The 1st prompt to record file changed by process

To record it, we must listen to open/write and several syscalls,
and now I've add open into the 2nd coroutine. In syscall open,
what we should do is to judge the permission flag (the 2nd param
in the syscall), to find out if it can write to the file. If so,
the exit code is its file descriptor, and when write is called, the
audit shows only file descriptor but no file name.

So the next step is to add things into 3rd coroutine, to make the
whole program running again, and find out bugs.

1 files changed, 11 insertions, 3 deletions

diff --git a/src/godo.go b/src/godo.go
index cc29a01..2a00dad 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -33,16 +33,24 @@ func main() {
                 fmt.Printf("Error figuring out syscall numbers: %v\n", err)
         }
 
-        syscall := [6]string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
         var auditCmd *exec.Cmd
         auditCmd = exec.Command("auditctl", "-D") // 清空所有规则
         auditCmd.Run()
+
+        pidSyscall := []string{"fork", "vfork", "clone", "execve", "exit", "exit_group"}
         // 设置监听规则
-        for i := 0; i < len(syscall); i++ {
-                auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", syscall[i])
+        for i := 0; i < len(pidSyscall); i++ {
+                auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
                 auditCmd.Run()
         }
 
+        // // 监听文件的消息
+        // fileSyscall := []string{"open", "write", "creat", "unlink", "opendir", "mkdir", "rmdir", "chmod", "fchmod", "chown", "fchown", "lchown", "flock"}
+        // for i := 0; i < len(fileSyscall); i++ {
+        //      auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
+        //      auditCmd.Run()
+        // }
+
         // 查找pid
         containerdPid, err = getPid()
         if err != nil {