summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorWe-unite <3205135446@qq.com>2024-08-07 19:08:59 +0800
committerWe-unite <3205135446@qq.com>2024-08-07 19:08:59 +0800
commitea32e017e579f168d87732893335c38d539ac2f1 (patch)
tree96a893ae0ffd4c5186e1c87f2fd7c60a125e970a
parent2104c8ac26f320eacc3fa04d608843c3bf0fdc57 (diff)
downloadgodo-ea32e017e579f168d87732893335c38d539ac2f1.tar.gz
godo-ea32e017e579f168d87732893335c38d539ac2f1.zip
Print err in stderr, Find out docker rootfs.collector
When I use godo, error infomation comes along with other output, so change all err report into stderr. And I listen to `pivot_root` sys- call to find out the root file system of dockers. However, I'm afraid of causing too more delay, so don't check rootfs of ppid and record in the pid. Besides, the method to deal with pivot_root is hardcoded, which may causes crush. Shall I listen to the chdir syscall to find out exact cwd? Maybe It's useful to the pivot_root? Next step: Find out appropriate data stracture, and add more file operations to be watched. This task must be completed this week.
Diffstat
-rw-r--r--src/deal.go51
-rw-r--r--src/global.go6
-rw-r--r--src/godo.go24
-rw-r--r--src/organize.go81
4 files changed, 103 insertions, 59 deletions
diff --git a/src/deal.go b/src/deal.go
index f2b7d4b..e553174 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -2,6 +2,7 @@ package main
2 2
3import ( 3import (
4 "fmt" 4 "fmt"
5 "os"
5 "syscall" 6 "syscall"
6 7
7 "go.mongodb.org/mongo-driver/bson" 8 "go.mongodb.org/mongo-driver/bson"
@@ -26,7 +27,7 @@ func deal() {
26 var ok bool 27 var ok bool
27 28
28 if err = pidCol.init(dbName, pidColName); err != nil { 29 if err = pidCol.init(dbName, pidColName); err != nil {
29 fmt.Printf("Error while initing the mongodb: %v\n", err) 30 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
30 return 31 return
31 } 32 }
32 err = pidCol.InsertOne(bson.M{ 33 err = pidCol.InsertOne(bson.M{
@@ -37,16 +38,16 @@ func deal() {
37 "daemon": true, 38 "daemon": true,
38 }) 39 })
39 if err != nil { 40 if err != nil {
40 fmt.Printf("Error while initing the mongodb: %v\n", err) 41 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
41 return 42 return
42 } 43 }
43 44
44 if err = fdCol.init(dbName, fdColName); err != nil { 45 if err = fdCol.init(dbName, fdColName); err != nil {
45 fmt.Printf("Error while initing the mongodb: %v\n", err) 46 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
46 return 47 return
47 } 48 }
48 if err = fileCol.init(dbName, fileColName); err != nil { 49 if err = fileCol.init(dbName, fileColName); err != nil {
49 fmt.Printf("Error while initing the mongodb: %v\n", err) 50 fmt.Fprintf(os.Stderr, "Error while initing the mongodb: %v\n", err)
50 } 51 }
51 52
52 fmt.Printf("Containerd: %d\n", containerdPid) 53 fmt.Printf("Containerd: %d\n", containerdPid)
@@ -73,6 +74,8 @@ func deal() {
73 go fileWrite(cooked) 74 go fileWrite(cooked)
74 case FILECLOSE: 75 case FILECLOSE:
75 go fileClose(cooked) 76 go fileClose(cooked)
77 case PIVOTROOT:
78 go pivotRoot(cooked)
76 } 79 }
77 } 80 }
78} 81}
@@ -85,9 +88,6 @@ func deletePid(cooked Event) {
85 }, 88 },
86 }) 89 })
87 90
88 // 孩子们需要收容
89 // 不必到children里一个个找,直接看ppid即可
90 // pidCol.UpdateMany(bson.M{"ppid": cooked.pid}, bson.M{"ppid": 1})
