fix err with pipe2 not being processed

nad2040 · nad2040 · commit 6316a77dd5ae · 2025-11-21T16:26:14.000-05:00
dup3 flags are tracked now
reincrease HS_MAX_PATH back to 4096 as artificial limit for paths. dyn lens work, so it doesn't impact performance now.
reimplement the syscall_of_nr integration with crate for printing out the event logs
fix issue with nul bytes showing. and handle the case where path1 and path2 are missing from the structure
diff --git a/src/bpf/hs_trace.bpf.c b/src/bpf/hs_trace.bpf.c
@@ -346,6 +346,8 @@ BPF_PROG(hs_trace_create_pipe_exit)
 	exit.pid_tgid = pid_tgid;
 	exit.ret = ((struct sys_exit_pipe2_args *)ctx)->ret;
 
+	bpf_dynptr_write(&ptr, 0, &exit, sizeof(struct sys_exit_info_t), 0);
+
 	bpf_ringbuf_submit_dynptr(&ptr, 0);
 
 	return 0;
@@ -571,17 +573,18 @@ BPF_PROG(hs_trace_sys_enter, struct pt_regs *regs, long syscall_id)
 		event_type = ENTER_PATH1;
 		break;
 #endif
+#ifdef __NR_dup3
+	case __NR_dup3:
+		flags = (unsigned int)PT_REGS_PARM3_CORE(regs);
+		// FALLTHROUGH
+#endif
 #ifdef __NR_dup2
 	case __NR_dup2:
-		// FALLTHROUGH
 #endif
-#ifdef __NR_dup3
-	case __NR_dup3:
 		fd = (int)PT_REGS_PARM1_CORE(regs);
 		fd2 = (int)PT_REGS_PARM2_CORE(regs);
 		event_type = ENTER_PATH2;
 		break;
-#endif
 #ifdef __NR_dup
 	case __NR_dup:
 		fd = (int)PT_REGS_PARM1_CORE(regs);
@@ -746,7 +749,15 @@ BPF_PROG(hs_trace_sys_enter, struct pt_regs *regs, long syscall_id)
 			bpf_printk("failed to read user str path1, %d, "
 			           "pathptr1 = %p\n",
 			           len1, pathptr1);
-			return 0;
+			len1 = bpf_probe_read_kernel_str(path1, HS_MAX_PATH,
+			                                 pathptr1);
+			if (len1 < 0) {
+				bpf_printk(
+				    "failed to read kernel str path1, %d, "
+				    "pathptr1 = %p\n",
+				    len1, pathptr1);
+				return 0;
+			}
 		}
 	}
 	len1 &= (HS_MAX_PATH - 1);
@@ -760,7 +771,15 @@ BPF_PROG(hs_trace_sys_enter, struct pt_regs *regs, long syscall_id)
 		len2 = bpf_probe_read_user_str(path2, HS_MAX_PATH, pathptr2);
 		if (len2 < 0) {
 			bpf_printk("failed to read user str path2, %d\n", len2);
-			return 0;
+			len2 = bpf_probe_read_kernel_str(path2, HS_MAX_PATH,
+			                                 pathptr2);
+			if (len2 < 0) {
+				bpf_printk(
+				    "failed to read kernel str path2, %d, "
+				    "pathptr2 = %p\n",
+				    len2, pathptr2);
+				return 0;
+			}
 		}
 	}
 	len2 &= (HS_MAX_PATH - 1);
diff --git a/src/bpf/hs_trace.h b/src/bpf/hs_trace.h
@@ -2,7 +2,7 @@
 #define _HS_TRACE_H_
 
 #ifndef HS_MAX_PATH
-#define HS_MAX_PATH 1024
+#define HS_MAX_PATH 4096
 #endif
 
 #ifndef BUFF_SIZE
diff --git a/src/dep_tracer.rs b/src/dep_tracer.rs
@@ -196,7 +196,15 @@ impl Display for SyscallEvent {
                 write!(
                     f,
                     "{}(fd={},path={},fd2={},path2={},flags={})",
-                    syscall_nr, fd, path1, fd2, path2, flags
+                    match syscall_of_nr(*syscall_nr as u64) {
+                        Some(syscall) => syscall,
+                        None => "syscall_nr not found",
+                    },
+                    fd,
+                    path1,
+                    fd2,
+                    path2,
+                    flags
                 )
             }
             SyscallEvent::Exit { pid_tgid: _, ret } => {
@@ -372,7 +380,9 @@ impl Context {
             .fd_tables
             .get(&parent_pid)
             .expect(format!("missing fd table for {parent_pid}").as_str());
+        // println!("clone: parent {fd_table:#?}");
         let mut child_fd_table = fd_table.clone();
+        // println!("clone: child {child_fd_table:#?}");
         for (_fd_, file_desc) in child_fd_table.iter_mut() {
             self.open_files.increment_ref_count(file_desc.open_file);
         }
@@ -408,6 +418,7 @@ impl Context {
             .fd_tables
             .get_mut(&pid)
             .expect(format!("expected fd table for pid {pid}").as_str());
+        // println!("ctxt.dup_file: {fd_table:#?}");
         let old_file_desc = fd_table
             .get(&old_fd)
             .expect(format!("expected old fd {old_fd} to be present for pid {pid}").as_str());
@@ -423,6 +434,7 @@ impl Context {
     }
 
