ebpf files

Author: vsilent

src/collectors/ebpf/enrichment.rs

@@ -133,7 +133,7 @@ pub fn normalize_timestamp(ts: chrono::DateTime<chrono::Utc>) -> chrono::DateTim
 #[cfg(test)]
 mod tests {
     use super::*;
-    
+    use chrono::Utc;
     #[test]
     fn test_enricher_creation() {
         let enricher = EventEnricher::new();

src/collectors/ebpf/loader.rs

@@ -97,12 +97,15 @@ impl EbpfLoader {
             if _bytes.is_empty() {
                 return Err(LoadError::LoadFailed("Empty program bytes".to_string()));
             }
-            
-            // TODO: Implement actual loading when eBPF programs are ready
-            // For now, this is a stub that will be implemented in TASK-004
+
+            let bpf = aya::Bpf::load(_bytes)
+                .map_err(|e| LoadError::LoadFailed(e.to_string()))?;
+            self.bpf = Some(bpf);
+
+            log::info!("eBPF program loaded ({} bytes)", _bytes.len());
             Ok(())
         }
-        
+
         #[cfg(not(all(target_os = "linux", feature = "ebpf")))]
         {
             Err(LoadError::NotLinux)
@@ -132,23 +135,80 @@ impl EbpfLoader {
     pub fn attach_program(&mut self, _program_name: &str) -> Result<(), LoadError> {
         #[cfg(all(target_os = "linux", feature = "ebpf"))]
         {
-            // TODO: Implement actual attachment
-            // For now, just mark as attached
+            let (category, tp_name) = program_to_tracepoint(_program_name)
+                .ok_or_else(|| LoadError::ProgramNotFound(
+                    format!("No tracepoint mapping for '{}'", _program_name)
+                ))?;
+
+            let bpf = self.bpf.as_mut()
+                .ok_or_else(|| LoadError::LoadFailed(
+                    "No eBPF program loaded; call load_program_from_bytes first".to_string()
+                ))?;
+
+            let prog: &mut aya::programs::TracePoint = bpf
+                .program_mut(_program_name)
+                .ok_or_else(|| LoadError::ProgramNotFound(_program_name.to_string()))?
+                .try_into()
+                .map_err(|e: aya::programs::ProgramError| LoadError::AttachFailed(e.to_string()))?;
+
+            prog.load()
+                .map_err(|e| LoadError::AttachFailed(format!("load '{}': {}", _program_name, e)))?;
+
+            prog.attach(category, tp_name)
+                .map_err(|e| LoadError::AttachFailed(
+                    format!("attach '{}/{}': {}", category, tp_name, e)
+                ))?;
+
             self.loaded_programs.insert(
                 _program_name.to_string(),
-                ProgramInfo {
-                    name: _program_name.to_string(),
-                    attached: true,
-                },
+                ProgramInfo { name: _program_name.to_string(), attached: true },
             );
+
+            log::info!("eBPF program '{}' attached to {}/{}", _program_name, category, tp_name);
             Ok(())
         }
-        
+
+        #[cfg(not(all(target_os = "linux", feature = "ebpf")))]
+        {
+            Err(LoadError::NotLinux)
+        }
+    }
+
+    /// Attach all known syscall tracepoint programs
+    pub fn attach_all_programs(&mut self) -> Result<(), LoadError> {
+        #[cfg(all(target_os = "linux", feature = "ebpf"))]
+        {
+            for name in &["trace_execve", "trace_connect", "trace_openat", "trace_ptrace"] {
+                if let Err(e) = self.attach_program(name) {
+                    log::warn!("Failed to attach '{}': {}", name, e);
+                }
+            }
+            Ok(())
+        }
+
         #[cfg(not(all(target_os = "linux", feature = "ebpf")))]
         {
             Err(LoadError::NotLinux)
         }
     }
+
+    /// Extract the EVENTS ring buffer map from the loaded eBPF program.
+    /// Must be called after load_program_from_bytes and before the Bpf object is dropped.
+    #[cfg(all(target_os = "linux", feature = "ebpf"))]
+    pub fn take_ring_buf(&mut self) -> Result<aya::maps::RingBuf<aya::maps::MapData>, LoadError> {
+        let bpf = self.bpf.as_mut()
+            .ok_or_else(|| LoadError::LoadFailed(
+                "No eBPF program loaded".to_string()
+            ))?;
+
+        let map = bpf.take_map("EVENTS")
+            .ok_or_else(|| LoadError::LoadFailed(
+                "EVENTS ring buffer map not found in eBPF program".to_string()
+            ))?;
+
+        aya::maps::RingBuf::try_from(map)
+            .map_err(|e| LoadError::LoadFailed(format!("Failed to create ring buffer: {}", e)))
+    }
 
