RubyGems - vivarium - Versions diffs - 0.1.1 → 0.1.2 - Mend

vivarium 0.1.1 → 0.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

checksums.yaml +4 -4
data/README.md +14 -3
data/examples/network_client_demo.rb +76 -0
data/lib/vivarium/logger.rb +2 -2
data/lib/vivarium/version.rb +1 -1
data/lib/vivarium.rb +419 -19
data/sig/vivarium.rbs +11 -0
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 1bc495e3c2b8f9d99a2b1c84706b5e00913cc08831b3103b0460db0d4027c77b
-  data.tar.gz: 1ee086243fdc153da5bac6a2bec8d0afe8e644ceac2fef2308b7723b89533338
+  metadata.gz: 2fb7901d1f200e910b88b75fd8ba54cbaa2d6cf2152c31e35b6f790e8b9150e5
+  data.tar.gz: 045c6ef47acb148605a7dd7cbbda5526d82d3548191135baedecaa5d09840f25
 SHA512:
-  metadata.gz: a203dd1cbaeff9fe0f4bf464a01ff49f131a104ca9e1eb14b6c08dd4371f49acf31c493119eee70114cafacbc6aa8a42976a9e6c230b1d828fe442e738c57c54
-  data.tar.gz: a31a64e20f2f7d0956626658b5d6f91e0cd5333f97854ad3388c41cc0d3b0b8d233850c3bdaaf60663c9152d6cf35e4034355e37c50fc913687ad05295dffaba
+  metadata.gz: 9042d44b860bde781d512e36367bfc178a74dd57c6ae6be49c5cea73ec4fbd8b621382ace5d0e1b18188e36bae41d3f5e7e273fd8e019c1ec88820f95653b255
+  data.tar.gz: 9c22285362cea0fe871af6c1f67a66eeb85556a52c5f6aabe93da2b20daa51cbf6528df9021ead0fbb2acdcb152bbee60a1a873c9d7a9b75b1edc8ea244c6016

data/README.md CHANGED Viewed

@@ -18,10 +18,13 @@ The goal is to visualize which Ruby method context triggered low-level events.
 Implemented in this repository:
 - BPF LSM hook on `file_open`
+- BPF LSM hook on `socket_create` (flags unusual socket creation as `odd_socket`)
+- BPF LSM hook on `socket_connect` (captures destination family/address/port as `sock_connect`)
+- BPF kprobe on `ip_local_out` (captures UDP/53 DNS QNAME raw bytes as `dns_req`)
 - Shared pinned maps on bpffs
 	- `config_root_targets` (root PID -> 0/1)
 	- `config_spawned_targets` (spawned TID -> 0/1)
-	- `event_invoked` (array length 64 with `event_t` records)
+	- `event_invoked` (array length 1024 with `event_t` records)
 	- `event_write_pos` (cursor for appending into `event_invoked`)
 - Ruby API `Vivarium.observe do ... end`
 	- Registers current PID to `config_root_targets`
@@ -36,8 +39,8 @@ Implemented in this repository:
 ```c
 struct event_t {
 	u32 pid;
-	char event_name[8];   // "path_open"
-	char payload[64];     // opened path (truncated)
+	char event_name[16];
+	char payload[256];
 };
 ```
@@ -81,6 +84,14 @@ Vivarium.observe do
 end
 ```
+3) Network monitoring demo client:
+```bash
+bundle exec ruby examples/network_client_demo.rb
+```
+This demo intentionally triggers `sock_connect`, `dns_req`, and `odd_socket` events.
 You can also start top-level observation without a block (it keeps observing until process exit):
 ```ruby

