The 1st prompt to record file changed by process

To record it, we must listen to open/write and several syscalls,
and now I've add open into the 2nd coroutine. In syscall open,
what we should do is to judge the permission flag (the 2nd param
in the syscall), to find out if it can write to the file. If so,
the exit code is its file descriptor, and when write is called, the
audit shows only file descriptor but no file name.

So the next step is to add things into 3rd coroutine, to make the
whole program running again, and find out bugs.

1 files changed, 26 insertions, 14 deletions

diff --git a/src/global.go b/src/global.go
index c3001ab..3ddbc79 100644
--- a/src/global.go
+++ b/src/global.go
@@ -5,23 +5,35 @@ import (
         "time"
 )
 
+type eventType int
+
+const (
+        NEWPID eventType = iota
+        PIDEXIT
+        FILEOPEN
+        FILEWRITE
+        TYPENUM
+)
+
 type Event struct {
-        timestamp time.Time
-        pid, ppid int
-        syscall   int
-        exit_code uint64
-        argc      int
-        argv      []string
-        cwd       string
+        tag          eventType
+        timestamp    time.Time
+        pid, ppid    int
+        syscall      int
+        exit_code    uint64
+        argc         int
+        argv         []string
+        cwd          string
+        syscallParam [4]uint64
+        pathName     string
 }
 
-type process struct {
-        timestamp time.Time
-        pid, ppid int
-        argv      []string
-        cwd       string
-        rootfs    string
-        children  []int
+func (et eventType) String() string {
+        names := []string{"newPid", "pidExit", "open", "write", "typeNum"}
+        if et < NEWPID || et > TYPENUM {
+                return "Unknown"
+        }
+        return names[et]
 }
 
 var wg sync.WaitGroup        // 掌管协程