1 files changed, 10 insertions, 14 deletions

diff --git a/src/godo.go b/src/godo.go
index 923ef85..a30aa88 100644
--- a/src/godo.go
+++ b/src/godo.go
@@ -27,14 +27,14 @@ var (
 func main() {
         // 检查用户身份，并添加auditd规则，监听所有syscall
         if os.Geteuid() != 0 {
-                fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid())
+                fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid())
                 return
         }
 
         // 所有的系统调用号与名称的关系
         err := figureOutSyscalls()
         if err != nil {
-                fmt.Printf("Error figuring out syscall numbers: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err)
         }
 
         exec.Command("auditctl", "-D").Run()
@@ -43,7 +43,7 @@ func main() {
 
         var auditCmd *exec.Cmd
 
-        pidSyscall := []string{"execve"}
+        pidSyscall := []string{"execve", "pivot_root"}
         // // 设置监听规则
         for i := 0; i < len(pidSyscall); i++ {
                 auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i])
@@ -61,14 +61,10 @@ func main() {
         // 查找pid
         containerdPid, err = getPid()
         if err != nil {
-                fmt.Printf("Error finding containerd: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err)
                 return
         }
 
-        // 创世之神，1号进程
-        // 1号进程还是不要在进程树上直接出现了，不然它的小儿子们都会出现
-        // /usr/bin/containerd，也就是我们最关注的进程
-
         // 开始运行，解析命令行参数后监听
         if err := fs.Parse(os.Args[1:]); err != nil {
                 log.Fatal(err)
@@ -81,8 +77,8 @@ func main() {
 
 func coroutine(client *libaudit.AuditClient) {
         // 各协程至此开始
-        rawChan = make(chan interface{})
-        cookedChan = make(chan Event)
+        rawChan = make(chan interface{}, 65536)
+        cookedChan = make(chan Event, 65536)
 
         wg.Add(1)
         go procWatch()
@@ -101,14 +97,14 @@ func coroutine(client *libaudit.AuditClient) {
 func procWatch() error {
         ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345)
         if err != nil {
-                fmt.Printf("Error creating socket: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err)
                 return err
         }
         defer ns.Close()
         for {
                 res, err := ns.Receive(20)
                 if err != nil {
-                        fmt.Printf("Error recv: %v\n", err)
+                        fmt.Fprintf(os.Stderr, "Error recv: %v\n", err)
                         continue
                 }
                 for i := 0; i < len(res); i++ {
@@ -146,7 +142,7 @@ func checkProc(pCooked *Event) {
         fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid)
         fd, err := os.Open(fileName)
         if err != nil {
-                fmt.Printf("Err: %v\n", err)
+                fmt.Fprintf(os.Stderr, "Err: %v\n", err)
                 return
         }
 
@@ -162,7 +158,7 @@ func checkProc(pCooked *Event) {
         fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid)
         pCooked.cwd, err = os.Readlink(fileName)
         if err != nil {
-                fmt.Printf("Err readlink %s: %v\n", fileName, err)
+                fmt.Fprintf(os.Stderr, "Err: %v\n", err)
                 pCooked.cwd = ""
         }
 }