/include) -I$(abspath ./user/include)
--- a/src/bin/xdp_filter
+++ b/src/bin/xdp_filter
--- a/src/common/map_common.h
+++ b/src/common/map_common.h
@@ -0,0 +1,23 @@
+#ifndef __MAP_COMMON_H
+#define __MAP_COMMON_H
+
+#define RB_EVENT_MAX_MESSAGE_SIZE 512
+
+
+// Ring buffer for kernel->user communication
+typedef enum {
+    INFO,
+    DEBUG,
+    EXIT,
+    ERROR
+} event_type_t;
+
+struct rb_event {
+	int pid;
+    char message[RB_EVENT_MAX_MESSAGE_SIZE];
+    int code;
+    event_type_t event_type;
+};
+
+
+#endif
--- a/src/common/map_defs.h
+++ b/src/common/map_defs.h
@@ -1,37 +0,0 @@
-#ifndef __MAP_DEFS_H
-#define __MAP_DEFS_H
-
-#define RB_EVENT_MAX_MESSAGE_SIZE 512
-
-// Ring buffer for kernel->user communication
-typedef enum {
-    INFO,
-    DEBUG,
-    EXIT,
-    ERROR
-} event_type_t;
-
-struct rb_event {
-	int pid;
-    char message[RB_EVENT_MAX_MESSAGE_SIZE];
-    int code;
-    event_type_t event_type;
-};
-
-//sched_process_exec tracepoint contents
-//now included in vmlinux
-/*struct trace_entry {
-	short unsigned int type;
-	unsigned char flags;
-	unsigned char preempt_count;
-	int pid;
-};
-struct trace_event_raw_sched_process_exec {
-	struct trace_entry ent;
-	unsigned int __data_loc_filename;
-	int pid;
-	int old_pid;
-	char __data[0];
-};*/
-
-#endif
--- a/src/ebpf/include/bpf/bpf_defs.h
+++ b/src/ebpf/include/bpf/bpf_defs.h
@@ -1,9 +0,0 @@
-#ifndef __BPF_DEFS_H
-#define __BPF_DEFS_H
-
-/*#define PT_REGS_PARM1(x) ((x)->rdi)
-#define PT_REGS_PARM2(x) ((x)->rsi)
-#define PT_REGS_PARM3(x) ((x)->rdx)
-#define PT_REGS_PARM4(x) ((x)->rcx)*/
-
-#endif
--- a/src/ebpf/include/bpf/fs.h
+++ b/src/ebpf/include/bpf/fs.h
@@ -1,7 +1,7 @@
 #ifndef __FS_H
 #define __FS_H

-#include "newnewvmlinux.h"
+#include "headervmlinux.h"
 /*#include <stdio.h>
 #include <linux/types.h>
 #include <unistd.h>
@@ -14,18 +14,32 @@
 #include <bpf/bpf_core_read.h>

 #include "../../../common/constants.h"
-#include "../../../common/map_defs.h"
+#include "../../../common/map_common.h"
 #include "../data/ring_buffer.h"
-#include "bpf_defs.h"
-
-#define FS_MAX_SEGMENT_LENGTH 32
+#include "map_defs.h"
+#include "../utils/strings.h"


-SEC("kprobe/vfs_open") 
-int kprobe__64_sys_read(struct pt_regs *ctx){
-    //struct path *path = (struct path *)PT_REGS_PARM1(ctx);
-    return 0;//fa_access_path(path);
+static __always_inline int handle_sys_read(struct pt_regs *ctx, int fd, char* buf){
+    __u64 pid_tgid = bpf_get_current_pid_tgid();
+    __u32 pid = pid_tgid >> 32;
+    struct fs_open_data data = {
+        .buf = buf,
+        .fd = fd,
+        .pid = pid
+    };
+    bpf_map_update_elem(&fs_open, &pid_tgid, &data, BPF_ANY);
+    bpf_printk("PID: %u, FS:%u\n", pid, fd);
+    return 0;
 }

+SEC("kprobe/ksys_read") 
+int kprobe__64_sys_read(struct pt_regs *ctx) { 
+    struct pt_regs *rctx = ctx; 
+    if (!rctx) return 0; 
+    int fd = (int) PT_REGS_PARM1(ctx); 
+    char *buf = (char *) PT_REGS_PARM2(ctx); 
+    return handle_sys_read(ctx, fd, buf); 
+} 

