fix bash module

cli/cmd/bash.go

@@ -18,11 +18,12 @@ import (
 	"context"
 	"ecapture/user/config"
 	"ecapture/user/module"
-	"github.com/spf13/cobra"
 	"log"
 	"os"
 	"os/signal"
 	"syscall"
+
+	"github.com/spf13/cobra"
 )
 
 var bc = config.NewBashConfig()
@@ -55,10 +56,11 @@ func init() {
 
 // bashCommandFunc executes the "bash" command.
 func bashCommandFunc(command *cobra.Command, args []string) {
+
 	stopper := make(chan os.Signal, 1)
 	signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)
 	ctx, cancelFun := context.WithCancel(context.TODO())
-
+	ctx = context.WithValue(ctx, config.CONTEXT_KEY_MODULE_NAME, "bash")
 	mod := module.GetModuleByName(module.ModuleNameBash)
 
 	logger := log.New(os.Stdout, "bash_", log.LstdFlags)

kern/bash_kern.c

@@ -15,6 +15,7 @@
 #include "ecapture.h"
 
 struct event {
+    u32 type;
     u32 pid;
     u32 uid;
     u8 line[MAX_DATA_SIZE_BASH];
@@ -32,9 +33,9 @@ struct {
 struct {
     __uint(type, BPF_MAP_TYPE_HASH);
     __type(key, u32);
-    __type(value, struct event);
+    __type(value, u32);
     __uint(max_entries, 1024);
-} events_t SEC(".maps");
+} pid_temp SEC(".maps");
 // Force emitting struct event into the ELF.
 const struct event *unused __attribute__((unused));
 
@@ -55,15 +56,19 @@ int uretprobe_bash_readline(struct pt_regs *ctx) {
     }
 #endif
 
-    struct event event = {};
-    event.pid = pid;
-    event.uid = uid;
+    struct event event = {
+        .type = BASH_EVENT_TYPE_READLINE,
+        .pid = pid,
+        .uid = uid,
+        .retval = 0,
+    };
     // bpf_printk("!! uretprobe_bash_readline pid:%d",target_pid );
     bpf_probe_read_user(&event.line, sizeof(event.line),
                         (void *)PT_REGS_RC(ctx));
     bpf_get_current_comm(&event.comm, sizeof(event.comm));
-    bpf_map_update_elem(&events_t, &pid, &event, BPF_ANY);
-
+    bpf_map_update_elem(&pid_temp, &pid, &pid, BPF_ANY);
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
+                          sizeof(struct event));
     return 0;
 }
 SEC("uretprobe/bash_retval")
@@ -84,22 +89,19 @@ int uretprobe_bash_retval(struct pt_regs *ctx) {
     }
 #endif
 
-    struct event *event_p = bpf_map_lookup_elem(&events_t, &pid);
-
-#ifndef KERNEL_LESS_5_2
-    // if target_errno is 128 then we target all
-    if (target_errno != BASH_ERRNO_DEFAULT && target_errno != retval) {
-        if (event_p) bpf_map_delete_elem(&events_t, &pid);
-        return 0;
-    }
-#endif
-
-    if (event_p) {
-        event_p->retval = retval;
-        //        bpf_map_update_elem(&events_t, &pid, event_p, BPF_ANY);
-        bpf_map_delete_elem(&events_t, &pid);
-        bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event_p,
+    u32 *pid_p = bpf_map_lookup_elem(&pid_temp, &pid);
+    if (pid_p) {
+        struct event event_p = {
+            .type = BASH_EVENT_TYPE_RETVAL,
+            .pid = pid,
+            .uid = uid,
+            .retval = retval,
+        };
+        bpf_get_current_comm(&event_p.comm, sizeof(event_p.comm));
+        bpf_map_delete_elem(&pid_temp, &pid);
+        bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event_p,
                               sizeof(struct event));
     }
+
     return 0;
 }

kern/common.h

@@ -41,6 +41,9 @@
 #define SA_DATA_LEN 14
 #define BASH_ERRNO_DEFAULT 128
 
+#define BASH_EVENT_TYPE_READLINE 0
+#define BASH_EVENT_TYPE_RETVAL 1
+
 ///////// for TC & XDP ebpf programs in tc.h
 #define TC_ACT_OK 0
 #define ETH_P_IP 0x0800 /* Internet Protocol packet        */

pkg/event_processor/iworker.go

@@ -15,19 +15,13 @@
 package event_processor
 
 import (
-	"bytes"
 	"ecapture/user/event"
 	"encoding/hex"
-	"sync/atomic"
 	"time"
 )
 
 type IWorker interface {
 
-	// 定时器1 ，定时判断没有后续包，则解析输出
-
-	// 定时器2， 定时判断没后续包，则通知上层销毁自己
-
 	// 收包
 	Write(event.IEventStruct) error
 	GetUUID() string
@@ -37,12 +31,12 @@
 }
 
 const (
 	MaxTickerCount = 10 // 1 Sencond/(eventWorker.ticker.C) = 10
 	MaxChanLen     = 16 // 包队列长度
 	//MAX_EVENT_LEN    = 16 // 事件数组长度
 )
 
 type eventWorker struct {
 	incoming chan event.IEventStruct
 	//events      []user.IEventStruct
 	status      ProcessStatus
@@ -56,7 +50,7 @@
 	used        atomic.Bool
 }
 
