From 5e58b43bed63457acc33c2ee2f5852148b96bac7 Mon Sep 17 00:00:00 2001
From: qjerome
Date: Mon, 4 Nov 2024 15:28:59 +0100
Subject: [PATCH 1/2] refactor: write_and_close -> write_close
---
 kunai-common/src/bpf_events.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kunai-common/src/bpf_events.rs b/kunai-common/src/bpf_events.rs
index 176e0ad..3905639 100644
--- a/kunai-common/src/bpf_events.rs
+++ b/kunai-common/src/bpf_events.rs
@@ -113,7 +113,7 @@ pub enum Type {
 FileRename,
 #[str("file_unlink")]
 FileUnlink,
- #[str("write_and_close")]
+ #[str("write_close")]
 WriteAndClose,
 // specific userland events

From 88328d94e11a59daa560bc9d0e3de27e73860f55 Mon Sep 17 00:00:00 2001
From: qjerome
Date: Mon, 4 Nov 2024 15:59:19 +0100
Subject: [PATCH 2/2] refactor: Type::WriteAndClose -> Type::WriteClose
---
 kunai-common/src/bpf_events.rs | 2 +-
 kunai-common/src/bpf_events/events.rs | 8 +++-----
 kunai-ebpf/src/probes/fs.rs | 4 ++--
 kunai/src/bin/main.rs | 20 +++++++++-----------
 kunai/src/config.rs | 2 +-
 5 files changed, 16 insertions(+), 20 deletions(-)
diff --git a/kunai-common/src/bpf_events.rs b/kunai-common/src/bpf_events.rs
index 3905639..51626fd 100644
--- a/kunai-common/src/bpf_events.rs
+++ b/kunai-common/src/bpf_events.rs
@@ -114,7 +114,7 @@ pub enum Type {
 #[str("file_unlink")]
 FileUnlink,
 #[str("write_close")]
- WriteAndClose,
+ WriteClose,
 // specific userland events
 // those should never be used in eBPF
diff --git a/kunai-common/src/bpf_events/events.rs b/kunai-common/src/bpf_events/events.rs
index cac6206..cf7540c 100644
--- a/kunai-common/src/bpf_events/events.rs
+++ b/kunai-common/src/bpf_events/events.rs
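Review bot: The `#[str("write_close")]` line in the first patch's hunk on `kunai-common/src/bpf_events.rs` changes the event's string name, and nothing in either patch keeps the old `write_and_close` spelling recognised. If that string is what configuration files and detection rules use to name the event (the `#[str(...)]` derive is not visible here, so this is inferred), entries that still say `write_and_close` would stop matching after an upgrade, which for a monitoring tool is a silent loss of coverage. Consider accepting the old name as an alias where names are parsed, or at least recording the break next to the variant, e.g. `// serialized name was "write_and_close" before this change; configs and rules using the old name must be updated`. The enum body continues outside the hunk.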
@@ -77,11 +77,9 @@ const fn max_bpf_event_size() -> usize {
 Type::Connect => ConnectEvent::size_of(),
 Type::DnsQuery => DnsQueryEvent::size_of(),
 Type::SendData => SendEntropyEvent::size_of(),
- Type::Read
- | Type::ReadConfig
- | Type::Write
- | Type::WriteConfig
- | Type::WriteAndClose => FileEvent::size_of(),
+ Type::Read | Type::ReadConfig | Type::Write | Type::WriteConfig | Type::WriteClose => {
+ FileEvent::size_of()
+ }
 Type::FileRename => FileRenameEvent::size_of(),
 Type::FileUnlink => UnlinkEvent::size_of(),
 Type::Error => ErrorEvent::size_of(),
diff --git a/kunai-ebpf/src/probes/fs.rs b/kunai-ebpf/src/probes/fs.rs
index 53c78ad..a6df71e 100644
--- a/kunai-ebpf/src/probes/fs.rs
+++ b/kunai-ebpf/src/probes/fs.rs
@@ -412,7 +412,7 @@ pub fn fs_enter_fput_sync(ctx: ProbeContext) -> u32 {
 unsafe fn try_enter_fput(ctx: &ProbeContext) -> ProbeResult<()> {
 // if event is disabled we return early
- if get_cfg!().map(|c| c.is_event_disabled(Type::WriteAndClose))? {
+ if get_cfg!().map(|c| c.is_event_disabled(Type::WriteClose))? {
 return Ok(());
 }
@@ -432,7 +432,7 @@ unsafe fn try_enter_fput(ctx: &ProbeContext) -> ProbeResult<()> {
 let event = alloc::alloc_zero::()?;
- event.init_from_current_task(Type::WriteAndClose)?;
+ event.init_from_current_task(Type::WriteClose)?;
 ignore_result!(inspect_err!(
 event.data.path.core_resolve_file(&file, MAX_PATH_DEPTH),
diff --git a/kunai/src/bin/main.rs b/kunai/src/bin/main.rs
index 686db47..d06ae28 100644
--- a/kunai/src/bin/main.rs
+++ b/kunai/src/bin/main.rs
@@ -1793,17 +1793,15 @@ impl<'s> EventConsumer<'s> {
 Err(e) => error!("failed to decode {} event: {:?}", etype, e),
 },
- Type::WriteConfig
- | Type::Write
- | Type::ReadConfig
- | Type::Read
- | Type::WriteAndClose => match event!(enc_event, bpf_events::FileEvent) {
- Ok(e) => {
- let mut e = self.file_event(std_info, e);
- self.scan_and_print(&mut e);
+ Type::WriteConfig | Type::Write | Type::ReadConfig | Type::Read | Type::WriteClose => {
+ match event!(enc_event, bpf_events::FileEvent) {
+ Ok(e) => {
+ let mut e = self.file_event(std_info, e);
+ self.scan_and_print(&mut e);
+ }
+ Err(e) => error!("failed to decode {} event: {:?}", etype, e),
 }
- Err(e) => error!("failed to decode {} event: {:?}", etype, e),
- },
+ }
 Type::FileUnlink => match event!(enc_event, bpf_events::UnlinkEvent) {
 Ok(e) => {
@@ -2576,7 +2574,7 @@ impl Command {
 | Type::Write
 | Type::ReadConfig
 | Type::Read
- | Type::WriteAndClose => {
+ | Type::WriteClose => {
 scan_event!(p, FileData)
 }
 Type::FileUnlink => scan_event!(p, UnlinkData),
diff --git a/kunai/src/config.rs b/kunai/src/config.rs
index 91d5ab4..6948698 100644
--- a/kunai/src/config.rs
+++ b/kunai/src/config.rs
@@ -70,7 +70,7 @@ impl Default for Config {
 // some events get disabled by default because there are too many
 let en = !matches!(
 v,
- bpf_events::Type::Read | bpf_events::Type::Write | bpf_events::Type::WriteAndClose
+ bpf_events::Type::Read | bpf_events::Type::Write | bpf_events::Type::WriteClose
 );
 if v.is_configurable() {