From 51372365e8a500f78ef67b261dd1b29233a31643 Mon Sep 17 00:00:00 2001 From: chenjingwen6 Date: Sat, 14 Oct 2023 12:08:13 +0800 Subject: [PATCH] secDetector: ringbuffer supports event type ringbuffer supports event type, so service can know event type without parsing text. Signed-off-by: chenjingwen6 --- .../core/response_unit/secDetector_response.c | 52 ++++++++++++------- .../include/secDetector_response_type.h | 1 + observer_agent/service/main.cpp | 19 +++---- observer_agent/service/ringbuffer.h | 6 +++ 4 files changed, 47 insertions(+), 31 deletions(-) diff --git a/kerneldriver/core/response_unit/secDetector_response.c b/kerneldriver/core/response_unit/secDetector_response.c index f525a89..dad9b3a 100644 --- a/kerneldriver/core/response_unit/secDetector_response.c +++ b/kerneldriver/core/response_unit/secDetector_response.c @@ -12,6 +12,11 @@ #include "secDetector_proc.h" #include "secDetector_ringbuffer.h" +struct response_rb_entry { + int type; + char text[]; +}; + response_func_t response_units[NR_RESPONSE] = { [RESPONSE_OK] = secDetector_ok, [RESPONSE_REPORT] = secdetector_report, @@ -35,15 +40,25 @@ void notrace secDetector_ok(response_data_t *data) void notrace secdetector_report(response_data_t *log) { int ret; + struct response_rb_entry *rb_entry; + size_t entry_size; - if (!log || !log->report_data.text) + if (!log || !log->report_data.text || log->report_data.len == 0) + return; + + entry_size = sizeof(int) + log->report_data.len; + if (entry_size < sizeof(int) || entry_size < log->report_data.len) return; - ret = secDetector_ringbuf_output(log->report_data.text, - log->report_data.len, + rb_entry = kzalloc(entry_size, GFP_KERNEL); + if (!rb_entry) + return; + + ret = secDetector_ringbuf_output(rb_entry, entry_size, BPF_RB_FORCE_WAKEUP); if (ret != 0) pr_warn("write ringbuf failed\n"); + free(rb_entry); } EXPORT_SYMBOL_GPL(secdetector_report); 
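Review bot: In `secdetector_report`, `rb_entry` is allocated with `kzalloc` and handed to `secDetector_ringbuf_output` without ever being filled, so every sample the service receives would be all zero bytes: no event type and no text. Before the output call the entry needs `rb_entry->type = log->report_data.type;` and `memcpy(rb_entry->text, log->report_data.text, log->report_data.len);`. The buffer is also released with `free(rb_entry);`, which is not the kernel allocator's counterpart to `kzalloc`; it should be `kfree(rb_entry);`. Using `sizeof(*rb_entry)` rather than `sizeof(int)` for the header size would keep `entry_size` correct if the struct gains a field. If this `notrace` response path can be reached from a hook running in atomic context (not visible in this hunk), `GFP_KERNEL` may sleep there and `GFP_ATOMIC` would be the safer flag.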
@@ -59,20 +74,17 @@ void notrace secDetector_proc_report(response_data_t *log) } EXPORT_SYMBOL_GPL(secDetector_proc_report); - - - void free_response_data_no_rd(uint32_t repsonse_id, response_data_t *rd) { if (rd == NULL) return; switch (repsonse_id) { - case RESPONSE_REPORT: - if (rd->report_data.len != 0 && rd->report_data.text != NULL) - kfree(rd->report_data.text); - break; - default: - break; + case RESPONSE_REPORT: + if (rd->report_data.len != 0 && rd->report_data.text != NULL) + kfree(rd->report_data.text); + break; + default: + break; } } @@ -81,13 +93,13 @@ void free_response_data(uint32_t repsonse_id, response_data_t *rd) if (rd == NULL) return; switch (repsonse_id) { - case RESPONSE_REPORT: - if (rd->report_data.len != 0 && rd->report_data.text != NULL) { - kfree(rd->report_data.text); - kfree(rd); - } - break; - default: - break; + case RESPONSE_REPORT: + if (rd->report_data.len != 0 && rd->report_data.text != NULL) { + kfree(rd->report_data.text); + kfree(rd); + } + break; + default: + break; } } diff --git a/kerneldriver/include/secDetector_response_type.h b/kerneldriver/include/secDetector_response_type.h index ad9c8b9..f95598c 100644 --- a/kerneldriver/include/secDetector_response_type.h +++ b/kerneldriver/include/secDetector_response_type.h @@ -18,6 +18,7 @@ enum RESPONSE_TYPE { }; struct response_report_data { + int type; char *text; size_t len; }; diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp index a300fc4..be9ba3c 100644 --- a/observer_agent/service/main.cpp +++ b/observer_agent/service/main.cpp 
@@ -22,20 +22,17 @@ #include #include #include +#include static volatile bool exiting = false; static void sig_handler(int sig) { exiting = true; } -static int ringbuf_cb(void *text, size_t len) { - if (len != 0) { - char *buf = (char *)calloc(1, len + 1); - if (!buf) { - return -ENOMEM; - } - memcpy(buf, text, len); - /* TODO: you can add function there */ - free(buf); - } +static int ringbuf_cb(struct response_rb_entry *entry, size_t entry_size) { + if (entry == NULL || entry_size <= sizeof(struct response_rb_entry)) + return -EINVAL; + + syslog(LOG_INFO, "type:%d, text:%s\n", entry->type, entry->text); + /* TODO: you can add function there */ return 0; } @@ -58,7 +55,7 @@ int main() { } while (!exiting) { - secDetector_ringbuf_poll(ringbuf_cb); + secDetector_ringbuf_poll((poll_cb)ringbuf_cb); } secDetector_ringbuf_detach(); diff --git a/observer_agent/service/ringbuffer.h b/observer_agent/service/ringbuffer.h index 599c12b..46575ca 100644 --- a/observer_agent/service/ringbuffer.h +++ b/observer_agent/service/ringbuffer.h @@ -15,7 +15,13 @@ */ #ifndef SECDETECTOR_OBSERVER_AGENT_RINGBUFFER_H #define SECDETECTOR_OBSERVER_AGENT_RINGBUFFER_H +#include + typedef int (*poll_cb)(void *sample, size_t len); +struct response_rb_entry { + int type; + char text[]; +}; extern int secDetector_ringbuf_attach(void); extern void secDetector_ringbuf_detach(void); -- Gitee
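Review bot: The `syslog` call in `ringbuf_cb` prints `entry->text` with `%s`, which assumes a NUL terminator inside the sample. The kernel side sizes the entry as `sizeof(int) + report_data.len`, and nothing visible guarantees that `len` includes a terminator, so the read can run past the end of the ring buffer record. Bounding the print to the received length avoids that: `syslog(LOG_INFO, "type:%d, text:%.*s", entry->type, (int)(entry_size - sizeof(*entry)), entry->text);`. Since the text presumably comes from monitored events, it would also be worth replacing control characters and newlines before logging, so a crafted event cannot forge extra syslog lines.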
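Review bot: The cast in `secDetector_ringbuf_poll((poll_cb)ringbuf_cb)` forces a function taking `struct response_rb_entry *` into the type `int (*)(void *, size_t)`. Calling through a function pointer of an incompatible type is undefined behaviour, and the cast also hides any future signature drift from the compiler. Keeping the callback as `static int ringbuf_cb(void *sample, size_t entry_size)` and converting inside with `auto *entry = static_cast<struct response_rb_entry *>(sample);` lets the call go back to `secDetector_ringbuf_poll(ringbuf_cb);` with no cast. The body of `main` continues outside this hunk.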
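Review bot: `struct response_rb_entry` in ringbuffer.h is a second, independent copy of the definition added to `kerneldriver/core/response_unit/secDetector_response.c`. Together they form the kernel-to-userspace wire format, and nothing ties the two copies to each other. If one side changes, the service would silently misparse samples. A single shared header, or at least a comment on both copies such as `/* Wire format of one ring buffer sample; must match the definition in secDetector_response.c */`, would make the contract explicit. The comment should also state that `text` holds `entry_size - sizeof(struct response_rb_entry)` bytes and whether a trailing NUL is included, since the consumer depends on that.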