91 // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作 91 // 在这套逻辑里,孩子是不需要收容的,因为我们根本就不看ppid来工作
92 92
93 // 可以去死了 93 // 可以去死了
@@ -98,13 +98,15 @@ func deletePid(cooked Event) {
98 "exit_signal": cooked.exit_signal, 98 "exit_signal": cooked.exit_signal,
99 }, 99 },
100 }) 100 })
101
102 // 理论上这里需要关闭所有文件描述符,但为了处理效率,留给后续流程
101} 103}
102 104
103func dealNewPid(cooked Event) { 105func dealNewPid(cooked Event) {
104 // 自身是否已经记录 106 // 自身是否已经记录
105 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid}) 107 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
106 if err != nil { 108 if err != nil {
107 fmt.Printf("Err finding: %v\n", err) 109 fmt.Fprintf(os.Stderr, "Err finding: %v\n", err)
108 return 110 return
109 } 111 }
110 112
@@ -189,7 +191,7 @@ func fileOpen(cooked Event) {
189 // 权限检查过了,不必再查 191 // 权限检查过了,不必再查
190 fdCol.InsertOne(bson.M{ 192 fdCol.InsertOne(bson.M{
191 "timestamp": cooked.timestamp, 193 "timestamp": cooked.timestamp,
192 "fileName": cooked.pathName, 194 "fileName": cooked.srcPath,
193 "pid": cooked.pid, 195 "pid": cooked.pid,
194 "fd": cooked.exit_code, 196 "fd": cooked.exit_code,
195 "flags": cooked.syscallParam, 197 "flags": cooked.syscallParam,
@@ -212,7 +214,7 @@ func fileClose(cooked Event) {
212 } 214 }
213 res["close_timestamp"] = cooked.timestamp 215 res["close_timestamp"] = cooked.timestamp
214 if err := fileCol.InsertOne(res); err != nil { 216 if err := fileCol.InsertOne(res); err != nil {
215 fmt.Printf("Err inserting files: %v\n", err) 217 fmt.Fprintf(os.Stderr, "Err inserting files: %v\n", err)
216 } 218 }
217} 219}
218 220
@@ -223,7 +225,7 @@ func fileWrite(cooked Event) {
223 "close_timestamp": bson.M{"$exists": false}, 225 "close_timestamp": bson.M{"$exists": false},
224 }) 226 })
225 if err != nil { 227 if err != nil {
226 fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err) 228 fmt.Fprintf(os.Stderr, "Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
227 } 229 }
228 if len(res) == 0 { 230 if len(res) == 0 {
229 return 231 return
@@ -234,3 +236,30 @@ func fileWrite(cooked Event) {
234 "close_timestamp": bson.M{"$exists": false}, 236 "close_timestamp": bson.M{"$exists": false},
235 }, bson.M{"$push": bson.M{"written": cooked.timestamp}}) 237 }, bson.M{"$push": bson.M{"written": cooked.timestamp}})
236} 238}
239
240func pivotRoot(cooked Event) {
241 // docker的根目录信息,记录
242 docRes, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
243 if err != nil {
244 fmt.Fprintf(os.Stderr, "Err finding: %v\n", err)
245 return
246 }
247
248 if len(docRes) == 0 {
249 // fork还没到,等一下
250 pidCol.InsertOne(bson.M{
251 "start_timestamp": cooked.timestamp,
252 "ppid": cooked.ppid,
253 "pid": cooked.pid,
254 "rootfs": "cwd",
255 })
256 } else {
257 // 读取已有的工作目录
258 cwd := docRes[0]["cwd"]
259 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
260 "$set": bson.M{
261 "rootfs": cwd,
262 },
263 })
264 }
265}
diff --git a/src/global.go b/src/global.go
index b6635c9..349ba6c 100644
--- a/src/global.go
+++ b/src/global.go
@@ -14,11 +14,12 @@ const (
14 FILEOPEN 14 FILEOPEN
15 FILECLOSE 15 FILECLOSE
16 FILEWRITE 16 FILEWRITE
17 PIVOTROOT
17 TYPENUM 18 TYPENUM
18) 19)
19 20
20func (et eventType) String() string { 21func (et eventType) String() string {
