summaryrefslogtreecommitdiffstats
path: root/src/deal.go
diff options
context:
space:
mode:
authorWe-unite <3205135446@qq.com>2024-07-26 17:23:53 +0800
committerWe-unite <3205135446@qq.com>2024-07-26 17:23:53 +0800
commitec260a31927ef77295eaa07ba370b58b416f47f5 (patch)
tree317dcc68bbeb095af71e5135bf57caefff0bd123 /src/deal.go
parentb765715b4795ce4bc8940c7b1a1092a78550de94 (diff)
downloadgodo-ec260a31927ef77295eaa07ba370b58b416f47f5.tar.gz
godo-ec260a31927ef77295eaa07ba370b58b416f47f5.zip
Fix execve before fork & Fix regex to match "exit"
There's 2 bugs from ancestor commits: - In the 'things_left' tag commit(the grandpa of this commit), we add a function that allows execve comes before fork, but when it happens, I forget to insert the basic info (pid, ppid, etc.), as a result of which it doesn't work in the designed way. Now it is well, insert execve with pid and ppid, so that the fork event can find it and finish other info. However, we shouldn't make start_stamp in this case, so that it's also a flag. I've not removed the unused execve info, waiting for the future. - In the parent commit, the syscallRegex is changed, because when we add more syscalls to be watched, we need more info about their params but not only the first one. Instead of keeping using single a0 to get the first param, i use argsRegex for all the params. But this change causes mismatch of syscallRegex. Now it's fixed.
Diffstat (limited to '')
-rw-r--r--src/deal.go226
1 files changed, 122 insertions, 104 deletions
diff --git a/src/deal.go b/src/deal.go
index db6fc26..a9861a5 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -16,32 +16,18 @@ const (
16var mongoMutex sync.Mutex 16var mongoMutex sync.Mutex
17var pidCol mongoClient 17var pidCol mongoClient
18 18
19var docRes []bson.M
20var err error
21
19func deal() { 22func deal() {
20 defer wg.Done() 23 defer wg.Done()
21 var cooked Event 24 var cooked Event
22 var ok bool 25 var ok bool
23 26
24 var err error 27 if err = initMongo(); err != nil {
25 var res []bson.M 28 fmt.Printf("Error while initing the mongodb: %v\n", err)
26
27 if err = pidCol.Connect(dbName, pidColName); err != nil {
28 fmt.Printf("Error connecting the mongodb: %v\n", err)
29 }
30 if err = pidCol.Drop(); err != nil {
31 fmt.Printf("Error drop the mongodb: %v\n", err)
32 }
33
34 err = pidCol.InsertOne(bson.M{
35 "ppid": 1,
36 "pid": containerdPid,
37 "cwd": "/",
38 "children": bson.M{},
39 })
40 if err != nil {
41 fmt.Printf("Err containerd: %v", err)
42 return 29 return
43 } 30 }
44 fmt.Printf("Containerd: %d\n", containerdPid)
45 defer pidCol.Disconnect() 31 defer pidCol.Disconnect()
46 32
47 for { 33 for {
@@ -50,91 +36,12 @@ func deal() {
50 break 36 break
51 } 37 }
52 38
53 switch syscallTable[cooked.syscall] { 39 switch cooked.tag {
54 case "clone": 40 case NEWPID:
55 // 有无父进程在观察中 41 dealNewPid(cooked)
56 res, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) 42 case EXECVE:
57 if err != nil || len(res) != 1 { 43 dealExecve(cooked)
58 break 44 case PIDEXIT:
59 }
60
61 // 自身是否已经记录
62 res, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
63 if err != nil {
64 fmt.Printf("Err finding: %v\n", err)
65 break
66 }
67 mongoMutex.Lock()
68 if len(res) != 0 {
69 // 进程原本就存在,换言之别的消息先到了
70 // 所有先行抵达的消息必须保留execve/children字段
71 // 此处不再更新
72 // 以防把原有信息更没了
73 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
74 "start_timestamp": cooked.timestamp,
75 "ppid": cooked.ppid,
76 "pid": cooked.pid,
77 "cwd": cooked.cwd,
78 // "execve": []bson.M{},
79 "args": cooked.argv,
80 // "children": []bson.M{},
81 })
82 } else {
83 // 这进程本是新修的
84 pidCol.InsertOne(bson.M{
85 "start_timestamp": cooked.timestamp,
