#pragma once
// clang-format off
#include "vmlinux.h"
#include "bound_path.h"
#include "inode.h"
#include "maps.h"
#include "process.h"
#include "types.h"
#include <bpf/bpf_helpers.h>
// clang-format on
// Everything a hook hands to the submit_*_event() helpers below to build one
// ring-buffer record: the reserved record itself, the hook's counters, and the
// path/inode data copied into the record by __submit_event().
struct submit_event_args_t {
    // Ring-buffer record; set by reserve_event(), NULL when reservation fails.
    struct event_t* event;
    // Per-hook counters bumped here (ringbuffer_full, added, error).
    struct metrics_by_hook_t* metrics;
    // Source string for event->filename; read with bpf_probe_read_str(),
    // bounded by PATH_MAX.
    const char* filename;
    // Copied into event->inode by __submit_event().
    inode_key_t inode;
    // Copied into event->parent_inode; presumably the parent directory's key —
    // confirm against the hooks that fill it.
    inode_key_t parent_inode;
};
// Reserve a record for args->event in the ring buffer `rb`.
// Returns true on success. On failure args->event is NULL, the hook's
// ringbuffer_full counter is bumped, and the caller must not touch args->event.
__always_inline static bool reserve_event(struct submit_event_args_t* args) {
    void* slot = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
    args->event = slot;
    if (slot != NULL) {
        return true;
    }
    // Ring buffer has no room; count the drop so it is visible in metrics.
    args->metrics->ringbuffer_full++;
    return false;
}
// Complete and publish the record reserved in args->event: stamp it, copy the
// inode keys and filename, fill in process information, then submit it. If the
// helper lookup or process_fill() fails the record is discarded and the hook's
// error counter is bumped, so a reserved record is never leaked.
// `use_bpf_d_path` is forwarded to process_fill(); see submit_mkdir_event()
// for a hook that must pass false.
__always_inline static void __submit_event(struct submit_event_args_t* args,
                                           bool use_bpf_d_path) {
    struct event_t* ev = args->event;

    ev->timestamp = bpf_ktime_get_boot_ns();
    inode_copy(&ev->inode, &args->inode);
    inode_copy(&ev->parent_inode, &args->parent_inode);
    // NOTE(review): the return value is ignored. The kernel helper zero-fills
    // the destination on a failed read, so an empty filename in userspace may
    // mean "read failed" rather than "no name" — verify consumers tolerate that.
    // bpf_probe_read_str() is also the legacy untyped variant; if
    // args->filename always points at kernel memory, the typed
    // bpf_probe_read_kernel_str() is the documented replacement — confirm.
    bpf_probe_read_str(ev->filename, PATH_MAX, args->filename);

    bool complete = (get_helper() != NULL);
    if (complete) {
        int64_t err = process_fill(&ev->process, use_bpf_d_path);
        if (err) {
            bpf_printk("Failed to fill process information: %d", err);
            complete = false;
        }
    }

    if (!complete) {
        // A reserved record must always be submitted or discarded.
        args->metrics->error++;
        bpf_ringbuf_discard(ev, 0);
        return;
    }

    args->metrics->added++;
    bpf_ringbuf_submit(ev, 0);
}
// Emit an event of the caller-chosen open type. Unlike the path hooks, which
// consult path_hooks_support_bpf_d_path, the open path asks process_fill() to
// use bpf_d_path() unconditionally. Silently returns if no record could be
// reserved (the drop is already counted by reserve_event()).
__always_inline static void submit_open_event(struct submit_event_args_t* args,
                                              file_activity_type_t event_type) {
    if (reserve_event(args)) {
        args->event->type = event_type;
        __submit_event(args, true);
    }
}
// Emit a FILE_ACTIVITY_UNLINK event. Whether process_fill() may use
// bpf_d_path() is decided by the path_hooks_support_bpf_d_path flag.
// Silently returns if no record could be reserved (already counted).
__always_inline static void submit_unlink_event(struct submit_event_args_t* args) {
    if (reserve_event(args)) {
        struct event_t* ev = args->event;
        ev->type = FILE_ACTIVITY_UNLINK;
        __submit_event(args, path_hooks_support_bpf_d_path);
    }
}
// Emit a FILE_ACTIVITY_CHMOD event carrying the new and previous mode bits.
// Whether process_fill() may use bpf_d_path() is decided by the
// path_hooks_support_bpf_d_path flag. Silently returns if no record could be
// reserved (already counted).
__always_inline static void submit_mode_event(struct submit_event_args_t* args,
                                              umode_t mode,
                                              umode_t old_mode) {
    if (!reserve_event(args)) {
        return;
    }
    struct event_t* ev = args->event;
    ev->type = FILE_ACTIVITY_CHMOD;
    ev->chmod.old = old_mode;
    ev->chmod.new = mode;
    __submit_event(args, path_hooks_support_bpf_d_path);
}
// Emit a FILE_ACTIVITY_CHOWN event carrying the new and previous uid/gid pairs.
// Whether process_fill() may use bpf_d_path() is decided by the
// path_hooks_support_bpf_d_path flag. Silently returns if no record could be
// reserved (already counted).
__always_inline static void submit_ownership_event(struct submit_event_args_t* args,
                                                   unsigned long long uid,
                                                   unsigned long long gid,
                                                   unsigned long long old_uid,
                                                   unsigned long long old_gid) {
    if (!reserve_event(args)) {
        return;
    }
    struct event_t* ev = args->event;
    ev->type = FILE_ACTIVITY_CHOWN;
    // Previous owner first, then the owner being applied.
    ev->chown.old.uid = old_uid;
    ev->chown.old.gid = old_gid;
    ev->chown.new.uid = uid;
    ev->chown.new.gid = gid;
    __submit_event(args, path_hooks_support_bpf_d_path);
}
// Emit a FILE_ACTIVITY_RENAME event. The previous name and inode key go into
// event->rename; the new name/inode come from args as for every other event.
// `old_filename` decays to a pointer — the PATH_MAX in the declaration is
// documentation only; the copy is bounded by the explicit PATH_MAX argument to
// bpf_probe_read_str(). Silently returns if no record could be reserved.
__always_inline static void submit_rename_event(struct submit_event_args_t* args,
                                                const char old_filename[PATH_MAX],
                                                inode_key_t* old_inode) {
    if (!reserve_event(args)) {
        return;
    }
    struct event_t* ev = args->event;
    ev->type = FILE_ACTIVITY_RENAME;
    inode_copy(&ev->rename.old_inode, old_inode);
    bpf_probe_read_str(ev->rename.old_filename, PATH_MAX, old_filename);
    __submit_event(args, path_hooks_support_bpf_d_path);
}
// Emit a DIR_ACTIVITY_CREATION event. Silently returns if no record could be
// reserved (already counted).
__always_inline static void submit_mkdir_event(struct submit_event_args_t* args) {
    if (!reserve_event(args)) {
        return;
    }
    args->event->type = DIR_ACTIVITY_CREATION;
    // This fires from d_instantiate, where bpf_d_path() is not supported, so
    // process_fill() must fall back to the path stashed by path_mkdir.
    __submit_event(args, false);
}