1. symbolyze.Scanner now implements the RunEvery(time.Duration) method
that will call scanner.Run() periodically. It should be called to
run in its own goroutine. The loop can be stopped by calling
scanner.Stop().
2. The scanner now collects all errors from all observers in a private
error type `errors []error`. It's Error() returns a cumulated list of
errors, seperated by a newline.
symbolyze.go has been simplified and cleaned up. It now also is documented,
f.e.:
% go doc Scanner
package symbolyze // import "."
type Scanner struct {
*log.Logger // Embedded logger
// Has unexported fields.
}
Scanner represents an engine for scanning for a specific symbol in all
ELF-files matching a certain pattern. The pattern is described in
fileapth.Match().
Once a Scanner is created with New(), it should be populated with Observer
functions using OnFound(). Optionally, the scanner can be put into debugging
mode by a call to DebugOn() prior to a call to Run().
A call to Scanner.Run() then starts the engine and it will scan all pids in
/proc. Whenever a match is found, all observers will be called with the
(pid, offset), concurrently.
func New(symbol, pathglob string) *Scanner
func (S *Scanner) DebugOn()
func (S *Scanner) OnFound(fun Observer)
func (S *Scanner) Run() error
symbolyze/ now contains a module that exposes a Finder type with a
simple API, like:
finder := symbolyze.New("_PyRuntime", "*python3*")
finder.Debug(true)
finder.OnFound(mapFD.Set)
finder.Run()
Instead of writing (pid, offset) directly to a eBPF-map, it implements
an observer-pattern and expects a callback.
TODOs/next steps:
- Write documentation
- Add tests
- Experiment and re-evaluate design
main.go:
- reading /proc
- iteration over entries in NNN/maps
- filter glob-search for "*python3*" in pathname
- find symbol and its offset in pathnanme
- calculate offset in memory
- add pid and offset to map
TODO: encapsulating this into a module
ebpf.go:
- added type MapFD int, changing all function on a FD to methods
This allows us to enrich the data type going forward
- added bpf_update_elem() from the manpage ebpf2.
.updateElement() is the verbatim wrapper to it.
- added .Add/.Change/.Set methods, which call .updateElement
with specific flags
TODO: re-implement ebpf.go with pure go, using direct syscalls.
