1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
|
package probemanager
import (
"errors"
"fmt"
"sort"
"strings"
"sync"
)
// Link abstracts an attached tracepoint link.
type Link interface {
Destroy() error
}
// Program abstracts a loadable BPF program that can attach to a tracepoint.
type Program interface {
AttachTracepoint(category, name string) (Link, error)
}
// Attacher resolves BPF programs by name.
type Attacher interface {
GetProgram(name string) (Program, error)
}
// ProbeState is an immutable view used by callers/UI.
type ProbeState struct {
Syscall string
Active bool
Error string
}
type probeEntry struct {
syscall string
enterTP string
exitTP string
enterLink Link
exitLink Link
active bool
lastErr error
}
// Manager tracks probe attach/detach state for grouped syscall tracepoints.
type Manager struct {
mu sync.Mutex
attacher Attacher
probes map[string]*probeEntry
closed bool
}
// NewManager creates a new probe manager that resolves programs via attacher.
func NewManager(attacher Attacher) *Manager {
return &Manager{
attacher: attacher,
probes: make(map[string]*probeEntry),
}
}
// Register registers the enter/exit tracepoint pair for a syscall key.
func (m *Manager) Register(syscall string, pair TracepointPair) {
if m == nil || syscall == "" {
return
}
m.mu.Lock()
defer m.mu.Unlock()
entry, ok := m.probes[syscall]
if !ok {
entry = &probeEntry{syscall: syscall}
m.probes[syscall] = entry
}
entry.enterTP = pair.Enter
entry.exitTP = pair.Exit
}
// AttachAll registers and attaches all tracepoint pairs selected by shouldAttach.
func (m *Manager) AttachAll(shouldAttach func(string) bool, tpNames []string) error {
if m == nil {
return errors.New("probe manager is nil")
}
if shouldAttach == nil {
shouldAttach = func(string) bool { return true }
}
groups := GroupTracepoints(tpNames)
for syscall, pair := range groups {
m.Register(syscall, pair)
if !shouldAttach(pair.Enter) && !shouldAttach(pair.Exit) {
continue
}
if err := m.Attach(syscall); err != nil {
return err
}
}
return nil
}
// Toggle flips a syscall probe between attached and detached states.
func (m *Manager) Toggle(syscall string) error {
if m == nil {
return errors.New("probe manager is nil")
}
if syscall == "" {
return errors.New("syscall is required")
}
m.mu.Lock()
entry, err := m.entryLocked(syscall)
if err != nil {
m.mu.Unlock()
return err
}
active := entry.active
m.mu.Unlock()
if active {
return m.Detach(syscall)
}
return m.Attach(syscall)
}
// Attach attaches enter/exit tracepoints for a registered syscall.
func (m *Manager) Attach(syscall string) error {
if syscall == "" {
return errors.New("syscall is required")
}
m.mu.Lock()
entry, err := m.entryLocked(syscall)
if err != nil {
m.mu.Unlock()
return err
}
if entry.active {
m.mu.Unlock()
return nil
}
enterTP := entry.enterTP
exitTP := entry.exitTP
attacher := m.attacher
m.mu.Unlock()
enterLink, exitLink, attachErr := attachPair(attacher, enterTP, exitTP)
m.mu.Lock()
defer m.mu.Unlock()
entry, err = m.entryLocked(syscall)
if err != nil {
return errors.Join(
err,
destroyLink(fmt.Sprintf("cleanup enter %s", syscall), enterLink),
destroyLink(fmt.Sprintf("cleanup exit %s", syscall), exitLink),
)
}
if attachErr != nil {
entry.lastErr = attachErr
entry.active = entry.enterLink != nil || entry.exitLink != nil
return attachErr
}
entry.enterLink = enterLink
entry.exitLink = exitLink
entry.lastErr = nil
entry.active = enterLink != nil || exitLink != nil
return nil
}
// Detach detaches enter/exit tracepoints for a registered syscall.
func (m *Manager) Detach(syscall string) error {
if syscall == "" {
return errors.New("syscall is required")
}
m.mu.Lock()
entry, err := m.entryLocked(syscall)
if err != nil {
m.mu.Unlock()
return err
}
enterLink := entry.enterLink
exitLink := entry.exitLink
m.mu.Unlock()
var errs []string
enterErr := error(nil)
if enterLink != nil {
if err := enterLink.Destroy(); err != nil {
enterErr = err
errs = append(errs, fmt.Sprintf("detach enter %s: %v", syscall, err))
}
}
exitErr := error(nil)
if exitLink != nil {
if err := exitLink.Destroy(); err != nil {
exitErr = err
errs = append(errs, fmt.Sprintf("detach exit %s: %v", syscall, err))
}
}
m.mu.Lock()
defer m.mu.Unlock()
entry, err = m.entryLocked(syscall)
if err != nil {
return err
}
if enterErr == nil {
entry.enterLink = nil
}
if exitErr == nil {
entry.exitLink = nil
}
entry.active = entry.enterLink != nil || entry.exitLink != nil
if len(errs) == 0 {
entry.lastErr = nil
return nil
}
combined := errors.New(strings.Join(errs, "; "))
entry.lastErr = combined
return combined
}
// States returns a stable snapshot of all known probe states.