 #endif
--- a/src/ebpf/include/bpf/map_defs.h
+++ b/src/ebpf/include/bpf/map_defs.h
@@ -0,0 +1,20 @@
+#ifndef __BPF_MAP_DEFS_H
+#define __BPF_MAP_DEFS_H
+
+#include "headervmlinux.h"
+
+//File system
+struct fs_open_data{
+	char* buf;
+	int fd;
+	__u32 pid;
+};
+
+struct fs_open{
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1024*sizeof(struct fs_open_data));
+	__type(key, __u64); //thread group id(MSB) + pid (LSB)
+	__type(value, struct fs_open_data);
+} fs_open SEC(".maps");
+
+#endif
--- a/src/ebpf/include/bpf/sched.h
+++ b/src/ebpf/include/bpf/sched.h
@@ -7,14 +7,14 @@
 #include <string.h>

 #include <linux/bpf.h>*/
-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 #include <bpf/bpf_helpers.h>
 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>

 #include "../../../common/constants.h"
-#include "../../../common/map_defs.h"
+#include "../../../common/map_common.h"
 #include "../data/ring_buffer.h"

 //BPF map
--- a/src/ebpf/include/data/ring_buffer.h
+++ b/src/ebpf/include/data/ring_buffer.h
@@ -3,12 +3,12 @@

 /*#include <linux/bpf.h>
 #include <bpf/bpf_helpers.h>*/
-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 #include <bpf/bpf_tracing.h>
 #include <bpf/bpf_core_read.h>

-#include "../../../common/map_defs.h"
+#include "../../../common/map_common.h"

 #define RING_BUFFER_MAX_ELEMS 256

--- a/src/ebpf/include/packet/packet_manager.h
+++ b/src/ebpf/include/packet/packet_manager.h
@@ -4,7 +4,7 @@
 #include <linux/if_ether.h>
 #include <linux/if.h>
 #include <linux/limits.h>*/
-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 /* BOUND CHECKING*/

--- a/src/ebpf/include/packet/protocol/ip_helper.h
+++ b/src/ebpf/include/packet/protocol/ip_helper.h
@@ -7,7 +7,7 @@
 #include <linux/bpf.h>*/
 #include <bpf/bpf_endian.h>
 #include <bpf/bpf_helpers.h>
-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 /**
 * IP checksum calculation.
--- a/src/ebpf/include/packet/protocol/tcp_helper.h
+++ b/src/ebpf/include/packet/protocol/tcp_helper.h
@@ -3,7 +3,7 @@

 /*#include <linux/tcp.h>
 #include <linux/ip.h>*/
-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 static __always_inline int get_tcp_src_port(struct tcphdr *tcp){
    return bpf_ntohs(tcp->source);
--- a/src/ebpf/include/utils/strings.h
+++ b/src/ebpf/include/utils/strings.h
@@ -6,14 +6,15 @@
 * Yes, we cannot use strcmp from ebpf.
 * https://github.com/iovisor/bcc/issues/691
 *
-* Misteriouslly we can from xdp_filter, but it might not work somewhere else.
-* However it is the verifier which does not let us call strncmp without 
+* Misteriouslly it works sometimes due to compiler optimizations, but it might not work somewhere else.
+* It is the verifier which does not let us call strncmp without 
 * additional checks so we will use this one anyway.
 *
 * @param str1
 * @param str1len //Just to please the ebpf verifier
 * @param str2
 * @param str2len //Just to please the ebpf verifier
+* @param size Number of bytes to check
 * @return 0 if equal, -1 if false
 */
 static __always_inline int str_n_compare(char* str1, int str1len, char* str2, int str2len, int size){
--- a/src/ebpf/include/xdp/xdp_helper.h
+++ b/src/ebpf/include/xdp/xdp_helper.h
@@ -2,7 +2,7 @@
 #define __XDP_HELPER_H__

 //#include <linux/types.h>
-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 #include <bpf/bpf_helpers.h>

--- a/src/ebpf/xdp_filter.bpf.c
+++ b/src/ebpf/xdp_filter.bpf.c
@@ -16,7 +16,7 @@
 #include <linux/udp.h>*/


-#include "newnewvmlinux.h"
+#include "headervmlinux.h"

 //BPF & libbpf dependencies
 #include <bpf/bpf_helpers.h>
--- a/src/user/xdp_filter.c
+++ b/src/user/xdp_filter.c
@@ -14,7 +14,7 @@

 #include "include/xdp_filter.h"
 #include "../common/constants.h"
-#include "../common/map_defs.h"
+#include "../common/map_common.h"
 #include "include/utils/files/path.h"
 #include "include/utils/strings/regex.h"
 #include "include/utils/structures/fdlist.h"
--- a/src/vmlinux/headervmlinux.h
+++ b/src/vmlinux/headervmlinux.h