From ea32e017e579f168d87732893335c38d539ac2f1 Mon Sep 17 00:00:00 2001 From: We-unite <3205135446@qq.com> Date: Wed, 7 Aug 2024 19:08:59 +0800 Subject: Print err in stderr, Find out docker rootfs. When I use godo, error infomation comes along with other output, so change all err report into stderr. And I listen to `pivot_root` sys- call to find out the root file system of dockers. However, I'm afraid of causing too more delay, so don't check rootfs of ppid and record in the pid. Besides, the method to deal with pivot_root is hardcoded, which may causes crush. Shall I listen to the chdir syscall to find out exact cwd? Maybe It's useful to the pivot_root? Next step: Find out appropriate data stracture, and add more file operations to be watched. This task must be completed this week. --- src/organize.go | 81 ++++++++++++++++++++++++++++++++++----------------------- 1 file changed, 49 insertions(+), 32 deletions(-) (limited to 'src/organize.go') diff --git a/src/organize.go b/src/organize.go index 12119ad..293371b 100644 --- a/src/organize.go +++ b/src/organize.go @@ -2,6 +2,7 @@ package main import ( "fmt" + "os" "regexp" "strconv" "strings" @@ -21,14 +22,15 @@ var ok bool var event Event var pEvent *Event var eventId, argc int -var errs [6]error + +// var errs [6]error // 要用的正则匹配列表 var ( - syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?$`) + syscallRegex = regexp.MustCompile(`audit\((\d+\.\d+):(\d+)\).*?syscall=(\d+)(?:.*?exit=([-+]?\d+))?.*?ppid=(\d+) pid=(\d+).*?subj=(.*?):(.*?):(.*?):(.*?) .*?$`) execveRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): argc=(\d+)`) argsRegex = regexp.MustCompile(`a\d+=("(.*?)"|([0-9a-fA-F]+))`) - pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\):.*?name="(.*?)"`) + pathRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): item=(\d+) name="(.*?)"`) cwdRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): cwd="(.*?)"`) proctitleRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\): proctitle=("(.*?)"|([0-9a-fA-F]+))$`) eoeRegex = regexp.MustCompile(`audit\(\d+\.\d+:(\d+)\)`) @@ -47,22 +49,22 @@ func orgnaze() { break } rawEvent = raw.(libaudit.RawAuditMessage) + // fmt.Printf("type=%v msg=%s\n", rawEvent.Type, rawEvent.Data) switch rawEvent.Type { case auparse.AUDIT_SYSCALL: - go syscallRaw(rawEvent) + syscallRaw(rawEvent) case auparse.AUDIT_EXECVE: - go execve(rawEvent) + execve(rawEvent) case auparse.AUDIT_CWD: - go cwd(rawEvent) + cwd(rawEvent) case auparse.AUDIT_PATH: - go path(rawEvent) + path(rawEvent) case auparse.AUDIT_PROCTITLE: - go proctitle(rawEvent) + proctitle(rawEvent) case auparse.AUDIT_EOE: - go eoe(rawEvent) + eoe(rawEvent) default: - // ATTENTION: 这里也需要做防护 } } } @@ -74,28 +76,34 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { var exit int var a [4]uint64 + var subj [4]string // 捕获基础信息 match := syscallRegex.FindSubmatch(rawEvent.Data) - event.timestamp, errs[0] = getTimeFromStr(string(match[1])) - eventId, errs[1] = strconv.Atoi(string(match[2])) - event.syscall, errs[2] = strconv.Atoi(string(match[3])) + event.timestamp, _ = getTimeFromStr(string(match[1])) + eventId, _ = strconv.Atoi(string(match[2])) + event.syscall, _ = strconv.Atoi(string(match[3])) if string(match[4]) == "" { // exit没捕获到 exit = 0 } else { - exit, errs[3] = strconv.Atoi(string(match[4])) + exit, _ = strconv.Atoi(string(match[4])) + } + event.ppid, _ = strconv.Atoi(string(match[5])) + event.pid, _ = strconv.Atoi(string(match[6])) + + // 几个subj,说不定会有用 + for i := 0; i < 4; i++ { + subj[i] = string(match[7+i]) } - event.ppid, errs[4] = strconv.Atoi(string(match[5])) - event.pid, errs[5] = strconv.Atoi(string(match[6])) // 捕获参数 if !argsRegex.Match(rawEvent.Data) { - fmt.Printf("Error: don't get args in syscall event!