data/examples/network_client_demo.rb ADDED Viewed

@@ -0,0 +1,76 @@
+#!/usr/bin/env ruby
+# frozen_string_literal: true
+require "socket"
+require "vivarium"
+# Usage:
+#   1) In another shell (root): sudo bundle exec vivariumd
+#   2) Run this script: bundle exec ruby examples/network_client_demo.rb
+def try_step(title)
+  puts "[client] #{title}"
+  yield
+rescue StandardError => e
+  puts "[client] #{title} failed: #{e.class}: #{e.message}"
+end
+Vivarium.observe do
+  # Likely emits sock_connect and dns_req via resolver traffic.
+  try_step("system: DNS lookup") do
+    system("getent hosts example.com >/dev/null 2>&1 || true")
+    system("getent hosts unknown.example.com >/dev/null 2>&1 || true")
+  end
+  # Likely emits sock_connect through HTTPS connection attempts.
+  try_step("system: curl") do
+    system("curl -I https://example.com >/dev/null 2>&1 || true")
+  end
+  # ICMP example (may require CAP_NET_RAW / root depending on environment).
+  try_step("system: ping") do
+    system("ping -c 1 example.com >/dev/null 2>&1 || true")
+  end
+  # Explicit connect path.
+  try_step("Ruby TCP connect") do
+    sock = TCPSocket.new("example.com", 80)
+    sock.close
+  end
+  # Raw DNS query payload, useful for dns_req decode testing.
+  try_step("Ruby UDP DNS query") do
+    dns_query = "\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" +
+                "\x09udp-query\x07example\x03com\x00" +
+                "\x00\x01\x00\x01"
+    udp = UDPSocket.new
+    begin
+      udp.connect("127.0.0.53", 53)
+    rescue StandardError
+      udp.connect("8.8.8.8", 53)
+    end
+    udp.send(dns_query, 0)
+    udp.close
+  end
+  # Explicit sendto path for DNS payload visibility.
+  try_step("Ruby UDP sendto DNS query") do
+    dns_query = "\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" +
+                "\x06sendto\x07example\x03com\x00" +
+                "\x00\x01\x00\x01"
+    udp = UDPSocket.new
+    udp.send(dns_query, 0, "127.0.0.53", 53)
+    udp.close
+  end
+  # Intentionally unusual socket type to trigger odd_socket.
+  try_step("Ruby odd socket attempt") do
+    af_packet = Socket.const_defined?(:AF_PACKET) ? Socket::AF_PACKET : 17
+    raw = Socket.new(af_packet, Socket::SOCK_RAW, 0)
+    raw.close
+  end
+end
+puts "[client] done"

data/lib/vivarium/logger.rb CHANGED Viewed

@@ -45,7 +45,7 @@ module Vivarium
       @io.puts "[vivarium] #{events.size} event(s) at #{tp.defined_class}##{tp.method_id} (#{tp.event})"
       @io.puts "  location: #{tp.path}:#{tp.lineno}"
       events.each do |event|
-        @io.puts "  pid=#{event.pid} #{event.event_name} payload=#{event.payload.inspect}"
+        @io.puts "  ktime_ns=#{event.ktime_ns} pid=#{event.pid} #{event.event_name} payload=#{Vivarium.render_event_payload(event)}"
       end
       @io.puts "  stack:"
       stack.each do |loc|
@@ -59,7 +59,7 @@ module Vivarium
         event:  tp.event.to_s,
         path:   tp.path,
         lineno: tp.lineno,
-        events: events.map { |e| { pid: e.pid, event_name: e.event_name, payload: e.payload } },
+        events: events.map { |e| { ktime_ns: e.ktime_ns, pid: e.pid, event_name: e.event_name, payload: Vivarium.render_event_payload(e) } },
         stack:  stack.map { |loc| "#{loc.path}:#{loc.lineno}:in #{loc.base_label}" }
       }
       @io.puts JSON.generate(entry)

data/lib/vivarium/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Vivarium
-  VERSION = "0.1.1"
+  VERSION = "0.1.2"
 end