func (m *Manager) States() []ProbeState {
if m == nil {
return nil
}
m.mu.Lock()
defer m.mu.Unlock()
out := make([]ProbeState, 0, len(m.probes))
for syscall, entry := range m.probes {
state := ProbeState{
Syscall: syscall,
Active: entry.active,
}
if entry.lastErr != nil {
state.Error = entry.lastErr.Error()
}
out = append(out, state)
}
sort.Slice(out, func(i, j int) bool { return out[i].Syscall < out[j].Syscall })
return out
}
// ActiveCount returns the number of active probes and total registered probes.
func (m *Manager) ActiveCount() (active, total int) {
if m == nil {
return 0, 0
}
m.mu.Lock()
defer m.mu.Unlock()
total = len(m.probes)
for _, entry := range m.probes {
if entry.active {
active++
}
}
return active, total
}
// IsActive reports whether the syscall probe is currently active.
func (m *Manager) IsActive(syscall string) bool {
if m == nil || syscall == "" {
return false
}
m.mu.Lock()
defer m.mu.Unlock()
entry, ok := m.probes[syscall]
if !ok {
return false
}
return entry.active
}
// Close detaches all registered probes and marks the manager closed.
func (m *Manager) Close() error {
if m == nil {
return nil
}
m.mu.Lock()
if m.closed {
m.mu.Unlock()
return nil
}
type pairLinks struct {
syscall string
enterLink Link
exitLink Link
}
links := make([]pairLinks, 0, len(m.probes))
for syscall, entry := range m.probes {
links = append(links, pairLinks{
syscall: syscall,
enterLink: entry.enterLink,
exitLink: entry.exitLink,
})
entry.enterLink = nil
entry.exitLink = nil
entry.active = false
entry.lastErr = nil
}
m.closed = true
m.mu.Unlock()
var firstErr error
for _, l := range links {
var errForSyscall error
if l.enterLink != nil {
if err := l.enterLink.Destroy(); err != nil {
errForSyscall = err
if firstErr == nil {
firstErr = err
}
}
}
if l.exitLink != nil {
if err := l.exitLink.Destroy(); err != nil {
if errForSyscall == nil {
errForSyscall = err
}
if firstErr == nil {
firstErr = err
}
}
}
m.setLastError(l.syscall, errForSyscall)
}
return firstErr
}
func (m *Manager) entryLocked(syscall string) (*probeEntry, error) {
if m.closed {
return nil, errors.New("probe manager is closed")
}
if m.attacher == nil {
return nil, errors.New("probe manager has no attacher")
}
entry, ok := m.probes[syscall]
if !ok {
return nil, fmt.Errorf("unknown syscall %q", syscall)
}
return entry, nil
}
func (m *Manager) setLastError(syscall string, err error) {
m.mu.Lock()
defer m.mu.Unlock()
entry, ok := m.probes[syscall]
if !ok {
return
}
entry.lastErr = err
}
func attachPair(attacher Attacher, enterTP, exitTP string) (Link, Link, error) {
enterLink, err := attachOne(attacher, enterTP)
if err != nil {
return nil, nil, err
}
exitLink, err := attachOne(attacher, exitTP)
if err != nil {
return nil, nil, errors.Join(err, destroyLink("cleanup enter link after exit attach failure", enterLink))
}
return enterLink, exitLink, nil
}
func destroyLink(action string, link Link) error {
if link == nil {
return nil
}
if err := link.Destroy(); err != nil {
return fmt.Errorf("%s: %w", action, err)
}
return nil
}
func attachOne(attacher Attacher, tracepoint string) (Link, error) {
if tracepoint == "" {
return nil, nil
}
progName := "handle_" + tracepoint
prog, err := attacher.GetProgram(progName)
if err != nil {
return nil, fmt.Errorf("get program %s: %w", progName, err)
}
link, err := prog.AttachTracepoint("syscalls", tracepoint)
if err != nil {
return nil, fmt.Errorf("attach %s: %w", tracepoint, err)
}
return link, nil
}
|
