diff options
| author |   We-unite <3205135446@qq.com> | 2024-07-23 19:32:09 +0800 |
|---|---|---|
| committer | We-unite <3205135446@qq.com> | 2024-07-25 17:09:45 +0800 |
| commit | fc61a4a525846fa31ee2288df4e82f745bb39c95 (patch) | |
| tree | e97c7b942c7e843782efbcc48882e6c0854df473 /src/global.go | |
| parent | cf5618ff2e2a183c5bdf6444787dccdcbf26ce76 (diff) | |
| download | godo-fc61a4a525846fa31ee2288df4e82f745bb39c95.tar.gz godo-fc61a4a525846fa31ee2288df4e82f745bb39c95.zip | |
Try ot fix the out-of-order bug, add EXECVE to itthings_left
The Most important work during this time is to find out solution
to the out-of-order bug. Discribe it here in detail: info from
audit may be out of order, which means fork may comes after execve,
even after exit. What an absurd penomenon to see a process not yet
created to work or exit!
To deal with this problem, I've tried several ways:
- in the 2nd coroutine, when EOE msg comes, if it's a fork/clone
event, send it immediately, otherwise wait for some time(such as
100 ms). But after all it delays longer, and has other problems.
- the 2nd coroutine doesn't send directly, but record all the finished
event id in a slice, and another thread checks once every one second,
if there are sth in slice, send corresponding events in the order of
event id. But: event that happens first doesn't always has lower id
or time, for example, 1 forks 2, then 2 execve, the audit in kernel
it self may gets execve before fork(maybe fork makes other settings),
which means execve has earlier timestamp and lower event id. The out-
of-order problem is not completely resolved. If we then add delays
to non-clone event, a more serious problem happens: we must use mutex
to lock the slice recording finished event id to prevent crush between
send thread and wait thread, but the wait thread can't get the mutex
again, because there are to much clone event and frequent send!
- So I use no delay but mongodb, when an execve comes, if pid is not
recorded, just insert it and wait for the fork. It does works, but
some other works is still left to do:
- what should i do if 2 forks 3 comes before 1 forks 2? Now I
suggest it doesn't happen, but what if?
- when execve comes before fork, i recorded it, but if this process
has a parent i don't care, delete, or stays there?
Also, as mentioned above, I've add EXECVE field in process into db,
records all the execve(time, and args) from the same process. Besides,
exit_timestamp and exit_code can be caught now, but too many process
has no exit info. This is also to be fixed.
Now, let's listen to the file changed by process. Don't forget the
to-do works listed above!
Diffstat (limited to 'src/global.go')
| -rw-r--r-- | src/global.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/global.go b/src/global.go index 0439df6..c3001ab 100644 --- a/src/global.go +++ b/src/global.go | |||
| @@ -9,6 +9,7 @@ type Event struct { | |||
| 9 | timestamp time.Time | 9 | timestamp time.Time |
| 10 | pid, ppid int | 10 | pid, ppid int |
| 11 | syscall int | 11 | syscall int |
| 12 | exit_code uint64 | ||
| 12 | argc int | 13 | argc int |
| 13 | argv []string | 14 | argv []string |
| 14 | cwd string | 15 | cwd string |
| @@ -23,7 +24,6 @@ type process struct { | |||
| 23 | children []int | 24 | children []int |
| 24 | } | 25 | } |
| 25 | 26 | ||
| 26 | var pids sync.Map // 古希腊掌管进程的神,int->*process | ||
| 27 | var wg sync.WaitGroup // 掌管协程 | 27 | var wg sync.WaitGroup // 掌管协程 |
| 28 | var rawChan chan interface{} // 从接收到整理的管道 | 28 | var rawChan chan interface{} // 从接收到整理的管道 |
| 29 | var cookedChan chan Event // 整理好的信息的管道 | 29 | var cookedChan chan Event // 整理好的信息的管道 |