data/lib/vivarium.rb CHANGED Viewed

@@ -5,6 +5,7 @@ require "fileutils"
 require "optparse"
 require "pathname"
 require "rbbcc"
+require "socket"
 require_relative "vivarium/version"
 require_relative "vivarium/logger"
@@ -20,8 +21,13 @@ module Vivarium
   EVENT_NAME_SIZE = 16
   EVENT_PAYLOAD_SIZE = 256
-  EVENT_STRUCT_SIZE = 4 + EVENT_NAME_SIZE + EVENT_PAYLOAD_SIZE
-  EVENT_CAPACITY = 64
+  EVENT_TS_SIZE = 8
+  EVENT_STRUCT_SIZE = 288
+  EVENT_TS_OFFSET = 0
+  EVENT_PID_OFFSET = 8
+  EVENT_NAME_OFFSET = 12
+  EVENT_PAYLOAD_OFFSET = 28
+  EVENT_CAPACITY = 1024
   @bpf_pin_dir = PIN_DIR
@@ -33,20 +39,26 @@ module Vivarium
     end
   end
-  Event = Struct.new(:pid, :event_name, :payload, keyword_init: true) do
+  Event = Struct.new(:ktime_ns, :pid, :event_name, :payload, keyword_init: true) do
     def empty?
-      pid.to_i.zero? && event_name.to_s.empty? && payload.to_s.empty?
+      ktime_ns.to_i.zero? && pid.to_i.zero? && event_name.to_s.empty? && payload.to_s.empty?
     end
     def self.from_binary(raw)
       bytes = raw.to_s.b
       bytes = bytes.ljust(EVENT_STRUCT_SIZE, "\x00")
-      pid = bytes[0, 4].unpack1("L<")
-      event_name = c_string(bytes[4, EVENT_NAME_SIZE])
-      payload = c_string(bytes[4 + EVENT_NAME_SIZE, EVENT_PAYLOAD_SIZE])
-      new(pid: pid, event_name: event_name, payload: payload)
+      ktime_ns = bytes[EVENT_TS_OFFSET, EVENT_TS_SIZE].unpack1("Q<")
+      pid = bytes[EVENT_PID_OFFSET, 4].unpack1("L<")
+      event_name = c_string(bytes[EVENT_NAME_OFFSET, EVENT_NAME_SIZE])
+      raw_payload = bytes[EVENT_PAYLOAD_OFFSET, EVENT_PAYLOAD_SIZE]
+      payload = if %w[dns_req sock_connect odd_socket].include?(event_name)
+                  raw_payload
+                else
+                  c_string(raw_payload)
+                end
+      new(ktime_ns: ktime_ns, pid: pid, event_name: event_name, payload: payload)
     end
     def self.c_string(bytes)
@@ -58,6 +70,95 @@ module Vivarium
     end
   end
+  def self.decode_dns_qname(raw_payload)
+    bytes = raw_payload.to_s.b.bytes
+    labels = []
+    idx = 0
+    while idx < bytes.length
+      length = bytes[idx]
+      break if length.nil? || length.zero?
+      break if length > 63
+      idx += 1
+      break if (idx + length) > bytes.length
+      label = bytes[idx, length].pack("C*")
+      labels << label
+      idx += length
+    end
+    return "" if labels.empty?
+    labels.join(".")
+  end
+  def self.decode_sock_connect_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 20
+    family = bytes[0, 2].unpack1("S<")
+    port = bytes[2, 2].unpack1("n")
+    addr = bytes[4, 16]
+    case family
+    when 2 # AF_INET
+      ipv4 = addr[0, 4].bytes.join(".")
+      "#{ipv4}:#{port} (#{socket_const_name("AF_", family)})"
+    when 10 # AF_INET6
+      words = addr.unpack("n8")
+      ipv6 = words.map { |w| format("%x", w) }.join(":")
+      "[#{ipv6}]:#{port} (#{socket_const_name("AF_", family)})"
+    else
+      "family=#{family}(#{socket_const_name("AF_", family)}) port=#{port}"
+    end
+  end
+  def self.decode_odd_socket_payload(raw_payload)
+    bytes = raw_payload.to_s.b
+    return "" if bytes.bytesize < 6
+    family = bytes[0, 2].unpack1("S<")
+    type = bytes[2, 2].unpack1("S<")
+    protocol = bytes[4, 2].unpack1("S<")
+    family_name = socket_const_name("AF_", family)
+    type_name = socket_const_name("SOCK_", type)
+    protocol_name = socket_const_name("IPPROTO_", protocol)
+    "family=#{family}(#{family_name}) type=#{type}(#{type_name}) protocol=#{protocol}(#{protocol_name})"
+  end
+  def self.socket_const_name(prefix, value)
+    return "UNKNOWN" unless defined?(Socket)
+    key = Socket.constants.find do |name|
+      name.to_s.start_with?(prefix) && Socket.const_get(name) == value
+    rescue NameError
+      false
+    end
+    key ? key.to_s : "UNKNOWN"
+  end
+  def self.decode_bad_socket_payload(raw_payload)
+    decode_odd_socket_payload(raw_payload)
+  end
+  def self.render_event_payload(event)
+    case event.event_name
+    when "dns_req"
+      decoded = decode_dns_qname(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "sock_connect"
+      decoded = decode_sock_connect_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    when "odd_socket"
+      decoded = decode_odd_socket_payload(event.payload)
+      decoded.empty? ? event.payload.inspect : decoded
+    else
+      event.payload.inspect
+    end
+  end
   class MapStore
     def initialize(pin_dir: Vivarium.bpf_pin_dir)
       @pin_dir = pin_dir
@@ -132,6 +233,23 @@ module Vivarium
   class Daemon
     BPF_PROGRAM_TEMPLATE = <<~CLANG
