-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
92 lines (75 loc) · 2.41 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
package main
import (
"os"
"log"
"unsafe"
"regexp"
"strings"
"github.com/cilium/ebpf/rlimit"
"github.com/cilium/ebpf/link"
"github.com/cilium/ebpf/perf"
)
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go postgres postgres.c
var re *regexp.Regexp
var keywords = []string{"SELECT", "INSERT INTO", "UPDATE", "DELETE FROM", "CREATE TABLE", "ALTER TABLE", "DROP TABLE", "TRUNCATE TABLE", "BEGIN", "COMMIT", "ROLLBACK", "SAVEPOINT", "CREATE INDEX", "DROP INDEX", "CREATE VIEW", "DROP VIEW", "GRANT", "REVOKE", "EXECUTE"}
var pgObjs postgresObjects
func main() {
// Allow the current process to lock memory for eBPF resources.
if err := rlimit.RemoveMemlock(); err != nil {
log.Fatal(err)
}
// Load pre-compiled programs and maps into the kernel.
pgObjs = postgresObjects{}
if err := loadPostgresObjects(&pgObjs, nil); err != nil {
log.Fatal(err)
}
w, err := link.Tracepoint("syscalls", "sys_enter_write", pgObjs.HandleWrite, nil)
if err != nil {
log.Fatal("link sys_enter_write tracepoint")
}
defer w.Close()
r, err := link.Tracepoint("syscalls", "sys_enter_read", pgObjs.HandleRead, nil)
if err != nil {
log.Fatal("link sys_enter_read tracepoint")
}
defer r.Close()
rexit, err := link.Tracepoint("syscalls", "sys_exit_read", pgObjs.HandleReadExit, nil)
if err != nil {
log.Fatal("link sys_exit_read tracepoint")
}
defer rexit.Close()
L7EventsReader, err := perf.NewReader(pgObjs.L7Events, int(4096)*os.Getpagesize())
if err != nil {
log.Fatal("error creating perf event array reader")
}
// Case-insensitive matching
re = regexp.MustCompile(strings.Join(keywords, "|"))
pgStatements := make(map[string]string)
for {
var record perf.Record
err := L7EventsReader.ReadInto(&record)
if err != nil {
log.Print("error reading from perf array")
}
if record.LostSamples != 0 {
log.Printf("lost samples l7-event %d", record.LostSamples)
}
if record.RawSample == nil || len(record.RawSample) == 0 {
log.Print("read sample l7-event nil or empty")
return
}
l7Event := (*bpfL7Event)(unsafe.Pointer(&record.RawSample[0]))
protocol := L7ProtocolConversion(l7Event.Protocol).String()
// copy payload slice
payload := [1024]uint8{}
copy(payload[:], l7Event.Payload[:])
if (protocol == "POSTGRES") {
out, err := parseSqlCommand(l7Event, &pgStatements)
if err != nil {
log.Printf("Error parsing sql command: %s", err)
} else {
log.Printf("%s", out)
}
}
}
}