Molweni nonke, sabelana nani ngenxalenye yesibini yoshicilelo "Iinkqubo zefayile ezibonakalayo kwiLinux: kutheni zifuneka kwaye zisebenza njani?" Unako ukufunda inxalenye yokuqala . Masikukhumbuze ukuba olu ngcelele lweempapasho lubekwe ixesha lokuhambelana nokuqaliswa komlambo omtsha kwikhosi. , eqala ngokukhawuleza.
Uyijonga njani iVFS usebenzisa izixhobo ze-eBPF kunye ne-bcc
Eyona ndlela ilula yokuqonda ukuba i-kernel isebenza njani kwiifayile sysfs kukubona xa usebenza, kwaye eyona ndlela ilula yokuyibukela i-ARM64 kukusebenzisa i-eBPF. I-eBPF (ifutshane kwi-Berkeley Packet Filter) iquka umatshini wenyani osebenzayo , abasebenzisi abanethamsanqa banokucela (query) ukusuka kumgca womyalelo. Imithombo ye-kernel ixelela umfundi ukuba i-kernel inokwenza ntoni; ukusebenzisa izixhobo ze-eBPF kwindlela elayishiweyo kubonisa ukuba ikernel yenza ntoni kanye kanye.
Ngethamsanqa, ukuqalisa ukusebenzisa i-eBPF kulula kakhulu ngoncedo lwezixhobo , ezifumaneka njengepakethe ukusuka kunikezelo jikelele kwaye ibhalwe ngokweenkcukacha . Izixhobo bcc Zizikripthi zePython ezinofakelo oluncinci lwekhowudi ye-C, okuthetha ukuba nabani na oqheleneyo nazo zombini iilwimi unokuziguqula ngokulula. IN bcc/tools Kukho imibhalo yePython engama-80, nto leyo ethetha ukuba kusenokwenzeka ukuba umphuhlisi okanye umlawuli wenkqubo uya kukwazi ukukhetha into efanelekileyo yokusombulula ingxaki.
Ukufumana ubuncinci umbono ongaphezulu wokuba yintoni umsebenzi weVFSs owenzayo kwinkqubo esebenzayo, zama vfscount okanye vfsstat. Oku kuya kubonisa, masithi, ukuba iminxeba emininzi vfs_open() kwaye "abahlobo bakhe" zenzeka ngokoqobo umzuzwana ngamnye.
vfsstat.pysiscript sePython esinofakelo lwekhowudi ye-C ebala ngokulula iifowuni zeVFS.
Makhe sinike umzekelo ongento yanto kwaye sibone ukuba kwenzeka ntoni xa sifaka i-USB flash drive kwikhompyuter kwaye inkqubo iyibhaqe.
Ukusebenzisa i-eBPF unokubona okwenzekayo kuyo
/sysxa i-USB flash drive ifakiwe. Umzekelo olula nontsokothileyo ubonisiwe apha.
Kumzekelo oboniswe ngasentla, bcc isixhobo ishicilela umyalezo xa umyalelo uqhutywa sysfs_create_files(). Siyayibona loo nto sysfs_create_files() yaqaliswa kusetyenziswa kworker umsinga ekuphenduleni into yokuba i-flash drive ifakiwe, kodwa yeyiphi ifayile eyadalwa? Umzekelo wesibini ubonisa amandla e-eBPF. Apha trace.py Shicilela umva wekernel (-K ukhetho) kunye negama lefayile eyenziweyo sysfs_create_files(). Ufakelo lwengxelo enye yikhowudi engu-C equka umtya wefomati ophawuleka ngokulula onikezwe ngumbhalo wePython osebenzisa iLLVM. nje-ngexesha compiler. Iqokelela lo mgca kwaye iwuphumeze kumatshini wenyani ngaphakathi kwekernel. Utyikityo lomsebenzi opheleleyo sysfs_create_files () kufuneka iveliswe kwakhona kumyalelo wesibini ukuze umtya wefomathi ubhekisele kwenye yeeparamitha. Iimpazamo kwesi siqwenga sekhowudi C zikhokelela kwiimpazamo ezibonakalayo ezivela kumqokeleli weC. Umzekelo, ukuba i-parameter ayifakwanga, uya kubona "Ayiphumelelanga ukuqulunqa iteksti ye-BPF." Abaphuhlisi abaqhelana neC kunye nePython baya kufumana izixhobo bcc kulula ukwandisa kunye nokutshintsha.
Xa i-USB drive ifakiwe, i-kernel backtrace iya kubonisa ukuba i-PID 7711 yintambo. kworkereyenza ifayile Β«eventsΒ» Π² sysfs. Ngokufanelekileyo, umnxeba ovela sysfs_remove_files() iya kubonisa ukuba ukususa i-drive kubangele ukuba ifayile icinywe events, ehambelana nengqiqo jikelele yokubala ireferensi. Ngexesha elifanayo, ukujonga sysfs_create_link () nge-eBPF ngelixa ufaka i-USB drive iya kubonisa ukuba ubuncinane amakhonkco angama-48 enziwe.