+      #include <linux/socket.h>
+      #include <uapi/linux/in.h>
+      #include <uapi/linux/in6.h>
+      #include <uapi/linux/ip.h>
+      #include <uapi/linux/udp.h>
+      #ifndef SOCK_STREAM
+      #define SOCK_STREAM 1
+      #endif
+      #ifndef SOCK_DGRAM
+      #define SOCK_DGRAM 2
+      #endif
+      struct net;
+      struct sock;
+      struct sk_buff;
       struct path {
         void *mnt;
         void *dentry;
@@ -141,7 +259,62 @@ module Vivarium
         struct path f_path;
       };
+      struct sockaddr_t {
+        u16 sa_family;
+        unsigned char sa_data[14];
+      };
+      struct sockaddr_in_t {
+        u16 sin_family;
+        u16 sin_port;
+        u32 sin_addr;
+        unsigned char pad[8];
+      };
+      struct sockaddr_in6_t {
+        u16 sin6_family;
+        u16 sin6_port;
+        u32 sin6_flowinfo;
+        unsigned char sin6_addr[16];
+        u32 sin6_scope_id;
+      };
+      struct sockaddr_port_t {
+        u16 family;
+        u16 port;
+      };
+      struct iovec_t {
+        void *iov_base;
+        unsigned long iov_len;
+      };
+      struct user_msghdr_t {
+        void *msg_name;
+        int msg_namelen;
+        struct iovec_t *msg_iov;
+        unsigned long msg_iovlen;
+        void *msg_control;
+        unsigned long msg_controllen;
+        unsigned int msg_flags;
+      };
+      struct mmsghdr_t {
+        struct user_msghdr_t msg_hdr;
+        unsigned int msg_len;
+      };
+      struct sk_buff_t {
+        unsigned char *head;
+        unsigned char *data;
+        u32 len;
+        u16 mac_header;
+        u16 network_header;
+        u16 transport_header;
+      };
       struct event_t {
+        u64 ktime_ns;
         u32 pid;
         char event_name[16];
         char payload[#{EVENT_PAYLOAD_SIZE}];
@@ -149,7 +322,8 @@ module Vivarium
       BPF_HASH(config_root_targets, u32, u8, 1024);
       BPF_HASH(config_spawned_targets, u32, u8, 8192);
-      BPF_ARRAY(event_invoked, struct event_t, 1024);
+      BPF_HASH(dns_connected_tids, u32, u8, 8192);
+      BPF_ARRAY(event_invoked, struct event_t, #{EVENT_CAPACITY});
       BPF_ARRAY(event_write_pos, u32, 1);
       static __always_inline int target_enabled(u32 pid, u32 tid)
@@ -167,6 +341,61 @@ module Vivarium
         return 0;
       }
+      static __always_inline void submit_event(struct event_t *ev)
+      {
+        u32 zero = 0;
+        u32 *write_pos = event_write_pos.lookup(&zero);
+        if (!write_pos) {
+          return;
+        }
+        ev->ktime_ns = bpf_ktime_get_ns();
+        u32 idx = *write_pos % #{EVENT_CAPACITY};
+        __sync_fetch_and_add(write_pos, 1);
+        event_invoked.update(&idx, ev);
+      }
+      static __always_inline int is_dns_destination(void *addr)
+      {
+        u16 family = 0;
+        bpf_probe_read_user(&family, sizeof(family), addr);
+        if (family == AF_INET) {
+          struct sockaddr_in_t sin = {};
+          bpf_probe_read_user(&sin, sizeof(sin), addr);
+          return sin.sin_port == __constant_htons(53);
+        }
+        if (family == AF_INET6) {
+          struct sockaddr_in6_t sin6 = {};
+          bpf_probe_read_user(&sin6, sizeof(sin6), addr);
+          return sin6.sin6_port == __constant_htons(53);
+        }
+        return 0;
+      }
+      static __always_inline void submit_dns_req(u32 pid, unsigned char *payload, unsigned int payload_len)
+      {
+        unsigned int copy_len = payload_len;
+        if (copy_len <= 12) {
+          return;
+        }
+        copy_len -= 12;
+        if (copy_len > 64) {
+          copy_len = 64;
+        }
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "dns_req", 8);
+        bpf_probe_read_user(&ev.payload[0], copy_len, payload + 12);
+        submit_event(&ev);
+      }
       TRACEPOINT_PROBE(sched, sched_process_fork)
       {
         u32 parent = args->parent_pid;
@@ -191,6 +420,7 @@ module Vivarium
       {
         u32 tid = (u32)bpf_get_current_pid_tgid();
         config_spawned_targets.delete(&tid);
+        dns_connected_tids.delete(&tid);
         return 0;
       }
@@ -204,14 +434,6 @@ module Vivarium
           return 0;
         }
-        u32 zero = 0;
-        u32 *write_pos = event_write_pos.lookup(&zero);
-        if (!write_pos) {
-          return 0;
-        }
-        u32 idx = *write_pos & 1023;
-        __sync_fetch_and_add(write_pos, 1);
         struct event_t ev = {};
         int path_ret;
         ev.pid = pid;
@@ -226,7 +448,185 @@ module Vivarium
         }
         bpf_trace_printk("vivarium: pid=%d path=%s\\n", pid, ev.payload);
