events.h
#pragma once
#include <bpf/bpf_helpers.h>
#include "maps.h"
#include "process.h"
#include "types.h"
#include "vmlinux.h"
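/**
 * Reserve a ring-buffer record, fill it with a file-activity event and
 * submit it to the `rb` ring buffer.
 *
 * Exactly one counter in `m` is incremented per call: `ringbuffer_full` when
 * no record could be reserved, `error` when the record had to be discarded,
 * and `added` when it was submitted.
 *
 * @param m              Per-hook metrics updated with the outcome.
 * @param event_type     Value stored in event->type.
 * @param filename       Path string copied into event->filename (at most
 *                       PATH_MAX bytes, including the terminator).
 * @param dentry         Dentry used to read the superblock device number and
 *                       passed to get_host_path().
 * @param use_bpf_d_path Forwarded unchanged to process_fill().
 */
__always_inline static void submit_event(struct metrics_by_hook_t* m, file_activity_type_t event_type, const char filename[PATH_MAX], struct dentry* dentry, bool use_bpf_d_path) {
  struct event_t* event = bpf_ringbuf_reserve(&rb, sizeof(struct event_t), 0);
  if (event == NULL) {
    // Nothing was reserved, so there is nothing to discard: count and leave.
    m->ringbuffer_full++;
    return;
  }

  event->type = event_type;
  event->timestamp = bpf_ktime_get_boot_ns();
  event->dev = BPF_CORE_READ(dentry, d_sb, s_dev);
  // NOTE(review): the copy result is not checked; a truncated or failed copy
  // is still submitted. Confirm the consumer tolerates that.
  bpf_probe_read_str(event->filename, PATH_MAX, filename);

  struct helper_t* helper = get_helper();
  if (helper == NULL) {
    goto error;
  }

  const char* p = get_host_path(helper->buf, dentry);
  if (p != NULL) {
    bpf_probe_read_str(event->host_file, PATH_MAX, p);
  } else {
    // A reserved ring-buffer record is not zeroed and may still hold bytes
    // from an earlier event. Without this, a failed host-path lookup would
    // hand user space a stale path attributed to the current event.
    event->host_file[0] = '\0';
  }

  int64_t err = process_fill(&event->process, use_bpf_d_path);
  if (err) {
    // err is 64 bits wide, so print it with a 64-bit conversion.
    bpf_printk("Failed to fill process information: %lld", err);
    goto error;
  }

  m->added++;
  bpf_ringbuf_submit(event, 0);
  return;

error:
  // Every reserved record must be either submitted or discarded.
  m->error++;
  bpf_ringbuf_discard(event, 0);
}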