Molweni nonke, sabelana nani ngenxalenye yesibini yoshicilelo "Iinkqubo zefayile ezibonakalayo kwiLinux: kutheni zifuneka kwaye zisebenza njani?" Unako ukufunda inxalenye yokuqala
Uyijonga njani iVFS usebenzisa izixhobo ze-eBPF kunye ne-bcc
Eyona ndlela ilula yokuqonda ukuba i-kernel isebenza njani kwiifayile sysfs
kukubona xa usebenza, kwaye eyona ndlela ilula yokuyibukela i-ARM64 kukusebenzisa i-eBPF. I-eBPF (ifutshane kwi-Berkeley Packet Filter) iquka umatshini wenyani osebenzayo query
) ukusuka kumgca womyalelo. Imithombo ye-kernel ixelela umfundi ukuba i-kernel inokwenza ntoni; ukusebenzisa izixhobo ze-eBPF kwindlela elayishiweyo kubonisa ukuba ikernel yenza ntoni kanye kanye.
Ngethamsanqa, ukuqalisa ukusebenzisa i-eBPF kulula kakhulu ngoncedo lwezixhobo bcc
Zizikripthi zePython ezinofakelo oluncinci lwekhowudi ye-C, okuthetha ukuba nabani na oqheleneyo nazo zombini iilwimi unokuziguqula ngokulula. IN bcc/tools
Kukho imibhalo yePython engama-80, nto leyo ethetha ukuba kusenokwenzeka ukuba umphuhlisi okanye umlawuli wenkqubo uya kukwazi ukukhetha into efanelekileyo yokusombulula ingxaki.
Ukufumana ubuncinci umbono ongaphezulu wokuba yintoni umsebenzi weVFSs owenzayo kwinkqubo esebenzayo, zama vfscount
okanye vfsstat
. Oku kuya kubonisa, masithi, ukuba iminxeba emininzi vfs_open()
kwaye "abahlobo bakhe" zenzeka ngokoqobo umzuzwana ngamnye.
vfsstat.py
siscript sePython esinofakelo lwekhowudi ye-C ebala ngokulula iifowuni zeVFS.
Makhe sinike umzekelo ongento yanto kwaye sibone ukuba kwenzeka ntoni xa sifaka i-USB flash drive kwikhompyuter kwaye inkqubo iyibhaqe.
Ukusebenzisa i-eBPF unokubona okwenzekayo kuyo
/sys
xa i-USB flash drive ifakiwe. Umzekelo olula nontsokothileyo ubonisiwe apha.
Kumzekelo oboniswe ngasentla, bcc
isixhobo sysfs_create_files()
. Siyayibona loo nto sysfs_create_files()
yaqaliswa kusetyenziswa kworker
umsinga ekuphenduleni into yokuba i-flash drive ifakiwe, kodwa yeyiphi ifayile eyadalwa? Umzekelo wesibini ubonisa amandla e-eBPF. Apha trace.py
Shicilela umva wekernel (-K ukhetho) kunye negama lefayile eyenziweyo sysfs_create_files()
. Ufakelo lwengxelo enye yikhowudi engu-C equka umtya wefomati ophawuleka ngokulula onikezwe ngumbhalo wePython osebenzisa iLLVM. nje-ngexesha compiler. Iqokelela lo mgca kwaye iwuphumeze kumatshini wenyani ngaphakathi kwekernel. Utyikityo lomsebenzi opheleleyo sysfs_create_files ()
kufuneka iveliswe kwakhona kumyalelo wesibini ukuze umtya wefomathi ubhekisele kwenye yeeparamitha. Iimpazamo kwesi siqwenga sekhowudi C zikhokelela kwiimpazamo ezibonakalayo ezivela kumqokeleli weC. Umzekelo, ukuba i-parameter ayifakwanga, uya kubona "Ayiphumelelanga ukuqulunqa iteksti ye-BPF." Abaphuhlisi abaqhelana neC kunye nePython baya kufumana izixhobo bcc
kulula ukwandisa kunye nokutshintsha.