Ngoko yintoni inqaku lefayile yeziganeko? Ukusetyenziswa Ukukhangela , ibonisa ukuba ibangela ntoni disk_add_events (), kwaye nokuba "media_change", okanye "eject_request" inokurekhodwa kwifayile yesiganeko. Apha umaleko we-kernel block wazisa indawo yomsebenzisi ukuba "idiski" ivele kwaye yakhutshwa. Qaphela ukuba inolwazi kangakanani le ndlela yophando ngokufaka i-USB drive, xa kuthelekiswa nokuzama ukufumanisa ukuba izinto zisebenza njani ukusuka kumthombo.
Iinkqubo zeefayili eziziingcambu ezifundwayo kuphela zenza izixhobo ezizinzisiweyo
Ewe kunjalo, akukho mntu ucima iseva okanye ikhompyuter yakhe ngokutsala iplagi kwisokethi. Kodwa kutheni? Oku kungenxa yokuba iinkqubo zefayile ezinyusiweyo kwizixhobo zogcino lwenyama zinokubhala zishiywe lixesha, kwaye izakhiwo zedatha ezirekhoda imeko yazo zisenokungadityaniswa nokubhala kugcino. Xa oku kusenzeka, abanini benkqubo kufuneka balinde de ibe yinkqubo elandelayo yokuqalisa into eluncedo. fsck filesystem-recovery kwaye, kwimeko embi kakhulu, ukulahlekelwa idatha.
Nangona kunjalo, sonke siyazi ukuba izixhobo ezininzi ze-IoT, kunye nee-routers, i-thermostats kunye neemoto, ngoku ziqhuba i-Linux. Uninzi lwezi zixhobo zincinci kwi-interface yomsebenzisi, kwaye akukho ndlela yokuyicima "ngokucocekileyo." Khawucinge uqale imoto ngebhetri efileyo xa amandla kwiyunithi yokulawula ehlala exhuma-xhuma. Kwenzeka njani ukuba inkqubo iqale ngaphandle kwexesha elide fsckiqala nini ukusebenza injini ekugqibeleni? Kwaye impendulo ilula. Izixhobo ezizinzisiweyo zixhomekeke kwinkqubo yefayile yengcambu (efinyeziwe ro-rootfs (funda-kuphela ingcambu yenkqubo yefayile)).
ro-rootfs zibonelela ngeenzuzo ezininzi ezingacacanga kangako kunobunyani. Enye inzuzo kukuba i-malware ayikwazi ukubhalela /usr okanye /lib, ukuba akukho nkqubo ye Linux inokubhala apho. Enye yeyokuba isixokelelwano sefayile esingenakuguquleka sibaluleke kakhulu kwinkxaso yendawo yezixhobo ezikude, kuba abasebenzi benkxaso baxhomekeke kwiinkqubo zasekhaya ezifanayo ngokwesixokelelwano sentsimi. Mhlawumbi eyona nzuzo ibalulekileyo (kodwa eyona ifihlakeleyo) kukuba i-rootfs inyanzela abaphuhlisi ukuba bathathe isigqibo sokuba zeziphi na izinto zesistim ezingenakuguquguquka kwinqanaba loyilo lwenkqubo. Ukusebenza nge-ro-rootfs kunokuba nzima kwaye kube buhlungu, njengoko i-const variables ihlala ikwiilwimi zeprogram, kodwa izibonelelo zabo zithethelela ngokulula okongeziweyo.
Indalo rootfs Ukufunda kuphela kufuna inzame eyongezelelweyo kubaphuhlisi abafakelweyo, kwaye kulapho iVFS ingena emfanekisweni. I-Linux ifuna ukuba iifayile zibe ngaphakathi /var bezibhaleka, kwaye ukongeza, izicelo ezininzi ezidumileyo ezisebenzisa iindlela ezilungisiweyo ziyakuzama ukwenza uqwalaselo dot-files Π² $HOME. Isisombululo esinye seefayile zoqwalaselo kulawulo lwasekhaya kuqhelekile ukuvelisa ngaphambili kunye nokwakha kuzo rootfs... Kuba /var Enye indlela enokwenzeka kukuyixhoma kwisahlulelo esibhaliweyo esahlukileyo, ngelixa / inyuswe yokufunda kuphela. Enye indlela edumileyo kukusebenzisa i-binding okanye ii-overlay.
