From ea32e017e579f168d87732893335c38d539ac2f1 Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Wed, 7 Aug 2024 19:08:59 +0800 Subject: Print err in stderr, Find out docker rootfs. When I use godo, error infomation comes along with other output, so change all err report into stderr. And I listen to `pivot_root` sys- call to find out the root file system of dockers. However, I'm afraid of causing too more delay, so don't check rootfs of ppid and record in the pid. Besides, the method to deal with pivot_root is hardcoded, which may causes crush. Shall I listen to the chdir syscall to find out exact cwd? Maybe It's useful to the pivot_root? Next step: Find out appropriate data stracture, and add more file operations to be watched. This task must be completed this week. --- src/godo.go | 24 ++++++++++-------------- 1 file changed, 10 insertions(+), 14 deletions(-) (limited to 'src/godo.go') diff --git a/src/godo.go b/src/godo.go index 923ef85..a30aa88 100644 --- a/src/godo.go +++ b/src/godo.go @@ -27,14 +27,14 @@ var ( func main() { // 检查用户身份,并添加auditd规则,监听所有syscall if os.Geteuid() != 0 { - fmt.Printf("Err: Please run me as root, %d!\n", os.Getegid()) + fmt.Fprintf(os.Stderr, "Err: Please run me as root, %d!\n", os.Getegid()) return } // 所有的系统调用号与名称的关系 err := figureOutSyscalls() if err != nil { - fmt.Printf("Error figuring out syscall numbers: %v\n", err) + fmt.Fprintf(os.Stderr, "Error figuring out syscall numbers: %v\n", err) } exec.Command("auditctl", "-D").Run() @@ -43,7 +43,7 @@ func main() { var auditCmd *exec.Cmd - pidSyscall := []string{"execve"} + pidSyscall := []string{"execve", "pivot_root"} // // 设置监听规则 for i := 0; i < len(pidSyscall); i++ { auditCmd = exec.Command("auditctl", "-a", "exit,always", "-F", "arch=b64", "-S", pidSyscall[i]) 
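Review bot: The figureOutSyscalls() failure is now reported on stderr, but main still falls through to `exec.Command("auditctl", "-D").Run()` and the rule installation, so the monitor keeps running with a possibly empty syscall-name table and the only symptom is one line on stderr; I would `return` after that Fprintf, exactly as the root check above it does. While there, the root-check message prints `os.Getegid()` although the condition tests `os.Geteuid()`, so the number shown is the gid rather than the uid the check is about — `fmt.Fprintf(os.Stderr, "Err: Please run me as root, euid=%d!\n", os.Geteuid())`. Note also that `auditctl -D` silently drops every pre-existing audit rule on the host, including any compliance rules an operator installed, and its error is discarded; a comment warning about that side effect and a check of the returned error would be prudent. The rest of main continues outside this hunk.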
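Review bot: The new rule watches `pivot_root` (and `execve`) only with `-F arch=b64`, so a 32-bit binary, or any caller going through the compat syscall table, performs these syscalls without producing an audit record — a well-known blind spot, and one a process that wants to hide an exec or a pivot_root from this monitor can use deliberately. Add a second rule per syscall with `"-F", "arch=b32"` (auditctl itself warns when only one arch is covered), and consider a `"-k", "godo"` key so the records can be filtered downstream. The error returned by each auditctl invocation should also be checked, since a rejected rule (for example an unknown syscall name on an older kernel) otherwise leaves that syscall silently unwatched; the loop body continues past the end of this hunk.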
@@ -61,14 +61,10 @@ func main() { // 查找pid containerdPid, err = getPid() if err != nil { - fmt.Printf("Error finding containerd: %v\n", err) + fmt.Fprintf(os.Stderr, "Error finding containerd: %v\n", err) return } - // 创世之神,1号进程 - // 1号进程还是不要在进程树上直接出现了,不然它的小儿子们都会出现 - // /usr/bin/containerd,也就是我们最关注的进程 - // 开始运行,解析命令行参数后监听 if err := fs.Parse(os.Args[1:]); err != nil { log.Fatal(err) @@ -81,8 +77,8 @@ func main() { func coroutine(client *libaudit.AuditClient) { // 各协程至此开始 - rawChan = make(chan interface{}) - cookedChan = make(chan Event) + rawChan = make(chan interface{}, 65536) + cookedChan = make(chan Event, 65536) wg.Add(1) go procWatch() @@ -101,14 +97,14 @@ func coroutine(client *libaudit.AuditClient) { func procWatch() error { ns, err := netlink.NewNetlinkSocket(syscall.NETLINK_CONNECTOR, 12345) if err != nil { - fmt.Printf("Error creating socket: %v\n", err) + fmt.Fprintf(os.Stderr, "Error creating socket: %v\n", err) return err } defer ns.Close() for { res, err := ns.Receive(20) if err != nil { - fmt.Printf("Error recv: %v\n", err) + fmt.Fprintf(os.Stderr, "Error recv: %v\n", err) continue } for i := 0; i < len(res); i++ { @@ -146,7 +142,7 @@ func checkProc(pCooked *Event) { fileName := fmt.Sprintf("/proc/%d/task/%d/cmdline", pCooked.tgid, pCooked.pid) fd, err := os.Open(fileName) if err != nil { - fmt.Printf("Err: %v\n", err) + fmt.Fprintf(os.Stderr, "Err: %v\n", err) return } @@ -162,7 +158,7 @@ func checkProc(pCooked *Event) { fileName = fmt.Sprintf("/proc/%d/task/%d/cwd", pCooked.tgid, pCooked.pid) pCooked.cwd, err = os.Readlink(fileName) if err != nil { - fmt.Printf("Err readlink %s: %v\n", fileName, err) + fmt.Fprintf(os.Stderr, "Err: %v\n", err) pCooked.cwd = "" } } -- cgit v1.2.3-70-g09d2
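Review bot: Command-line parsing (`fs.Parse`) runs only after the audit ruleset has already been replaced (hunk at line 41 onward) and containerd has been looked up, so a bad flag makes `log.Fatal` exit with the host's rules wiped and this tool's rules left installed, unless something outside the hunk removes them on exit. I would move the parse to the top of main, before `auditctl -D`, so argument errors cost nothing. `log.Fatal` also goes through the default logger, which adds a timestamp prefix unlike every other error in this file; `fmt.Fprintf(os.Stderr, "Err: %v\n", err); os.Exit(1)` would keep the stderr format uniform, which is what this commit set out to do. main starts and ends outside this hunk.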
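Review bot: The two channels are now buffered with a bare `65536`, which hides why that size was chosen and what happens when it fills: the sender blocks exactly as before, just 64k events later, so this is a burst cushion, not a fix for a slow consumer. Name it and say so, e.g. `const eventQueueLen = 65536 // burst cushion between the readers and the consumers; a full queue still blocks the sender`, and use it in both `make` calls. Since a stalled reader means missed process events for a security monitor, counting and reporting backed-up or dropped events would be safer than silently absorbing them. `interface{}` could also be written `any` if go.mod targets Go 1.18 or later. coroutine continues past the end of this hunk.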
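Review bot: On a `Receive` error the loop does `continue` immediately, so a persistent failure (socket closed, or the netlink library reporting ENOBUFS repeatedly) becomes a busy loop that floods stderr and never returns, while the error itself is never propagated — and the caller discards procWatch's return value anyway (`go procWatch()` in the hunk above), so nothing upstream can notice. For a process-event source an ENOBUFS-style error also means the kernel dropped connector messages this monitor will never see, which is a blind spot worth recording rather than just printing; I would distinguish that case, e.g. `if errors.Is(err, syscall.ENOBUFS) { droppedEvents++; continue }`, and otherwise `return fmt.Errorf("netlink receive: %w", err)` after a few consecutive failures — which error the library surfaces I cannot tell from here. The `12345` passed to NewNetlinkSocket is another unexplained literal; a comment stating what it is (a group mask, a port id) would help. procWatch continues outside this hunk.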
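Review bot: The cwd recorded here is whatever `/proc/<tgid>/task/<pid>/cwd` resolves to, and for a process that has done `pivot_root` (the case this commit starts tracking) the kernel, as far as I can tell, renders that link relative to the process's own root, so the monitor stores an in-container path such as `/app` that cannot be told apart from a host `/app` or the same path in another container. If the goal is the host-side rootfs, resolve it through the process's root instead — open `/proc/<pid>/root` (or read `/proc/<pid>/mountinfo`) and join the cwd under it — rather than hardcoding pivot_root argument handling as the commit message describes. The new message also drops `fileName`; that is harmless only because `os.Readlink` returns a `*os.PathError` that already carries the path, which deserves a comment so the next reader does not assume context was lost. checkProc begins outside this hunk.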