21 names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "TYPENUM"} 22 names := []string{"NEWPID", "PIDEXIT", "EXECVE", "FILEOPEN", "FILECLOSE", "FILEWRITE", "PIVOTROOT", "TYPENUM"}
22 if et < NEWPID || et > TYPENUM { 23 if et < NEWPID || et > TYPENUM {
23 return "Unknown" 24 return "Unknown"
24 } 25 }
@@ -32,12 +33,13 @@ type Event struct {
32 ppid, parentTgid int 33 ppid, parentTgid int
33 syscall int 34 syscall int
34 syscallParam [4]uint64 35 syscallParam [4]uint64
35 pathName string
36 argc int 36 argc int
37 argv []string 37 argv []string
38 cwd string 38 cwd string
39 exit_code uint64 39 exit_code uint64
40 exit_signal int 40 exit_signal int
41 srcPath string
42 destPath string
41} 43}
42 44
43var wg sync.WaitGroup // 掌管协程 45var wg sync.WaitGroup // 掌管协程
diff --git a/src/godo.go b/src/godo.go
index 923ef85..a30aa88 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -27,14 +27,14 @@ var (
27func main() { 27func main() {
28 // 检查用户身份,并添加auditd规则,监听所有syscall 28 // 检查用户身份,并添加auditd规则,监听所有syscall
29 if os.Geteuid() != 0 { 29 if os.Geteuid() != 0 {
30 fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid()) 30 fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid())
31 return 31 return
32 } 32 }
33 33
34 // 所有的系统调用号与名称的关系 34 // 所有的系统调用号与名称的关系
35 err := figureOutSyscalls() 35 err := figureOutSyscalls()
36 if err != nil { 36 if err != nil {
37 fmt.Printf("Error figuring out syscall numbers: %v\n", err) 37 fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err)
38 } 38 }
39 39
40 exec.Command("auditctl", "-D").Run() 40 exec.Command("auditctl", "-D").Run()
@@ -43,7 +43,7 @@ func main() {
43 43
44 var auditCmd *exec.Cmd 44 var auditCmd *exec.Cmd
45 45
46 pidSyscall := []string{"execve"} 46 pidSyscall := []string{"execve", "pivot_root"}
47 // // 设置监听规则 47 // // 设置监听规则
48 for i := 0; i < len(pidSyscall); i++ { 48 for i := 0; i < len(pidSyscall); i++ {
49 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) 49 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
@@ -61,14 +61,10 @@ func main() {
61 // 查找pid 61 // 查找pid
62 containerdPid, err = getPid() 62 containerdPid, err = getPid()
63 if err != nil { 63 if err != nil {
64 fmt.Printf("Error finding containerd: %v\n", err) 64 fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err)
65 return 65 return
66 } 66 }
67 67
68 // 创世之神,1号进程
69 // 1号进程还是不要在进程树上直接出现了,不然它的小儿子们都会出现
70 // /usr/bin/containerd,也就是我们最关注的进程
71
72 // 开始运行,解析命令行参数后监听 68 // 开始运行,解析命令行参数后监听
73 if err := fs.Parse(os.Args[1:]); err != nil { 69 if err := fs.Parse(os.Args[1:]); err != nil {
74 log.Fatal(err) 70 log.Fatal(err)
@@ -81,8 +77,8 @@ func main() {
81 77
82func coroutine(client *libaudit.AuditClient) { 78func coroutine(client *libaudit.AuditClient) {
83 // 各协程至此开始 79 // 各协程至此开始
84 rawChan = make(chan interface{}) 80 rawChan = make(chan interface{}, 65536)
85 cookedChan = make(chan Event) 81 cookedChan = make(chan Event, 65536)
86 82
87 wg.Add(1) 83 wg.Add(1)
88 go procWatch() 84 go procWatch()
@@ -101,14 +97,14 @@ func coroutine(client *libaudit.AuditClient) {
101func procWatch() error { 97func procWatch() error {
102 ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) 98 ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345)
103 if err != nil { 99 if err != nil {
104 fmt.Printf("Error creating socket: %v\n", err) 100 fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err)
105 return err 101 return err
