SentinalFS · technoBlogger-2001 · Jun 15, 2025 · May 28, 2025 · May 30, 2025 · Jun 1, 2025
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -0,0 +1,72 @@
+name: CI and Release
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+jobs:
+  check-version:
+    name: Check VERSION.txt updated in PR
+    runs-on: ubuntu-latest
+    if: github.event_name == 'pull_request'
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Ensure VERSION.txt is updated
+        run: |
+          git fetch origin main
+          CHANGED=$(git diff --name-only origin/main...HEAD)
+          if ! echo "$CHANGED" | grep -qx VERSION.txt; then
+            echo "Error: VERSION.txt must be updated in this pull request."
+            exit 1
+          fi
+
+  build:
+    name: Build Go project
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: 1.20
+
+      - name: Download dependencies
+        run: go mod tidy
+
+      - name: Build binary
+        run: go build -o listener
+
+  release:
+    name: Create GitHub Release
+    needs: build
+    runs-on: ubuntu-latest
+    if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Read version
+        id: version
+        run: |
+          VERSION=$(cat VERSION.txt)
+          echo "version=$VERSION" >> "$GITHUB_OUTPUT"
+
+      - name: Create GitHub Release
+        uses: softprops/action-gh-release@v1
+        with:
+          tag_name: v${{ steps.version.outputs.version }}
+          name: Release v${{ steps.version.outputs.version }}
+          body: |
+            Automated release triggered by push to `main`.
+
+            **Version**: v${{ steps.version.outputs.version }}
+
+            _Changes in this release are based on PR history._
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/LICENSE b/LICENSE
diff --git a/Makefile b/Makefile
@@ -0,0 +1,15 @@
+APP_NAME=listener
+
+.PHONY: build run clean docker
+
+build:
+	go build -o $(APP_NAME) ./cmd/listener
+
+run:
+	./$(APP_NAME) monitor.bpf.o
+
+clean:
+	rm -f $(APP_NAME)
+
+docker:
+	docker build -t go-ebp-logger -f build/docker/Dockerfile .
diff --git a/VERSION.txt b/VERSION.txt
@@ -0,0 +1 @@
+0.1.0
diff --git a/build/docker/Dockerfile b/build/docker/Dockerfile
@@ -0,0 +1,16 @@
+FROM golang:1.20
+
+WORKDIR /app
+
+COPY go.mod go.sum ./
+RUN go mod download
+
+# Download the precompiled BPF object: 
+# TODO: Figure out wget for object file
+# RUN wget <url> -O monitor.bpf.o
+
+COPY . .
+
+RUN CGO_ENABLED=0 GOOS=linux go build -o /listener ./cmd/listener
+
+ENTRYPOINT ["/listener", "monitor.bpf.o"]
diff --git a/cmd/listener/main.go b/cmd/listener/main.go
@@ -0,0 +1,78 @@
+// main.go
+package main
+
+import (
+	"bytes"
+	"encoding/binary"
+	"flag"
+	"fmt"
+	"log"
+	"os"
+	"os/signal"
+	"syscall"
+
+	"go-ebp-logger/internal/bpfmanager" 
+	"go-ebp-logger/internal/event"     
+
+	"github.com/cilium/ebpf/ringbuf" 
+)
+
+func main() {
+
+	done := make(chan struct{})
+	flag.Usage = func() {
+		fmt.Fprintf(os.Stderr, "Usage: %s <bpf-object-file>\n", os.Args[0])
+	}
+	flag.Parse()
+	if flag.NArg() < 1 {
+		flag.Usage()
+		os.Exit(1)
+	}
+	bpfObjPath := flag.Arg(0) 
+
+	bpfManager, err := bpfmanager.NewBPFManager(bpfObjPath)
+	if err != nil {
+		log.Fatalf("Failed to initialize BPF manager: %v", err)
+	}
+	defer bpfManager.Close()
+
+
+	if err := bpfManager.AttachKprobe("vfs_read", "trace_read"); err != nil {
+		log.Fatalf("Failed to attach kprobe for vfs_read: %v", err)
+	}
+
+
+	if err := bpfManager.PinMap("monitored_inodes", "/sys/fs/bpf/monitored_inode"); err != nil {
+		log.Fatalf("Failed to pin 'monitored_inodes' map: %v", err)
+	}
+
+
+	if err := bpfManager.InitRingBufferReader("events"); err != nil {
+		log.Fatalf("Failed to initialize event reader: %v", err)
+	}
+	rd := bpfManager.GetEventReader()
+
+	fmt.Println("Waiting for events... Press Ctrl+C to stop.")