-        event_invoked.update(&idx, &ev);
+        submit_event(&ev);
+        return 0;
+      }
+      LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+        if ((family == AF_INET || family == AF_INET6) && (type == SOCK_STREAM || type == SOCK_DGRAM)) {
+          return 0;
+        }
+        struct event_t ev = {};
+        u16 family16 = family;
+        u16 type16 = type;
+        u16 proto16 = protocol;
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "odd_socket", 11);
+        __builtin_memcpy(&ev.payload[0], &family16, sizeof(family16));
+        __builtin_memcpy(&ev.payload[2], &type16, sizeof(type16));
+        __builtin_memcpy(&ev.payload[4], &proto16, sizeof(proto16));
+        submit_event(&ev);
+        return 0;
+      }
+      LSM_PROBE(socket_connect, struct socket *sock, struct sockaddr *address, int addrlen)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        u16 family = 0;
+        u8 one = 1;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+        if (!address) {
+          return 0;
+        }
+        bpf_probe_read_kernel(&family, sizeof(family), address);
+        struct event_t ev = {};
+        ev.pid = pid;
+        __builtin_memcpy(ev.event_name, "sock_connect", 13);
+        __builtin_memcpy(&ev.payload[0], &family, sizeof(family));
+        if (family == AF_INET) {
+          struct sockaddr_in_t sin = {};
+          bpf_probe_read_kernel(&sin, sizeof(sin), address);
+          __builtin_memcpy(&ev.payload[2], &sin.sin_port, sizeof(sin.sin_port));
+          __builtin_memcpy(&ev.payload[4], &sin.sin_addr, sizeof(sin.sin_addr));
+          if (sin.sin_port == __constant_htons(53)) {
+            dns_connected_tids.update(&tid, &one);
+          }
+        } else if (family == AF_INET6) {
+          struct sockaddr_in6_t sin6 = {};
+          bpf_probe_read_kernel(&sin6, sizeof(sin6), address);
+          __builtin_memcpy(&ev.payload[2], &sin6.sin6_port, sizeof(sin6.sin6_port));
+          __builtin_memcpy(&ev.payload[4], &sin6.sin6_addr, sizeof(sin6.sin6_addr));
+          if (sin6.sin6_port == __constant_htons(53)) {
+            dns_connected_tids.update(&tid, &one);
+          }
+        }
+        submit_event(&ev);
+        return 0;
+      }
+      TRACEPOINT_PROBE(syscalls, sys_enter_sendmsg)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        struct user_msghdr_t msg = {};
+        struct iovec_t iov = {};
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+        if (!args->msg) {
+          return 0;
+        }
+        bpf_probe_read_user(&msg, sizeof(msg), args->msg);
+        if (!msg.msg_iov || msg.msg_iovlen == 0) {
+          return 0;
+        }
+        if (msg.msg_name && !is_dns_destination(msg.msg_name)) {
+          return 0;
+        }
+        bpf_probe_read_user(&iov, sizeof(iov), msg.msg_iov);
+        if (!iov.iov_base) {
+          return 0;
+        }
+        submit_dns_req(pid, (unsigned char *)iov.iov_base, (unsigned int)iov.iov_len);
+        return 0;
+      }
+      TRACEPOINT_PROBE(syscalls, sys_enter_sendto)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        unsigned char *buff = args->buff;
+        int dns_match = 0;
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+        if (!buff) {
+          return 0;
+        }
+        if (args->addr) {
+          dns_match = is_dns_destination(args->addr);
+        } else {
+          u8 *connected = dns_connected_tids.lookup(&tid);
+          dns_match = connected && *connected == 1;
+        }
+        if (!dns_match) {
+          return 0;
+        }
+        submit_dns_req(pid, buff, args->len);
+        dns_connected_tids.delete(&tid);
+        return 0;
+      }
+      TRACEPOINT_PROBE(syscalls, sys_enter_sendmmsg)
+      {
+        u64 pid_tgid = bpf_get_current_pid_tgid();
+        u32 pid = pid_tgid >> 32;
+        u32 tid = (u32)pid_tgid;
+        struct mmsghdr_t mmsg = {};
+        struct iovec_t iov = {};
+        if (!target_enabled(pid, tid)) {
+          return 0;
+        }
+        if (!args->mmsg) {
+          return 0;
+        }
+        bpf_probe_read_user(&mmsg, sizeof(mmsg), args->mmsg);
+        if (mmsg.msg_hdr.msg_name && !is_dns_destination(mmsg.msg_hdr.msg_name)) {
+          return 0;
+        }
+        if (!mmsg.msg_hdr.msg_iov || mmsg.msg_hdr.msg_iovlen == 0) {
+          return 0;
+        }
+        bpf_probe_read_user(&iov, sizeof(iov), mmsg.msg_hdr.msg_iov);
+        if (!iov.iov_base) {
+          return 0;
+        }
+        submit_dns_req(pid, (unsigned char *)iov.iov_base, (unsigned int)iov.iov_len);
         return 0;
       }

