enhance: process tracking #142

Merged
merged 2 commits into from
Nov 19, 2024
8 changes: 4 additions & 4 deletions kunai-common/src/bpf_events.rs
Expand Up @@ -2,7 +2,7 @@ use crate::buffer::Buffer;
use crate::errors::ProbeError;
use crate::macros::test_flag;
use crate::macros::{bpf_target_code, not_bpf_target_code};
use crate::uuid::{TaskUuid, Uuid};
use crate::uuid::{ProcUuid, Uuid};
use kunai_macros::{BpfError, StrEnum};

not_bpf_target_code! {
Expand Down Expand Up @@ -173,13 +173,13 @@ pub struct TaskInfo {
pub comm: [u8; COMM_SIZE],
pub uid: u32,
pub gid: u32,
// task group id
// task group id in kernel or pid in userland
// when program is single threaded tgid == pid
pub tgid: i32,
// task pid -> pid of the thread
// task pid -> pid of the thread == thread id
pub pid: i32,
// task group uuid -> used to group tasks
pub tg_uuid: TaskUuid,
pub tg_uuid: ProcUuid,
pub namespaces: Option<Namespaces>,
pub start_time: u64,
}
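Review bot: The new comment on `tgid` says `when program is single threaded tgid == pid`, but on Linux the thread-group leader (the main thread) has tgid == pid no matter how many threads the process has, so the condition as written is misleading for multi-threaded programs. Suggest `// task group id in kernel == pid in userland; equals pid below for the thread-group leader (main thread)`. The comment on `tg_uuid` still reads `used to group tasks`; now that the type is `ProcUuid` it could say that it identifies the owning process (leader start time + random part + tgid) rather than merely grouping. The `TaskInfo` definition starts above the hunk.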
40 changes: 23 additions & 17 deletions kunai-common/src/uuid.rs
Expand Up @@ -13,42 +13,48 @@ bpf_target_code! {
#[derive(Debug, Default, Clone, Copy)]
pub struct Uuid([u8; 16]);

/// Represents a UUID for a given task group / process
#[repr(C)]
#[derive(Debug, Default, Clone, Copy)]
pub struct TaskUuid {
pub start_time_ns: u64,
pub struct ProcUuid {
// start time of the task group leader
pub leader_start_time_ns: u64,
// a random part to make this unique across machines
pub random: u32,
pub pid: u32,
// task group id in kernel or PID in userland
pub tgid: u32,
}

impl TaskUuid {
pub fn new(high: u64, random: u32, low: u32) -> Self {
TaskUuid {
start_time_ns: high,
impl ProcUuid {
pub fn new(leader_start_time_ns: u64, random: u32, tgid: u32) -> Self {
ProcUuid {
leader_start_time_ns,
random,
pid: low,
tgid,
}
}

#[allow(dead_code)]
pub fn init(&mut self, high: u64, low: u32) {
self.start_time_ns = high;
self.pid = low;
pub fn init(&mut self, start_time_ns: u64, tgid: u32) {
self.leader_start_time_ns = start_time_ns;
self.tgid = tgid;
}
}

impl From<TaskUuid> for u128 {
fn from(value: TaskUuid) -> Self {
(value.start_time_ns as u128) << 64 | (value.random as u128) << 32 | value.pid as u128
impl From<ProcUuid> for u128 {
fn from(value: ProcUuid) -> Self {
(value.leader_start_time_ns as u128) << 64
| (value.random as u128) << 32
| value.tgid as u128
}
}

impl From<u128> for TaskUuid {
impl From<u128> for ProcUuid {
fn from(value: u128) -> Self {
Self {
start_time_ns: (value >> 64) as u64,
leader_start_time_ns: (value >> 64) as u64,
random: (value >> 32) as u32,
pid: value as u32,
tgid: value as u32,
}
}
}
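Review bot: `init` names its first parameter `start_time_ns` while the field it writes is `leader_start_time_ns`, and `new` already uses the field name, so the two initialisers disagree on what the value means; rename the parameter to `leader_start_time_ns` to match. `init` also leaves `random` untouched, which may be intended for a re-initialisation but should be stated: `/// Re-initialise leader start time and tgid; the random part is left unchanged.` The bit layout shared by the two `From` impls (leader start time in bits 127..64, random in 63..32, tgid in 31..0) is only implicit in the shifts; a one-line comment on `impl From<ProcUuid> for u128` naming it would make the round trip with `From<u128>` checkable at a glance. Where `random` is populated is not visible in this hunk; since uniqueness across machines rests on it, the field comment could point to the code that sets it.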
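--- a/kunai-common/src/uuid/user.rs
+++ b/kunai-common/src/uuid/user.rs
@@ -1,6 +1,6 @@
 use uuid;
 
-use super::{Uuid, TaskUuid};
+use super::{ProcUuid, Uuid};
 
 impl From<Uuid> for uuid::Uuid {
     fn from(value: Uuid) -> Self {
@@ -24,13 +24,13 @@ impl Uuid {
     }
 }
 
-impl From<TaskUuid> for uuid::Uuid {
-    fn from(value: TaskUuid) -> Self {
+impl From<ProcUuid> for uuid::Uuid {
+    fn from(value: ProcUuid) -> Self {
         unsafe { core::mem::transmute(value) }
     }
 }
 
-impl TaskUuid {
+impl ProcUuid {
     pub fn into_uuid(self) -> uuid::Uuid {
         self.into()
     }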
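--- a/kunai-ebpf/src/probes/exit.rs
+++ b/kunai-ebpf/src/probes/exit.rs
@@ -2,6 +2,8 @@ use super::*;
 use aya_ebpf::programs::TracePointContext;
 use kunai_common::syscalls::{SysEnterArgs, Syscall};
 
+// this is important not to filter out exit event as those
+// are used to clean up some structure in userland
 #[tracepoint(name = "sys_enter_exit", category = "syscalls")]
 pub fn syscalls_sys_enter_exit(ctx: TracePointContext) -> u32 {
     if is_current_loader_task() {
@@ -17,6 +19,8 @@ pub fn syscalls_sys_enter_exit(ctx: TracePointContext) -> u32 {
     }
 }
 
+// this is important not to filter out exit_group event as those
+// are used to clean up some structure in userland
 #[tracepoint(name = "sys_enter_exit_group", category = "syscalls")]
 pub fn syscalls_sys_enter_exit_group(ctx: TracePointContext) -> u32 {
     if is_current_loader_task() {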
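Review bot: The new comments above `syscalls_sys_enter_exit` and `syscalls_sys_enter_exit_group` are ungrammatical and do not say which filter or which userland structure they mean, and since the very next line of each function is `if is_current_loader_task() {`, a reader may take "not to filter out" as contradicting that early skip. Suggest `// Do not drop exit events: userland relies on them to clean up its process-tracking state.` for the first and the same wording with `exit_group` for the second, and, if the loader-task skip is an intentional exception, a short comment on that branch saying so. Both function bodies continue outside the hunks.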