Initial Commit

2025-08-16 15:15:18 +02:00
commit 912a283f7c
20 changed files with 3123 additions and 0 deletions
--- a/main.go
+++ b/main.go
@@ -0,0 +1,102 @@
+package main
+
+import (
+	"bytes"
+	"encoding/binary"
+	"errors"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+	"unsafe"
+
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/perf"
+	"github.com/cilium/ebpf/rlimit"
+)
+
+// event matches the C struct in your BPF program
+type event struct {
+	Pid      uint32
+	Uid      uint32
+	Comm     [16]byte
+	Filename [256]byte
+}
+
+func main() {
+	// Allow the current process to lock memory for eBPF resources
+	if err := rlimit.RemoveMemlock(); err != nil {
+		log.Fatal(err)
+	}
+
+	// Load the pre-compiled BPF program
+	objs := tracepointObjects{}
+	if err := loadTracepointObjects(&objs, nil); err != nil {
+		log.Fatalf("loading objects: %v", err)
+	}
+	defer objs.Close()
+
+	// Populate the target filename map (critical part)
+	targetFilename := "/tmp/testfile\x00" // Null-terminated
+	var filenameBuf [256]byte
+	copy(filenameBuf[:], targetFilename)
+
+	key := uint32(0)
+	if err := objs.TargetFilenameMap.Put(key, filenameBuf); err != nil {
+		log.Fatalf("putting target filename in map: %v", err)
+	}
+
+	// Attach the tracepoint
+	tp, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TraceOpenat, nil)
+	if err != nil {
+		log.Fatalf("attaching tracepoint: %v", err)
+	}
+	defer tp.Close()
+
+	// Set up perf event reader
+	rd, err := perf.NewReader(objs.Events, os.Getpagesize())
+	if err != nil {
+		log.Fatalf("creating perf event reader: %v", err)
+	}
+	defer rd.Close()
+
+	log.Println("Monitoring for openat() syscalls to /tmp/testfile...")
+
+	// Graceful shutdown
+	sig := make(chan os.Signal, 1)
+	signal.Notify(sig, syscall.SIGINT, syscall.SIGTERM)
+
+	go func() {
+		for {
+			record, err := rd.Read()
+			if err != nil {
+				if errors.Is(err, perf.ErrClosed) {
+					return
+				}
+				log.Printf("reading from perf reader: %v", err)
+				continue
+			}
+
+			if len(record.RawSample) < int(unsafe.Sizeof(event{})) {
+				log.Printf("invalid sample size: %d", len(record.RawSample))
+				continue
+			}
+
+			var e event
+			if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &e); err != nil {
+				log.Printf("parsing event: %v", err)
+				continue
+			}
+
+			// Convert byte arrays to strings
+			comm := string(bytes.TrimRight(e.Comm[:], "\x00"))
+			filename := string(bytes.TrimRight(e.Filename[:], "\x00"))
+
+			log.Printf("PID: %d, UID: %d, CMD: %s, FILE: %s",
+				e.Pid, e.Uid, comm, filename)
+		}
+	}()
+
+	<-sig
+	log.Println("Shutting down...")
+}