106 } 102 }
107 defer ns.Close() 103 defer ns.Close()
108 for { 104 for {
109 res, err := ns.Receive(20) 105 res, err := ns.Receive(20)
110 if err != nil { 106 if err != nil {
111 fmt.Printf("Error recv: %v\n", err) 107 fmt.Fprintf(os.Stderr, "Error recv: %v\n", err)
112 continue 108 continue
113 } 109 }
114 for i := 0; i < len(res); i++ { 110 for i := 0; i < len(res); i++ {
@@ -146,7 +142,7 @@ func checkProc(pCooked *Event) {
146 fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) 142 fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid)
147 fd, err := os.Open(fileName) 143 fd, err := os.Open(fileName)
148 if err != nil { 144 if err != nil {
149 fmt.Printf("Err: %v\n", err) 145 fmt.Fprintf(os.Stderr, "Err: %v\n", err)
150 return 146 return
151 } 147 }
152 148
@@ -162,7 +158,7 @@ func checkProc(pCooked *Event) {
162 fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) 158 fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid)
163 pCooked.cwd, err = os.Readlink(fileName) 159 pCooked.cwd, err = os.Readlink(fileName)
164 if err != nil { 160 if err != nil {
165 fmt.Printf("Err readlink %s: %v\n", fileName, err) 161 fmt.Fprintf(os.Stderr, "Err: %v\n", err)
166 pCooked.cwd = "" 162 pCooked.cwd = ""
167 } 163 }
168} 164}
diff --git a/src/organize.go b/src/organize.go
index 12119ad..293371b 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -2,6 +2,7 @@ package main
2 2
3import ( 3import (
4 "fmt" 4 "fmt"
5 "os"
5 "regexp" 6 "regexp"
6 "strconv" 7 "strconv"
7 "strings" 8 "strings"
@@ -21,14 +22,15 @@ var ok bool
21var event Event 22var event Event
22var pEvent *Event 23var pEvent *Event
23var eventId, argc int 24var eventId, argc int
24var errs [6]error 25
26// var errs [6]error
25 27
26// 要用的正则匹配列表 28// 要用的正则匹配列表
27var ( 29var (
28 syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`) 30 syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`)
29 execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) 31 execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`)
30 argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) 32 argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`)
31 pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`) 33 pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`)
32 cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) 34 cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`)
33 proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) 35 proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`)
34 eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) 36 eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`)
@@ -47,22 +49,22 @@ func orgnaze() {
47 break 49 break
48 } 50 }
49 rawEvent = raw.(libaudit.RawAuditMessage) 51 rawEvent = raw.(libaudit.RawAuditMessage)
52 // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
50 53
51 switch rawEvent.Type { 54 switch rawEvent.Type {
52 case auparse.AUDIT_SYSCALL: 55 case auparse.AUDIT_SYSCALL:
53 go syscallRaw(rawEvent) 56 syscallRaw(rawEvent)
54 case auparse.AUDIT_EXECVE: 57 case auparse.AUDIT_EXECVE:
55 go execve(rawEvent) 58 execve(rawEvent)
56 case auparse.AUDIT_CWD: 59 case auparse.AUDIT_CWD:
57 go cwd(rawEvent) 60 cwd(rawEvent)
58 case auparse.AUDIT_PATH: 61 case auparse.AUDIT_PATH:
59 go path(rawEvent) 62 path(rawEvent)