 func NewEventWorker(uuid string, processor *EventProcessor) IWorker {
 	eWorker := &eventWorker{}
 	eWorker.init(uuid, processor)
 	go func() {

pkg/event_processor/processor.go

@@ -15,6 +15,8 @@
 package event_processor
 
 import (
+	"context"
+	"ecapture/user/config"
 	"ecapture/user/event"
 	"fmt"
 	"log"
@@ -28,9 +30,9 @@ const (
 
 type EventProcessor struct {
 	sync.Mutex
+	ctx context.Context
 	// 收包，来自调用者发来的新事件
 	incoming chan event.IEventStruct
-
 	// key为 PID+UID+COMMON等确定唯一的信息
 	workerQueue map[string]IWorker
 
@@ -51,11 +53,8 @@ func (this *EventProcessor) init() {
 
 // Write event 处理器读取事件
 func (this *EventProcessor) Serve() {
-	for {
-		select {
-		case e := <-this.incoming:
-			this.dispatch(e)
-		}
+	for e := range this.incoming {
+		this.dispatch(e)
 	}
 }
 
@@ -65,7 +64,12 @@ func (this *EventProcessor) dispatch(e event.IEventStruct) {
 	found, eWorker := this.getWorkerByUUID(uuid)
 	if !found {
 		// ADD a new eventWorker into queue
-		eWorker = NewEventWorker(e.GetUUID(), this)
+
+		if this.ctx.Value(config.CONTEXT_KEY_MODULE_NAME) == "bash" {
+			eWorker = NewBashEventWorker(e.GetUUID(), this)
+		} else {
+			eWorker = NewEventWorker(e.GetUUID(), this)
+		}
 		this.addWorkerByUUID(eWorker)
 	}
 
@@ -126,9 +130,9 @@ func (this *EventProcessor) Close() error {
 	return nil
 }
 
-func NewEventProcessor(logger *log.Logger, isHex bool) *EventProcessor {
-	var ep *EventProcessor
-	ep = &EventProcessor{}
+func NewEventProcessor(ctx context.Context, logger *log.Logger, isHex bool) *EventProcessor {
+	ep := &EventProcessor{}
+	ep.ctx = ctx
 	ep.logger = logger
 	ep.isHex = isHex
 	ep.init()

pkg/event_processor/processor_test.go

@@ -2,6 +2,7 @@ package event_processor
 
 import (
 	"bytes"
+	"context"
 	"encoding/json"
 	"fmt"
 	"io"
@@ -41,7 +42,7 @@ func TestEventProcessor_Serve(t *testing.T) {
 		}
 		logger.SetOutput(f)
 	*/
-	ep := NewEventProcessor(logger, true)
+	ep := NewEventProcessor(context.Background(), logger, true)
 
 	go func() {
 		ep.Serve()

pkg/event_processor/worker_bashevent.go

@@ -0,0 +1,79 @@
+package event_processor
+
+import (
+	"ecapture/user/event"
+	"strings"
+
+	"golang.org/x/sys/unix"
+)
+
+// 特殊处理bashevent
+type bashEventWorker struct {
+	incoming  chan event.IEventStruct
+	status    ProcessStatus
+	UUID      string
+	processor *EventProcessor
+	line      string
+	retVal    uint32
+}
+
+func NewBashEventWorker(uuid string, processor *EventProcessor) IWorker {
+	beWorker := &bashEventWorker{}
+	beWorker.init(uuid, processor)
+	go func() {
+		beWorker.Run()
+	}()
+	return beWorker
+}
+
+func (ew *bashEventWorker) init(uuid string, processor *EventProcessor) {
+	ew.incoming = make(chan event.IEventStruct)
+	ew.status = ProcessStateInit
+	ew.UUID = uuid
+	ew.processor = processor
+}
+
+func (bew *bashEventWorker) GetUUID() string {
+	return bew.UUID
+}
+
+func (bew *bashEventWorker) Write(e event.IEventStruct) error {
+	bew.incoming <- e
+	return nil
+}
+
+func (bew *bashEventWorker) Run() {
+	for e := range bew.incoming {
+		bashEvent, _ := e.(*event.BashEvent)
+		line := strings.TrimSpace(unix.ByteSliceToString((bashEvent.Line[:])))
+		if (line == "" || line == "\\") && bew.status == ProcessStateInit {
+			continue
+		}
+		bew.line += line
+		bew.status = ProcessStateProcessing
+		if bashEvent.Type == 1 {
+			//retval
+			bew.retVal = bashEvent.Retval
+			bew.Close()
+			return
+		}
+
+		if strings.HasPrefix(line, "exit") || strings.HasPrefix(line, "exec") {
+			//无返回值的命令
+			bew.Close()
+			return
+		}
+		bew.line += "\n"
+	}
+}
+
+func (bew *bashEventWorker) Close() {
+	bew.status = ProcessStateDone
+	bew.Display()
+	bew.processor.delWorkerByUUID(bew)
+}
+
+// 输出整个Command内容
+func (bew *bashEventWorker) Display() {
+	bew.processor.GetLogger().Printf("pid_uid_comm:%s, length:%d, retVal:%v\nline:%v", bew.UUID, len(bew.line), bew.retVal, bew.line)
+}