     pub fn create_pipe(&mut self, pid_tgid: u64, fd1: i32, fd2: i32, flags: u32, path: PathBuf) {
+        // println!("fds passed to create_pipe are {fd1} and {fd2}");
         let pid = upid_of(pid_tgid);
         let read_end = self.open_files.open_file(0, path.clone());
         let write_end = self.open_files.open_file(0, path);
@@ -449,6 +461,7 @@ impl Context {
                 open_file: write_end,
             },
         );
+        // println!("{fd_table:#?}");
     }
 
     // pub fn close_file(&mut self, pid_tgid: u64, fd: i32) {
@@ -914,19 +927,19 @@ fn parse_openat(
     }
 }
 
-// fn parse_close(
-//     ctxt: &mut Context,
-//     sets: &mut RWSet,
-//     pid_tgid: u64,
-//     ret: i64,
-//     flags: u32,
-//     fd: i32,
-//     path: &str,
-// ) {
-//     // if ret >= 0 {
-//     //     ctxt.close_file(pid_tgid, fd);
-//     // }
-// }
+fn parse_close(
+    ctxt: &mut Context,
+    sets: &mut RWSet,
+    pid_tgid: u64,
+    ret: i64,
+    flags: u32,
+    fd: i32,
+    path: &str,
+) {
+    if ret >= 0 {
+        // ctxt.close_file(pid_tgid, fd);
+    }
+}
 
 fn parse_open(
     ctxt: &mut Context,
@@ -1105,10 +1118,12 @@ pub fn event_stream_handler(rx: mpsc::Receiver<Option<SyscallEvent>>) -> Result<
     loop {
         match rx.recv() {
             Ok(Some(enter @ SyscallEvent::Enter { pid_tgid, .. })) => {
+                // print!("{enter}");
                 let mut logs = LOGS.lock().unwrap();
                 logs.update_log(pid_tgid, enter)
             }
             Ok(Some(exit @ SyscallEvent::Exit { pid_tgid, ret })) => {
+                // print!("{exit}");
                 let mut logs = LOGS.lock().unwrap();
                 logs.update_log(pid_tgid, exit);
                 let event_queue = logs.log.get(&pid_tgid).unwrap();
diff --git a/src/main.rs b/src/main.rs
@@ -209,15 +209,27 @@ fn main() -> Result<()> {
             let path1_len = header.path1_len as usize;
             let path2_len = header.path2_len as usize;
 
-            let path1_data = &data[header_len..header_len + path1_len];
-            let path2_data = &data[header_len + path1_len..header_len + path1_len + path2_len];
-
-            let path1 = std::str::from_utf8(path1_data)
-                .expect("invalid utf8 string")
-                .to_string();
-            let path2 = std::str::from_utf8(path2_data)
-                .expect("invalid utf8 string")
-                .to_string();
+            let path1_data = &data[header_len..(header_len + path1_len)];
+            let path2_data = &data[(header_len + path1_len)..(header_len + path1_len + path2_len)];
+
+            let path1 = if path1_len > 0 {
+                CStr::from_bytes_with_nul(path1_data)
+                    .expect("invalid C string")
+                    .to_str()
+                    .expect("should be valid str")
+                    .to_string()
+            } else {
+                String::new()
+            };
+            let path2 = if path2_len > 0 {
+                CStr::from_bytes_with_nul(path2_data)
+                    .expect("invalid C string")
+                    .to_str()
+                    .expect("should be valid str")
+                    .to_string()
+            } else {
+                String::new()
+            };
 
             SyscallEvent::Enter {
                 pid_tgid: header.pid_tgid,
@@ -316,5 +328,6 @@ fn main() -> Result<()> {
             }
         }
     }
+    println!("{program_total} missed events during the duration of the program");
     Ok(())
 }