\n") + fmt.Fprintf(os.Stderr, "Error: don't get args in syscall event!\n") return } argsMatch := argsRegex.FindAllSubmatch(rawEvent.Data, -1) for i := 0; i < 4; i++ { - a[i], errs[0] = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) + a[i], _ = strconv.ParseUint(string(argsMatch[i][3]), 16, 64) } switch syscallTable[event.syscall] { @@ -128,7 +136,7 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { argv: make([]string, 0), cwd: "", syscallParam: a, - pathName: "", + srcPath: "", }) case "write": eventTable.Store(eventId, &Event{ @@ -142,7 +150,6 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { argv: make([]string, 0), cwd: "", syscallParam: a, - // pathName: "", }) case "close": // 文件关闭 @@ -157,8 +164,18 @@ func syscallRaw(rawEvent libaudit.RawAuditMessage) { argv: make([]string, 0), cwd: "", syscallParam: a, - // pathName: "", }) + case "pivot_root": + if subj[2] == "container_runtime_t" { + eventTable.Store(eventId, &Event{ + tag: PIVOTROOT, + timestamp: event.timestamp, + syscall: event.syscall, + ppid: event.ppid, + pid: event.pid, + syscallParam: a, + }) + } } } @@ -168,14 +185,14 @@ func execve(rawEvent libaudit.RawAuditMessage) { } match := execveRegex.FindSubmatch(rawEvent.Data) - eventId, errs[0] = strconv.Atoi(string(match[1])) - argc, errs[1] = strconv.Atoi(string(match[2])) + eventId, _ = strconv.Atoi(string(match[1])) + argc, _ = strconv.Atoi(string(match[2])) tmp, ok = eventTable.Load(eventId) if !ok { return } pEvent = tmp.(*Event) - if errs[0] == nil && errs[1] == nil && argsRegex.Match(rawEvent.Data) { + if argsRegex.Match(rawEvent.Data) { match := argsRegex.FindAllSubmatch(rawEvent.Data, -1) for i := 0; i < argc; i++ { if len(match[i][2]) == 0 { @@ -196,7 +213,7 @@ func cwd(rawEvent libaudit.RawAuditMessage) { } match := cwdRegex.FindSubmatch(rawEvent.Data) - eventId, errs[0] = strconv.Atoi(string(match[1])) + eventId, _ = strconv.Atoi(string(match[1])) tmp, ok = eventTable.Load(eventId) if !ok { return @@ -211,7 +228,7 @@ func proctitle(rawEvent libaudit.RawAuditMessage) { var cmdline string match := proctitleRegex.FindSubmatch(rawEvent.Data) - eventId, errs[0] = strconv.Atoi(string(match[1])) + eventId, _ = strconv.Atoi(string(match[1])) tmp, ok = eventTable.Load(eventId) if !ok { return @@ -236,14 +253,13 @@ func eoe(rawEvent libaudit.RawAuditMessage) { } match := eoeRegex.FindSubmatch(rawEvent.Data) - eventId, errs[0] = strconv.Atoi(string(match[1])) + eventId, _ = strconv.Atoi(string(match[1])) tmp, ok = eventTable.Load(eventId) if !ok { return } cooked := *(tmp.(*Event)) cookedChan <- cooked - // fmt.Printf("Send: %10d\t%v\t%7d\t%7d\n", eventId, cooked.tag, cooked.ppid, cooked.pid) eventTable.Delete(eventId) // 死人别占地 } @@ -252,8 +268,9 @@ func path(rawEvent libaudit.RawAuditMessage) { return } match := pathRegex.FindSubmatch(rawEvent.Data) - eventId, errs[0] = strconv.Atoi(string(match[1])) - name := string(match[2]) + eventId, _ = strconv.Atoi(string(match[1])) + // item, _ := strconv.Atoi(string(match[2])) + name := string(match[3]) tmp, ok = eventTable.Load(eventId) if !ok { @@ -267,8 +284,8 @@ func path(rawEvent libaudit.RawAuditMessage) { } if name[0] == '/' { - pEvent.pathName = name + pEvent.srcPath = name } else { - pEvent.pathName += "/" + name + pEvent.srcPath += "/" + name } } -- cgit v1.2.3-70-g09d2