From 2104c8ac26f320eacc3fa04d608843c3bf0fdc57 Mon Sep 17 00:00:00 2001
From: We-unite <3205135446@qq.com>
Date: Tue, 6 Aug 2024 19:45:04 +0800
Subject: Basically fixed info lost

As previous envisioned, the lost is caused by slow consumption. So I make several changes:
- Delete all the mutexs, especially those in the mongodb. There seems to have no necessity to use thread mutex, because execve, fork and exit has no conflicton(really?)
- Insert all pid info into db, just ws what we do to file infos. So we should filter out useful info from them, but this does works to decrease lost infos.
Besides, the problem that recvfrom is always blocked may got solved. When the machine is just started, it's blocked; but after i run the C program to connect to ketlink connector and listen to it, both C program and godo can recv infos well.
Also, left questions:
- Now i use many coroutine in 2nd and 3rd coroutines in the hope that there will be less time to deal info and hear the kernel again as quick as possible. But does it work? As we know, too much thread will slower the program, because too frequent switch between threads or processes.
- Sometimes the eventTable has bugs, when eoe is recvd, the pointer in it is null. It may be out of thread confliction? But it's unreasonable, there's only one place to delete the event, that's just in eoe, after it's sent. Or the eoe info is got more than once?
- For some processes, when i look into /proc to find cwd and cmeline, it has exited. If i go back to use audit for pid info, it will be hard to distinguish between thread and process. Anyway, It doesn't matter now, but what if?
Next step: Figure out the root fs of a docker, and its name.
---
 src/deal.go | 20 +-------------------
 src/mongo.go | 16 ----------------
 src/organize.go | 1 -
 3 files changed, 1 insertion(+), 36 deletions(-)

diff --git a/src/deal.go b/src/deal.go
index 1dd309c..f2b7d4b 100644
--- a/src/deal.go
+++ b/src/deal.go
@@ -34,6 +34,7 @@ func deal() {
 "pid": containerdPid,
 "cwd": "/",
 "children": []bson.M{},
+ "daemon": true,
 })
 if err != nil {
 fmt.Printf("Error while initing the mongodb: %v\n", err)
@@ -77,9 +78,6 @@ func deal() {
 }
 
 func deletePid(cooked Event) {
- if !pidCol.GetLock() {
- return
- }
 // 先从老爹那里销户
 pidCol.UpdateOne(bson.M{"pid": cooked.ppid}, bson.M{
 "$pull": bson.M{
@@ -100,17 +98,9 @@ func deletePid(cooked Event) {
 "exit_signal": cooked.exit_signal,
 },
 })
- pidCol.Mutex.Unlock()
 }
 
 func dealNewPid(cooked Event) {
- fmt.Printf("Fork\t%6d\t%6d\t%6d\t%6d\n", cooked.ppid, cooked.parentTgid, cooked.pid, cooked.tgid)
- // 有无父进程在观察中
- docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.parentTgid})
- if err != nil || len(docRes) != 1 {
- return
- }
 
- // 自身是否已经记录
 docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})
 if err != nil {
@@ -118,9 +108,6 @@ func dealNewPid(cooked Event) {
 return
 }
 
- if !pidCol.GetLock() {
- return
- }
 if len(docRes) != 0 {
 // 进程原本就存在,换言之别的消息先到了
 // 所有先行抵达的消息必须保留execve/children字段
@@ -157,7 +144,6 @@ func dealNewPid(cooked Event) {
 "children": cooked.pid,
 },
 })
- pidCol.Mutex.Unlock()
 }
 
 func dealExecve(cooked Event) {
@@ -173,9 +159,6 @@ func dealExecve(cooked Event) {
 return
 }
 
- if !pidCol.GetLock() {
- return
- }
 if len(docRes) == 1 {
 // 自身已在,直接记录
 pidCol.UpdateOne(bson.M{"pid": cooked.pid}, bson.M{
@@ -200,7 +183,6 @@ func dealExecve(cooked Event) {
 },
 })
 }
- pidCol.Mutex.Unlock()
 }
 
 func fileOpen(cooked Event) {
diff --git a/src/mongo.go b/src/mongo.go
index 764f877..1d9f74f 100644
--- a/src/mongo.go
+++ b/src/mongo.go
@@ -2,8 +2,6 @@ package main
 
 import (
 "context"
- "fmt"
- "sync"
 "time"
 
 "go.mongodb.org/mongo-driver/bson"
@@ -15,8 +13,6 @@ type mongoClient struct {
 dbName, colName string
 client *mongo.Client
 col *mongo.Collection
- Mutex sync.Mutex
- // Attention: 这把锁是否有必要?
 }
 
 func (mc *mongoClient) init(dbName, colName string) error {
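Review bot: With GetLock gone, the `docRes, err = pidCol.Finddoc(bson.M{"pid": cooked.pid})` assignment in the dealNewPid hunk (and the same pattern in dealExecve) writes what appears to be package-level state — neither name is declared inside these functions — so when several goroutines handle events concurrently, as the description says they now do, one handler's result can overwrite another's between the Finddoc and the `if err != nil` / `len(docRes)` checks; the removed mutex was the only thing serializing that, and the mongo.go hunk that drops the `Mutex` field leaves nothing in its place. Declare the result locally, `res, err := pidCol.Finddoc(bson.M{"pid": cooked.pid})`, and use `res` in the checks that follow, so each handler owns its own result. The Finddoc followed by a write conditional on `len(docRes)` is also a check-then-act window now: two events for the same pid can both observe "absent" and both create a record, which would corrupt the process lineage the collection is meant to preserve and may be part of the eventTable symptom noted in the description; folding the lookup and write into a single upsert keyed on `pid` would close it. The bodies of dealNewPid and dealExecve continue outside these hunks, so whether anything downstream still relies on the shared variables cannot be confirmed from here.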
@@ -100,15 +96,3 @@ func (mc *mongoClient) Disconnect() error {
 mc.colName = ""
 return nil
 }
-
- func (mc *mongoClient) GetLock() bool {
- for i := 0; i < 200000; {
- if !mc.Mutex.TryLock() {
- i++
- } else {
- return true
- }
- }
- fmt.Printf("Die...\n")
- return false
- }
diff --git a/src/organize.go b/src/organize.go
index 5268a90..12119ad 100644
--- a/src/organize.go
+++ b/src/organize.go
@@ -47,7 +47,6 @@ func orgnaze() {
 break
 }
 rawEvent = raw.(libaudit.RawAuditMessage)
- fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data)
 switch rawEvent.Type {
 case auparse.AUDIT_SYSCALL:
-- 
cgit v1.2.3-70-g09d2