60 case auparse.AUDIT_PROCTITLE: 63 case auparse.AUDIT_PROCTITLE:
61 go proctitle(rawEvent) 64 proctitle(rawEvent)
62 case auparse.AUDIT_EOE: 65 case auparse.AUDIT_EOE:
63 go eoe(rawEvent) 66 eoe(rawEvent)
64 default: 67 default:
65 // ATTENTION: 这里也需要做防护
66 } 68 }
67 } 69 }
68} 70}
@@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
74 76
75 var exit int 77 var exit int
76 var a [4]uint64 78 var a [4]uint64
79 var subj [4]string
77 // 捕获基础信息 80 // 捕获基础信息
78 match := syscallRegex.FindSubmatch(rawEvent.Data) 81 match := syscallRegex.FindSubmatch(rawEvent.Data)
79 event.timestamp, errs[0] = getTimeFromStr(string(match[1])) 82 event.timestamp, _ = getTimeFromStr(string(match[1]))
80 eventId, errs[1] = strconv.Atoi(string(match[2])) 83 eventId, _ = strconv.Atoi(string(match[2]))
81 event.syscall, errs[2] = strconv.Atoi(string(match[3])) 84 event.syscall, _ = strconv.Atoi(string(match[3]))
82 if string(match[4]) == "" { 85 if string(match[4]) == "" {
83 // exit没捕获到 86 // exit没捕获到
84 exit = 0 87 exit = 0
85 } else { 88 } else {
86 exit, errs[3] = strconv.Atoi(string(match[4])) 89 exit, _ = strconv.Atoi(string(match[4]))
90 }
91 event.ppid, _ = strconv.Atoi(string(match[5]))
92 event.pid, _ = strconv.Atoi(string(match[6]))
93
94 // 几个subj,说不定会有用
95 for i := 0; i < 4; i++ {
96 subj[i] = string(match[7+i])
87 } 97 }
88 event.ppid, errs[4] = strconv.Atoi(string(match[5]))
89 event.pid, errs[5] = strconv.Atoi(string(match[6]))
90 98
91 // 捕获参数 99 // 捕获参数
92 if !argsRegex.Match(rawEvent.Data) { 100 if !argsRegex.Match(rawEvent.Data) {
93 fmt.Printf("Error: don't get args in syscall event!\n") 101 fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n")
94 return 102 return
95 } 103 }
96 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 104 argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
97 for i := 0; i < 4; i++ { 105 for i := 0; i < 4; i++ {
98 a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) 106 a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64)
99 } 107 }
100 108
101 switch syscallTable[event.syscall] { 109 switch syscallTable[event.syscall] {
@@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
128 argv: make([]string, 0), 136 argv: make([]string, 0),
129 cwd: "", 137 cwd: "",
130 syscallParam: a, 138 syscallParam: a,
131 pathName: "", 139 srcPath: "",
132 }) 140 })
133 case "write": 141 case "write":
134 eventTable.Store(eventId, &Event{ 142 eventTable.Store(eventId, &Event{
@@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
142 argv: make([]string, 0), 150 argv: make([]string, 0),
143 cwd: "", 151 cwd: "",
144 syscallParam: a, 152 syscallParam: a,
145 // pathName: "",
146 }) 153 })
147 case "close": 154 case "close":
148 // 文件关闭 155 // 文件关闭
@@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) {
157 argv: make([]string, 0), 164 argv: make([]string, 0),
158 cwd: "", 165 cwd: "",
159 syscallParam: a, 166 syscallParam: a,
160 // pathName: "",
161 }) 167 })
168 case "pivot_root":
169 if subj[2] == "container_runtime_t" {
170 eventTable.Store(eventId, &Event{
171 tag: PIVOTROOT,
172 timestamp: event.timestamp,
173 syscall: event.syscall,
174 ppid: event.ppid,
175 pid: event.pid,
176 syscallParam: a,
177 })
178 }
162 } 179 }
163} 180}
164 181
@@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) {