+
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, syscall.SIGINT, syscall.SIGTERM)
+
+loop:
+	for {
+		select {
+		case <-sigCh:
+			break loop
+		default:
+			record, err := rd.Read()
+			if err != nil {
+				log.Printf("Failed to read from ring buffer: %v", err)
+				continueAdd commentMore actions
+			}
+			var e event.Data
+			if err := binary.Read(bytes.NewReader(record.RawSample), binary.LittleEndian, &e); err == nil {
+				event.Print(e)
+			}
+		}
+}
+}
diff --git a/go.mod b/go.mod
@@ -0,0 +1,10 @@
+module go-ebp-logger
+
+go 1.20
+
+require github.com/cilium/ebpf v0.12.0
+
+require (
+	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+)
diff --git a/go.sum b/go.sum
@@ -0,0 +1,11 @@
+github.com/cilium/ebpf v0.12.0 h1:oQEuIQIXgYhe1v7sYUG0P9vtJTYZLLdA6tiQmrOB1mo=
+github.com/cilium/ebpf v0.12.0/go.mod h1:u9H29/Iq+8cy70YqI6p5pfADkFl3vdnV2qXDg5JL0Zo=
+github.com/frankban/quicktest v1.14.5 h1:dfYrrRyLtiqT9GyKXgdh+k4inNeTvmGbuSgZ3lx3GhA=
+github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 h1:Jvc7gsqn21cJHCmAWx0LiimpP18LZmUxkT5Mp7EZ1mI=
+golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/internal/ebpfmanager/bpfmanager.go b/internal/ebpfmanager/bpfmanager.go
@@ -0,0 +1,109 @@
+package bpfmanager
+
+import (
+	"fmt"
+	"log"
+	"os"
+
+	"github.com/cilium/ebpf"
+	"github.com/cilium/ebpf/link"
+	"github.com/cilium/ebpf/ringbuf"
+)
+
+type BPFManager struct {
+	collection *ebpf.Collection
+	reader     *ringbuf.Reader
+	links      []link.Link 
+}
+
+
+func NewBPFManager(bpfObjPath string) (*BPFManager, error) {
+	spec, err := ebpf.LoadCollectionSpec(bpfObjPath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load BPF spec from %s: %w", bpfObjPath, err)
+	}
+	coll, err := ebpf.NewCollection(spec)
+	if err != nil {
+		return nil, fmt.Errorf("failed to load BPF collection: %w", err)
+	}
+	return &BPFManager{
+		collection: coll,
+		links: make([]link.Link, 0), 
+	}, nil
+}
+
+
+
+func (bm *BPFManager) AttachKprobe(kernelSymbol string, programName string) error {
+	prog := bm.collection.Programs[programName]
+	if prog == nil {
+		return fmt.Errorf("eBPF program '%s' not found in collection", programName)
+	}
+	kp, err := link.Kprobe(kernelSymbol, prog, nil)
+	if err != nil {
+		return fmt.Errorf("failed to attach kprobe to '%s' using program '%s': %w", kernelSymbol, programName, err)
+	}
+	bm.links = append(bm.links, kp) 
+	log.Printf("Successfully attached kprobe: %s -> %s", kernelSymbol, programName)
+	return nil
+}
+
+
+
+func (bm *BPFManager) InitRingBufferReader(mapName string) error {
+	eventsMap := bm.collection.Maps[mapName]
+	if eventsMap == nil {
+		return fmt.Errorf("eBPF map '%s' not found in collection", mapName)
+	}
+	rd, err := ringbuf.NewReader(eventsMap)
+	if err != nil {
+		return fmt.Errorf("failed to create ring buffer reader for map '%s': %w", mapName, err)
+	}
+	bm.reader = rd 
+	log.Printf("Initialized ring buffer reader for map: %s", mapName)
+	return nil
+}
+
+
+
+func (bm *BPFManager) GetEventReader() *ringbuf.Reader {
+	return bm.reader
+}
+
+
+
+func (bm *BPFManager) PinMap(mapName string, pinPath string) error {
+	bpfMap := bm.collection.Maps[mapName]
+	if bpfMap == nil {
+		log.Printf("Map '%s' not found in collection. Skipping pinning.", mapName)
+		return nil
+	}
+	if err := os.Remove(pinPath); err != nil && !os.IsNotExist(err) {
+		log.Printf("Warning: failed to remove existing pin at %s: %v", pinPath, err)
+	}
+	if err := bpfMap.Pin(pinPath); err != nil {
+		return fmt.Errorf("failed to pin map '%s' to %s: %w", mapName, pinPath, err)
+	}
+	log.Printf("Map '%s' pinned to %s", mapName, pinPath)
+	return nil
+}
+
+
+func (bm *BPFManager) Close() {
+	for _, l := range bm.links {
+		if err := l.Close(); err != nil {
+			log.Printf("Error closing BPF link: %v", err)
+		}
+	}
+	if bm.reader != nil {
+		if err := bm.reader.Close(); err != nil {
+			log.Printf("Error closing ring buffer reader: %v", err)
+		}
+	}
+	if bm.collection != nil {
+		if err := bm.collection.Close(); err != nil {
+			log.Printf("Error closing BPF collection: %v", err)
+		}
+	}
+	log.Println("All eBPF resources released.")
+}
diff --git a/internal/event/event.go b/internal/event/event.go
@@ -0,0 +1,28 @@
+package event
+
+import (
+	"fmt"
+	"strings"
+	"time"
+)
+
+type Data struct {
+	Pid       uint32
+	Uid       uint32
+	Filename  [128]byte
+	Comm      [16]byte
+	Timestamp uint64
+	Otype     [16]byte
+}
+
+func Print(e Data) {
+	ts := time.Unix(0, int64(e.Timestamp))
+	fmt.Printf("[%s] PID=%d, UID=%d, Operation=%s, File=%s, Process=%s\n",
+		ts.Format("15:04:05"),
+		e.Pid,
+		e.Uid,
+		strings.TrimRight(string(e.Otype[:]), "\x00"),
+		strings.TrimRight(string(e.Filename[:]), "\x00"),
+		strings.TrimRight(string(e.Comm[:]), "\x00"),
+	)
+}