authorWe-unite <3205135446@qq.com>2024-07-29 11:46:02 +0800
committerWe-unite <3205135446@qq.com>2024-07-29 11:46:02 +0800
commita345258c3082903702c81c6c830ff1fd35758861 (patch)
treea8521e954630b299c85adc10182ee3470a982415 /src/deal.go
parentec260a31927ef77295eaa07ba370b58b416f47f5 (diff)
Hear file Open and close, especially O_TRUNC
In this commit I successfully catch the open/close syscalls and insert them as an independent collection in MongoDB, rather than along with the pids. I now also record the open flag "O_TRUNC" as a write.
Diffstat (limited to '')
-rw-r--r--src/deal.go101
1 files changed, 77 insertions, 24 deletions
diff --git a/src/deal.go b/src/deal.go
index a9861a5..d3b5da0 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -3,6 +3,7 @@ package main
3import ( 3import (
4 "fmt" 4 "fmt"
5 "sync" 5 "sync"
6 "syscall"
6 "time" 7 "time"
7 8
8 "go.mongodb.org/mongo-driver/bson" 9 "go.mongodb.org/mongo-driver/bson"
@@ -11,10 +12,11 @@ import (
11const ( 12const (
12 dbName string = "test" 13 dbName string = "test"
13 pidColName string = "pids" 14 pidColName string = "pids"
15 fdColName string = "fds"
14) 16)
15 17
16var mongoMutex sync.Mutex 18var mongoMutex sync.Mutex
17var pidCol mongoClient 19var pidCol, fdCol mongoClient
18 20
19var docRes []bson.M 21var docRes []bson.M
20var err error 22var err error
@@ -24,11 +26,29 @@ func deal() {
24 var cooked Event 26 var cooked Event
25 var ok bool 27 var ok bool
26 28
27 if err = initMongo(); err != nil { 29 if err = pidCol.init(dbName, pidColName); err != nil {
28 fmt.Printf("Error while initing the mongodb: %v\n", err) 30 fmt.Printf("Error while initing the mongodb: %v\n", err)
29 return 31 return
30 } 32 }
33 err = pidCol.InsertOne(bson.M{
34 "ppid": 1,
35 "pid": containerdPid,
36 "cwd": "/",
37 "children": []bson.M{},
38 })
39 if err != nil {
40 fmt.Printf("Error while initing the mongodb: %v\n", err)
41 return
42 }
43
44 if err = fdCol.init(dbName, fdColName); err != nil {
45 fmt.Printf("Error while initing the mongodb: %v\n", err)
46 return
47 }
48
49 fmt.Printf("Containerd: %d\n", containerdPid)
31 defer pidCol.Disconnect() 50 defer pidCol.Disconnect()
51 defer fdCol.Disconnect()
32 52
33 for { 53 for {
34 cooked, ok = <-cookedChan 54 cooked, ok = <-cookedChan
@@ -43,6 +63,10 @@ func deal() {
43 dealExecve(cooked) 63 dealExecve(cooked)
44 case PIDEXIT: 64 case PIDEXIT:
45 go deletePid(cooked) 65 go deletePid(cooked)
66 case FILEOPEN:
67 fileOpen(cooked)
68 case FILECLOSE:
69 fileClose(cooked)
46 } 70 }
47 } 71 }
48} 72}
@@ -71,28 +95,6 @@ func deletePid(cooked Event) {
71 mongoMutex.Unlock() 95 mongoMutex.Unlock()
72} 96}
73 97
74func initMongo() error {
75 var err error
76 if err = pidCol.Connect(dbName, pidColName); err != nil {
77 return err
78 }
79 if err = pidCol.Drop(); err != nil {
80 return err
81 }
82
83 err = pidCol.InsertOne(bson.M{
84 "ppid": 1,
85 "pid": containerdPid,
86 "cwd": "/",
87 "children": bson.M{},
88 })
89 if err != nil {
90 return err
91 }
92 fmt.Printf("Containerd: %d\n", containerdPid)
93 return nil
94}
95
96func dealNewPid(cooked Event) { 98func dealNewPid(cooked Event) {
97 // 有无父进程在观察中 99 // 有无父进程在观察中
98 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) 100 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
@@ -181,3 +183,54 @@ func dealExecve(cooked Event) {
181 } 183 }
182 mongoMutex.Unlock() 184 mongoMutex.Unlock()
183} 185}
186
187func fileOpen(cooked Event) {
188 // 查看是否记录了该进程
189 res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})
190 if err != nil {
191 fmt.Printf("Error finding pid %d: %v\n", cooked.pid, err)
192 }
193 if len(res) == 0 {
194 // 没找着,滚
195 return
196 }
197
198 // 确有该进程
199 // 权限检查过了,不必再查
200 fdCol.InsertOne(bson.M{
201 "timestamp": cooked.timestamp,
202 "fileName": cooked.pathName,
203 "pid": cooked.pid,
204 "fd": cooked.exit_code,
205 "flags": cooked.syscallParam,
206 "written": []bson.M{},
207 })
208
209 if cooked.syscallParam[1]&syscall.O_TRUNC != 0 {
210 fdCol.UpdateOne(bson.M{"pid": cooked.pid, "fd": cooked.exit_code}, bson.M{
211 "$push": bson.M{
212 "written": cooked.timestamp,
213 },
214 })
215 }
216}
217
218func fileClose(cooked Event) {
219 // 直接看文件表有无记录
220 res, err := fdCol.Finddoc(bson.M{
221 "pid": cooked.pid,
222 "fd": cooked.syscallParam[0],
223 "close_timestamp": bson.M{"$exists": false},
224 })
225 if err != nil {
226 fmt.Printf("Err closing fd %d of pid %d: %v\n", cooked.syscallParam[0], cooked.pid, err)
227 }
228 if len(res) == 0 {
229 return
230 }
231 fdCol.UpdateOne(bson.M{
232 "pid": cooked.pid,
233 "fd": cooked.syscallParam[0],
234 "close_timestamp": bson.M{"$exists": false},
235 }, bson.M{"$set": bson.M{"close_timestamp": cooked.timestamp}})
236}