168 } 185 }
169 186
170 match := execveRegex.FindSubmatch(rawEvent.Data) 187 match := execveRegex.FindSubmatch(rawEvent.Data)
171 eventId, errs[0] = strconv.Atoi(string(match[1])) 188 eventId, _ = strconv.Atoi(string(match[1]))
172 argc, errs[1] = strconv.Atoi(string(match[2])) 189 argc, _ = strconv.Atoi(string(match[2]))
173 tmp, ok = eventTable.Load(eventId) 190 tmp, ok = eventTable.Load(eventId)
174 if !ok { 191 if !ok {
175 return 192 return
176 } 193 }
177 pEvent = tmp.(*Event) 194 pEvent = tmp.(*Event)
178 if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) { 195 if argsRegex.Match(rawEvent.Data) {
179 match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) 196 match := argsRegex.FindAllSubmatch(rawEvent.Data, -1)
180 for i := 0; i < argc; i++ { 197 for i := 0; i < argc; i++ {
181 if len(match[i][2]) == 0 { 198 if len(match[i][2]) == 0 {
@@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) {
196 } 213 }
197 214
198 match := cwdRegex.FindSubmatch(rawEvent.Data) 215 match := cwdRegex.FindSubmatch(rawEvent.Data)
199 eventId, errs[0] = strconv.Atoi(string(match[1])) 216 eventId, _ = strconv.Atoi(string(match[1]))
200 tmp, ok = eventTable.Load(eventId) 217 tmp, ok = eventTable.Load(eventId)
201 if !ok { 218 if !ok {
202 return 219 return
@@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) {
211 228
212 var cmdline string 229 var cmdline string
213 match := proctitleRegex.FindSubmatch(rawEvent.Data) 230 match := proctitleRegex.FindSubmatch(rawEvent.Data)
214 eventId, errs[0] = strconv.Atoi(string(match[1])) 231 eventId, _ = strconv.Atoi(string(match[1]))
215 tmp, ok = eventTable.Load(eventId) 232 tmp, ok = eventTable.Load(eventId)
216 if !ok { 233 if !ok {
217 return 234 return
@@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) {
236 } 253 }
237 254
238 match := eoeRegex.FindSubmatch(rawEvent.Data) 255 match := eoeRegex.FindSubmatch(rawEvent.Data)
239 eventId, errs[0] = strconv.Atoi(string(match[1])) 256 eventId, _ = strconv.Atoi(string(match[1]))
240 tmp, ok = eventTable.Load(eventId) 257 tmp, ok = eventTable.Load(eventId)
241 if !ok { 258 if !ok {
242 return 259 return
243 } 260 }
244 cooked := *(tmp.(*Event)) 261 cooked := *(tmp.(*Event))
245 cookedChan <- cooked 262 cookedChan <- cooked
246 // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid)
247 eventTable.Delete(eventId) // 死人别占地 263 eventTable.Delete(eventId) // 死人别占地
248} 264}
249 265
@@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) {
252 return 268 return
253 } 269 }
254 match := pathRegex.FindSubmatch(rawEvent.Data) 270 match := pathRegex.FindSubmatch(rawEvent.Data)
255 eventId, errs[0] = strconv.Atoi(string(match[1])) 271 eventId, _ = strconv.Atoi(string(match[1]))
256 name := string(match[2]) 272 // item, _ := strconv.Atoi(string(match[2]))
273 name := string(match[3])
257 274
258 tmp, ok = eventTable.Load(eventId) 275 tmp, ok = eventTable.Load(eventId)
259 if !ok { 276 if !ok {
@@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) {
267 } 284 }
268 285
269 if name[0] == '/' { 286 if name[0] == '/' {
270 pEvent.pathName = name 287 pEvent.srcPath = name
271 } else { 288 } else {
272 pEvent.pathName += "/" + name 289 pEvent.srcPath += "/" + name
273 } 290 }
274} 291}
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-01-06 02:07:45 +0800