summaryrefslogtreecommitdiffstats
path: root/src/deal.go
diff options
context:
space:
mode:
Diffstat (limited to 'src/deal.go')
-rw-r--r--src/deal.go226
1 files changed, 122 insertions, 104 deletions
diff --git a/src/deal.go b/src/deal.go
index db6fc26..a9861a5 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -16,32 +16,18 @@ const (
16var mongoMutex sync.Mutex 16var mongoMutex sync.Mutex
17var pidCol mongoClient 17var pidCol mongoClient
18 18
19var docRes []bson.M
20var err error
21
19func deal() { 22func deal() {
20 defer wg.Done() 23 defer wg.Done()
21 var cooked Event 24 var cooked Event
22 var ok bool 25 var ok bool
23 26
24 var err error 27 if err = initMongo(); err != nil {
25 var res []bson.M 28 fmt.Printf("Error while initing the mongodb: %v\n", err)
26
27 if err = pidCol.Connect(dbName, pidColName); err != nil {
28 fmt.Printf("Error connecting the mongodb: %v\n", err)
29 }
30 if err = pidCol.Drop(); err != nil {
31 fmt.Printf("Error drop the mongodb: %v\n", err)
32 }
33
34 err = pidCol.InsertOne(bson.M{
35 "ppid": 1,
36 "pid": containerdPid,
37 "cwd": "/",
38 "children": bson.M{},
39 })
40 if err != nil {
41 fmt.Printf("Err containerd: %v", err)
42 return 29 return
43 } 30 }
44 fmt.Printf("Containerd: %d\n", containerdPid)
45 defer pidCol.Disconnect() 31 defer pidCol.Disconnect()
46 32
47 for { 33 for {
@@ -50,91 +36,12 @@ func deal() {
50 break 36 break
51 } 37 }
52 38
53 switch syscallTable[cooked.syscall] { 39 switch cooked.tag {
54 case "clone": 40 case NEWPID:
55 // 有无父进程在观察中 41 dealNewPid(cooked)
56 res, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid}) 42 case EXECVE:
57 if err != nil || len(res) != 1 { 43 dealExecve(cooked)
58 break 44 case PIDEXIT:
59 }
60
61 // 自身是否已经记录
62 res, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
63 if err != nil {
64 fmt.Printf("Err finding: %v\n", err)
65 break
66 }
67 mongoMutex.Lock()
68 if len(res) != 0 {
69 // 进程原本就存在,换言之别的消息先到了
70 // 所有先行抵达的消息必须保留execve/children字段
71 // 此处不再更新
72 // 以防把原有信息更没了
73 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
74 "start_timestamp": cooked.timestamp,
75 "ppid": cooked.ppid,
76 "pid": cooked.pid,
77 "cwd": cooked.cwd,
78 // "execve": []bson.M{},
79 "args": cooked.argv,
80 // "children": []bson.M{},
81 })
82 } else {
83 // 这进程本是新修的
84 pidCol.InsertOne(bson.M{
85 "start_timestamp": cooked.timestamp,
86 "ppid": cooked.ppid,
87 "pid": cooked.pid,
88 "cwd": cooked.cwd,
89 "execve": []bson.M{},
90 "args": cooked.argv,
91 "children": []bson.M{},
92 })
93 }
94
95 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
96 "$push": bson.M{
97 "children": cooked.pid,
98 },
99 })
100 mongoMutex.Unlock()
101 case "execve":
102 // 父进程在不在?不在扔
103 res, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
104 if err != nil || len(res) != 1 {
105 break
106 }
107
108 // 首先检查进程是否存在,如不存在则为之创建
109 res, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
110 if err != nil {
111 break
112 }
113 mongoMutex.Lock()
114 if len(res) == 1 {
115 // 自身已在,直接记录
116 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
117 "$push": bson.M{
118 "execve": bson.M{
119 "timestamp": cooked.timestamp,
120 "args": cooked.argv,
121 },
122 },
123 })
124 } else {
125 // 先fork抵达,插入
126 pidCol.InsertOne(bson.M{
127 "children": []bson.M{},
128 "exe_args": []bson.M{
129 {
130 "timestamp": cooked.timestamp,
131 "execve": cooked.argv,
132 },
133 },
134 })
135 }
136 mongoMutex.Unlock()
137 case "exit", "exit_group":
138 go deletePid(cooked) 45 go deletePid(cooked)
139 } 46 }
140 } 47 }
@@ -163,3 +70,114 @@ func deletePid(cooked Event) {
163 }) 70 })
164 mongoMutex.Unlock() 71 mongoMutex.Unlock()
165} 72}
73
74func initMongo() error {
75 var err error
76 if err = pidCol.Connect(dbName, pidColName); err != nil {
77 return err
78 }
79 if err = pidCol.Drop(); err != nil {
80 return err
81 }
82
83 err = pidCol.InsertOne(bson.M{
84 "ppid": 1,
85 "pid": containerdPid,
86 "cwd": "/",
87 "children": bson.M{},
88 })
89 if err != nil {
90 return err
91 }
92 fmt.Printf("Containerd: %d\n", containerdPid)
93 return nil
94}
95
96func dealNewPid(cooked Event) {
97 // 有无父进程在观察中
98 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
99 if err != nil || len(docRes) != 1 {
100 return
101 }
102
103 // 自身是否已经记录
104 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
105 if err != nil {
106 fmt.Printf("Err finding: %v\n", err)
107 return
108 }
109 mongoMutex.Lock()
110 if len(docRes) != 0 {
111 // 进程原本就存在,换言之别的消息先到了
112 // 所有先行抵达的消息必须保留execve/children字段
113 // 此处不再更新
114 // 以防把原有信息更没了
115 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
116 "start_timestamp": cooked.timestamp,
117 "ppid": cooked.ppid,
118 "pid": cooked.pid,
119 "cwd": cooked.cwd,
120 // "execve": []bson.M{},
121 "args": cooked.argv,
122 // "children": []bson.M{},
123 })
124 } else {
125 // 这进程本是新修的
126 pidCol.InsertOne(bson.M{
127 "start_timestamp": cooked.timestamp,
128 "ppid": cooked.ppid,
129 "pid": cooked.pid,
130 "cwd": cooked.cwd,
131 "execve": []bson.M{},
132 "args": cooked.argv,
133 "children": []bson.M{},
134 })
135 }
136
137 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
138 "$push": bson.M{
139 "children": cooked.pid,
140 },
141 })
142 mongoMutex.Unlock()
143}
144
145func dealExecve(cooked Event) {
146 // 父进程在不在?不在扔
147 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.ppid})
148 if err != nil || len(docRes) != 1 {
149 return
150 }
151
152 // 首先检查进程是否存在,如不存在则为之创建
153 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
154 if err != nil {
155 return
156 }
157 mongoMutex.Lock()
158 if len(docRes) == 1 {
159 // 自身已在,直接记录
160 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
161 "$push": bson.M{
162 "execve": bson.M{
163 "timestamp": cooked.timestamp,
164 "execArgs": cooked.argv,
165 },
166 },
167 })
168 } else {
169 // 先fork抵达,插入
170 pidCol.InsertOne(bson.M{
171 "ppid": cooked.ppid,
172 "pid": cooked.pid,
173 "children": []bson.M{},
174 "execve": []bson.M{
175 {
176 "timestamp": cooked.timestamp,
177 "execArgs": cooked.argv,
178 },
179 },
180 })
181 }
182 mongoMutex.Unlock()
183}
generated by cgit v1.2.3-70-g09d2 (git 2.46.0) at 2025-01-08 18:22:31 +0800