Ukunyuswa okudityanisiweyo kunye nokupakishwayo, ukusetyenziswa kwazo zizikhongozeli
Ukuphunyezwa komyalelo man mount yeyona ndlela ingcono yokufunda malunga nokubopheleka nokuxhoma okukwalekekayo, okunika ababhekisi phambili kunye nabalawuli benkqubo ukukwazi ukwenza inkqubo yefayile kwindlela enye kwaye emva koko uyiveze kwizicelo kwenye. Kwiinkqubo ezizinzisiweyo, oku kuthetha ukukwazi ukugcina iifayile ngaphakathi /var kwi-flash drive efundwayo kuphela, kodwa isigqubuthelo okanye indlela yentaba eqhagamshekayo ukusuka tmpfs Π² /var xa ulayisha, iyakuvumela izicelo ukuba zibhale amanqaku apho (scrawl). Kwixesha elizayo xa uvula utshintsho kwi /var uya kulahleka. Intaba eyalekeneyo yenza umanyano phakathi tmpfs kunye nenkqubo yefayile esezantsi kwaye ikuvumela ukuba wenze utshintsho olubonakalayo kwiifayile ezikhoyo ro-tootf ngelixa intaba ebophekayo inokwenza ezintsha zingabi nanto tmpfs iziqulathi zeefayili ezibonakalayo njengoko zibhalwayo ngaphakathi ro-rootfs iindlela. Ngelixa overlayfs le yeyona ilungileyo (proper) uhlobo lwesixokelelwano sefayile, intaba ebophelelayo iphunyeziwe .
Ngokusekwe kwinkcazo yokwaleka kunye nentaba enokuqhagamshelwana nayo, akukho mntu umangaliswayo kukuba zisetyenziswa ngenkuthalo. Makhe sibone ukuba kwenzeka ntoni xa sisebenzisa ukuqhuba isikhongozeli usebenzisa isixhobo mountsnoop ukusuka bcc.
Mngeni system-nspawn iqala isikhongozeli ngelixa ibaleka mountsnoop.py.
Makhe sibone ukuba kwenzeke ntoni:
Qalisa mountsnoop Ngelixa isikhongozeli "siqalisa" sibonisa ukuba ixesha lokuqhuba lesikhongozeli lixhomekeke kakhulu kwintaba edityanisiweyo (Kuphela isiqalo sesiphumo eside sibonisiwe).
kuyinto systemd-nspawn inikeza iifayile ezikhethiweyo kwi procfs ΠΈ sysfs ngenisa isikhongozeli njengeendlela eziya kuyo rootfs... Ngaphandle koko MS_BIND iflegi emisela intaba ebophelelayo, ezinye iiflegi entabeni zichaza unxulumano phakathi kotshintsho kumamkeli kunye nezithuba zamagama zesikhongozeli. Umzekelo, intaba edityanisiweyo inokutsiba utshintsho ukuya /proc ΠΈ /sys kwisikhongozeli, okanye uzifihle ngokuxhomekeke kwifowuni.
isiphelo
Ukuqonda ukusebenza kwangaphakathi kweLinux kunokubonakala ngathi ngumsebenzi ongenakwenzeka, kuba ikernel ngokwayo iqulethe isixa esikhulu sekhowudi, ishiya bucala usetyenziso lwendawo yeLinux kunye nenkqubo yokufowuna ujongano kwiilayibrari zeC ezifana glibc. Enye indlela yokwenza inkqubela kukufunda ikhowudi yemvelaphi ye-kernel subsystem, kunye nogxininiso kwiifowuni zenkqubo yokuqonda kunye nentloko yendawo yomsebenzisi, kunye nojongano oluphambili lwekernel lwangaphakathi, olufana netafile. file_operations. Imisebenzi yefayile ibonelela ngomgaqo othi "yonke into yifayile", nto leyo eyenza ukuba kube mnandi kakhulu ukuyilawula. Iifayile zemvelaphi ye-kernel kwinqanaba eliphezulu fs/ bonisa uzalisekiso lweenkqubo zefayile ezinenyani, ezilucwecwe olusongayo olubonelela ngokuhambelana okubanzi nolula olulula phakathi kweenkqubo zefayile ezidumileyo kunye nezixhobo zokugcina. Ukudibanisa kunye nokunyuka okungaphezulu ngeendawo zeLinux ngumlingo weVFS owenza ukuba kubekho izikhongozeli zokufunda kuphela kunye neenkqubo zeefayile zeengcambu zenzeke. Idityaniswe noviwo lwekhowudi yomthombo, isixhobo esisisiseko se-eBPF kunye ne-interface yayo bcc
ukwenza uphononongo olungundoqo lube lula kunangaphambili.
Bahlobo, bhala, ngaba eli nqaku liluncedo kuwe? Mhlawumbi unazo naziphi na izimvo okanye amagqabantshintshi? Kwaye abo banomdla kwikhosi yoMlawuli weLinux bayamenywa ukuba , eya kuba ngoAprili 18.
umthombo: www.habr.com