     /// Detach a program
     pub fn detach_program(&mut self, program_name: &str) -> Result<(), LoadError> {
@@ -201,8 +261,24 @@ impl EbpfLoader {
 }
 
 impl Default for EbpfLoader {
-    fn default() -> Result<Self, LoadError> {
-        Self::new()
+    fn default() -> Self {
+        Self {
+            #[cfg(all(target_os = "linux", feature = "ebpf"))]
+            bpf: None,
+            loaded_programs: HashMap::new(),
+            kernel_version: None,
+        }
+    }
+}
+
+/// Map program name to its tracepoint (category, name) for aya attachment.
+fn program_to_tracepoint(name: &str) -> Option<(&'static str, &'static str)> {
+    match name {
+        "trace_execve"  => Some(("syscalls", "sys_enter_execve")),
+        "trace_connect" => Some(("syscalls", "sys_enter_connect")),
+        "trace_openat"  => Some(("syscalls", "sys_enter_openat")),
+        "trace_ptrace"  => Some(("syscalls", "sys_enter_ptrace")),
+        _ => None,
     }
 }
 

src/collectors/ebpf/ring_buffer.rs

@@ -59,6 +59,11 @@ impl EventRingBuffer {
         self.capacity
     }
 
+    /// View events without consuming them
+    pub fn events(&self) -> &[SyscallEvent] {
+        &self.buffer
+    }
+
     /// Clear the buffer
     pub fn clear(&mut self) {
         self.buffer.clear();

src/collectors/ebpf/syscall_monitor.rs

@@ -12,7 +12,10 @@ use crate::collectors::ebpf::container::ContainerDetector;
 pub struct SyscallMonitor {
     #[cfg(all(target_os = "linux", feature = "ebpf"))]
     loader: Option<super::loader::EbpfLoader>,
-    
+
+    #[cfg(all(target_os = "linux", feature = "ebpf"))]
+    ring_buf: Option<aya::maps::RingBuf<aya::maps::MapData>>,
+
     running: bool,
     event_buffer: EventRingBuffer,
     enricher: EventEnricher,
@@ -34,6 +37,7 @@ impl SyscallMonitor {
 
             Ok(Self {
                 loader: Some(loader),
+                ring_buf: None,
                 running: false,
                 event_buffer: EventRingBuffer::with_capacity(8192),
                 enricher,
@@ -54,15 +58,36 @@ impl SyscallMonitor {
             if self.running {
                 anyhow::bail!("Monitor is already running");
             }
-            
-            // TODO: Actually start eBPF programs in TASK-004
-            // For now, just mark as running
+
+            if let Some(loader) = &mut self.loader {
+                let ebpf_path = "target/bpfel-unknown-none/release/stackdog";
+                match loader.load_program_from_file(ebpf_path) {
+                    Ok(()) => {
+                        loader.attach_all_programs().unwrap_or_else(|e| {
+                            log::warn!("Some eBPF programs failed to attach: {}", e);
+                        });
+                        match loader.take_ring_buf() {
+                            Ok(rb) => { self.ring_buf = Some(rb); }
+                            Err(e) => { log::warn!("Failed to get eBPF ring buffer: {}", e); }
+                        }
+                    }
+                    Err(e) => {
+                        log::warn!(
+                            "eBPF program not found at '{}': {}. \
+                             Running without kernel event collection — \
+                             build the eBPF crate first with `cargo build --release` \
+                             in the ebpf/ directory.",
+                            ebpf_path, e
+                        );
+                    }
+                }
+            }
+
             self.running = true;
-            
             log::info!("Syscall monitor started");
             Ok(())
         }
-        
+
         #[cfg(not(all(target_os = "linux", feature = "ebpf")))]
         {
             anyhow::bail!("SyscallMonitor is only available on Linux");
@@ -73,7 +98,10 @@ impl SyscallMonitor {
     pub fn stop(&mut self) -> Result<()> {
         self.running = false;
         self.event_buffer.clear();
-        
+        #[cfg(all(target_os = "linux", feature = "ebpf"))]
+        {
+            self.ring_buf = None;
+        }
         log::info!("Syscall monitor stopped");
         Ok(())
     }
@@ -90,25 +118,39 @@ impl SyscallMonitor {
             if !self.running {
                 return Vec::new();
             }
-            
-            // TODO: Actually poll eBPF ring buffer in TASK-004
-            // For now, drain from internal buffer
+
+            // Drain the eBPF ring buffer into the staging buffer
+            if let Some(rb) = &mut self.ring_buf {
+                while let Some(item) = rb.next() {
+                    let bytes: &[u8] = &item;
+                    if bytes.len() >= std::mem::size_of::<super::types::EbpfSyscallEvent>() {
+                        // SAFETY: We verified the byte length matches the struct size,
+                        // and EbpfSyscallEvent is #[repr(C)] with no padding surprises.
+                        let raw: super::types::EbpfSyscallEvent = unsafe {
+                            std::ptr::read_unaligned(
+                                bytes.as_ptr() as *const super::types::EbpfSyscallEvent
+                            )
+                        };
+                        self.event_buffer.push(raw.to_syscall_event());
+                    }
+                }
+            }
+
+            // Drain the staging buffer and enrich with /proc info
             let mut events = self.event_buffer.drain();
-            
-            // Enrich events
             for event in &mut events {
                 let _ = self.enricher.enrich(event);
             }
-            
+
             events
         }
-        
+
         #[cfg(not(all(target_os = "linux", feature = "ebpf")))]
         {
             Vec::new()
         }
     }
-    
+
     /// Get events without consuming them
     pub fn peek_events(&self) -> &[SyscallEvent] {
         self.event_buffer.events()