data/sig/vivarium.rbs CHANGED Viewed

@@ -5,6 +5,7 @@ module Vivarium
   end
   class Event < ::Struct
+    attr_accessor ktime_ns: Integer?
     attr_accessor pid: Integer?
     attr_accessor event_name: String?
     attr_accessor payload: String?
@@ -39,11 +40,21 @@ module Vivarium
   EVENT_NAME_SIZE: Integer
   EVENT_PAYLOAD_SIZE: Integer
+  EVENT_TS_SIZE: Integer
   EVENT_STRUCT_SIZE: Integer
+  EVENT_TS_OFFSET: Integer
+  EVENT_PID_OFFSET: Integer
+  EVENT_NAME_OFFSET: Integer
+  EVENT_PAYLOAD_OFFSET: Integer
   EVENT_CAPACITY: Integer
   def self.bpf_pin_dir: () -> String
   def self.bpf_pin_dir=: (String dir) -> String
+  def self.decode_dns_qname: (String raw_payload) -> String
+  def self.decode_sock_connect_payload: (String raw_payload) -> String
+  def self.decode_odd_socket_payload: (String raw_payload) -> String
+  def self.decode_bad_socket_payload: (String raw_payload) -> String
+  def self.render_event_payload: (Event event) -> String
   def self.observe: (?pin_dir: String pin_dir, ?logger: untyped logger, ?dest: untyped dest, ?format: Symbol format) { () -> untyped } -> untyped
   def self.top_observe: (?pin_dir: String pin_dir, ?logger: untyped logger, ?dest: untyped dest, ?format: Symbol format) -> ObservationSession
   def self.filter_internal_frames?: () -> bool

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: vivarium
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.1.2
 platform: ruby
 authors:
 - Uchio Kondo
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.3
+        version: 0.11.4
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.11.3
+        version: 0.11.4
 description: Vivarium visualizes low-level events such as file open paths and relates
   them to Ruby method boundaries by combining RbBCC (eBPF LSM) and TracePoint.
 email:
@@ -34,6 +34,7 @@ extra_rdoc_files: []
 files:
 - README.md
 - Rakefile
+- examples/network_client_demo.rb
 - exe/vivariumd
 - lib/vivarium.rb
 - lib/vivarium/logger.rb