86 "ppid": cooked.ppid,
87 "pid": cooked.pid,
88 "cwd": cooked.cwd,
89 "execve": []bson.M{},
90 "args": cooked.argv,
91 "children": []bson.M{},
92 })
93 }
94
95 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
96 "$push": bson.M{
97 "children": cooked.pid,
98 },
99 })
100 mongoMutex.Unlock()
101 case "execve":
102 // 父进程在不在?不在扔
103 res, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
104 if err != nil || len(res) != 1 {
105 break
106 }
107
108 // 首先检查进程是否存在,如不存在则为之创建
109 res, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
110 if err != nil {
111 break
112 }
113 mongoMutex.Lock()
114 if len(res) == 1 {
115 // 自身已在,直接记录
116 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
117 "$push": bson.M{
118 "execve": bson.M{
119 "timestamp": cooked.timestamp,
120 "args": cooked.argv,
121 },
122 },
123 })
124 } else {
125 // 先fork抵达,插入
126 pidCol.InsertOne(bson.M{
127 "children": []bson.M{},
128 "exe_args": []bson.M{
129 {
130 "timestamp": cooked.timestamp,
131 "execve": cooked.argv,
132 },
133 },
134 })
135 }
136 mongoMutex.Unlock()
137 case "exit", "exit_group":
138 go deletePid(cooked) 45 go deletePid(cooked)
139 } 46 }
140 } 47 }
@@ -163,3 +70,114 @@ func deletePid(cooked Event) {
163 }) 70 })
164 mongoMutex.Unlock() 71 mongoMutex.Unlock()
165} 72}
73
74func initMongo() error {
75 var err error
76 if err = pidCol.Connect(dbName, pidColName); err != nil {
77 return err
78 }
79 if err = pidCol.Drop(); err != nil {
80 return err
81 }
82
83 err = pidCol.InsertOne(bson.M{
84 "ppid": 1,
85 "pid": containerdPid,
86 "cwd": "/",
87 "children": bson.M{},
88 })
89 if err != nil {
90 return err
91 }
92 fmt.Printf("Containerd: %d\n", containerdPid)
93 return nil
94}
95
96func dealNewPid(cooked Event) {
97 // 有无父进程在观察中
98 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
99 if err != nil || len(docRes) != 1 {
100 return
101 }
102
103 // 自身是否已经记录
104 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
105 if err != nil {
106 fmt.Printf("Err finding: %v\n", err)
107 return
108 }
109 mongoMutex.Lock()
110 if len(docRes) != 0 {
111 // 进程原本就存在,换言之别的消息先到了
112 // 所有先行抵达的消息必须保留execve/children字段
113 // 此处不再更新
114 // 以防把原有信息更没了
115 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
116 "start_timestamp": cooked.timestamp,
117 "ppid": cooked.ppid,
118 "pid": cooked.pid,
119 "cwd": cooked.cwd,
120 // "execve": []bson.M{},
121 "args": cooked.argv,
122 // "children": []bson.M{},
123 })
124 } else {
125 // 这进程本是新修的
126 pidCol.InsertOne(bson.M{
127 "start_timestamp": cooked.timestamp,
128 "ppid": cooked.ppid,
129 "pid": cooked.pid,
130 "cwd": cooked.cwd,
131 "execve": []bson.M{},
132 "args": cooked.argv,
133 "children": []bson.M{},
134 })
135 }
136
137 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
138 "$push": bson.M{
139 "children": cooked.pid,
140 },
141 })
142 mongoMutex.Unlock()
143}
144
145func dealExecve(cooked Event) {
146 // 父进程在不在?不在扔
147 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
148 if err != nil || len(docRes) != 1 {
149 return
150 }
151
152 // 首先检查进程是否存在,如不存在则为之创建
153 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
154 if err != nil {
155 return
156 }
157 mongoMutex.Lock()
158 if len(docRes) == 1 {
159 // 自身已在,直接记录
160 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
161 "$push": bson.M{
162 "execve": bson.M{
163 "timestamp": cooked.timestamp,
164 "execArgs": cooked.argv,
165 },
166 },
167 })
168 } else {
169 // 先fork抵达,插入
170 pidCol.InsertOne(bson.M{
171 "ppid": cooked.ppid,
172 "pid": cooked.pid,
173 "children": []bson.M{},
174 "execve": []bson.M{
175 {
176 "timestamp": cooked.timestamp,
177 "execArgs": cooked.argv,
178 },
179 },
180 })
181 }
182 mongoMutex.Unlock()
183}