Xa i-USB drive ifakiwe, i-kernel backtrace iya kubonisa ukuba i-PID 7711 yintambo. kworker
eyenza ifayile Β«eventsΒ»
Π² sysfs
. Ngokufanelekileyo, umnxeba ovela sysfs_remove_files()
iya kubonisa ukuba ukususa i-drive kubangele ukuba ifayile icinywe events
, ehambelana nengqiqo jikelele yokubala ireferensi. Ngexesha elifanayo, ukujonga sysfs_create_link ()
nge-eBPF ngelixa ufaka i-USB drive iya kubonisa ukuba ubuncinane amakhonkco angama-48 enziwe.
Ngoko yintoni inqaku lefayile yeziganeko? Ukusetyenziswa disk_add_events ()
, kwaye nokuba "media_change"
, okanye "eject_request"
inokurekhodwa kwifayile yesiganeko. Apha umaleko we-kernel block wazisa indawo yomsebenzisi ukuba "idiski" ivele kwaye yakhutshwa. Qaphela ukuba inolwazi kangakanani le ndlela yophando ngokufaka i-USB drive, xa kuthelekiswa nokuzama ukufumanisa ukuba izinto zisebenza njani ukusuka kumthombo.
Iinkqubo zeefayili eziziingcambu ezifundwayo kuphela zenza izixhobo ezizinzisiweyo
Ewe kunjalo, akukho mntu ucima iseva okanye ikhompyuter yakhe ngokutsala iplagi kwisokethi. Kodwa kutheni? Oku kungenxa yokuba iinkqubo zefayile ezinyusiweyo kwizixhobo zogcino lwenyama zinokubhala zishiywe lixesha, kwaye izakhiwo zedatha ezirekhoda imeko yazo zisenokungadityaniswa nokubhala kugcino. Xa oku kusenzeka, abanini benkqubo kufuneka balinde de ibe yinkqubo elandelayo yokuqalisa into eluncedo. fsck filesystem-recovery
kwaye, kwimeko embi kakhulu, ukulahlekelwa idatha.
Nangona kunjalo, sonke siyazi ukuba izixhobo ezininzi ze-IoT, kunye nee-routers, i-thermostats kunye neemoto, ngoku ziqhuba i-Linux. Uninzi lwezi zixhobo zincinci kwi-interface yomsebenzisi, kwaye akukho ndlela yokuyicima "ngokucocekileyo." Khawucinge uqale imoto ngebhetri efileyo xa amandla kwiyunithi yokulawula fsck
iqala nini ukusebenza injini ekugqibeleni? Kwaye impendulo ilula. Izixhobo ezizinzisiweyo zixhomekeke kwinkqubo yefayile yengcambu ro-rootfs
(funda-kuphela ingcambu yenkqubo yefayile)).
ro-rootfs
zibonelela ngeenzuzo ezininzi ezingacacanga kangako kunobunyani. Enye inzuzo kukuba i-malware ayikwazi ukubhalela /usr
okanye /lib
, ukuba akukho nkqubo ye Linux inokubhala apho. Enye yeyokuba isixokelelwano sefayile esingenakuguquleka sibaluleke kakhulu kwinkxaso yendawo yezixhobo ezikude, kuba abasebenzi benkxaso baxhomekeke kwiinkqubo zasekhaya ezifanayo ngokwesixokelelwano sentsimi. Mhlawumbi eyona nzuzo ibalulekileyo (kodwa eyona ifihlakeleyo) kukuba i-rootfs inyanzela abaphuhlisi ukuba bathathe isigqibo sokuba zeziphi na izinto zesistim ezingenakuguquguquka kwinqanaba loyilo lwenkqubo. Ukusebenza nge-ro-rootfs kunokuba nzima kwaye kube buhlungu, njengoko i-const variables ihlala ikwiilwimi zeprogram, kodwa izibonelelo zabo zithethelela ngokulula okongeziweyo.
Indalo rootfs
Ukufunda kuphela kufuna inzame eyongezelelweyo kubaphuhlisi abafakelweyo, kwaye kulapho iVFS ingena emfanekisweni. I-Linux ifuna ukuba iifayile zibe ngaphakathi /var
bezibhaleka, kwaye ukongeza, izicelo ezininzi ezidumileyo ezisebenzisa iindlela ezilungisiweyo ziyakuzama ukwenza uqwalaselo dot-files
Π² $HOME
. Isisombululo esinye seefayile zoqwalaselo kulawulo lwasekhaya kuqhelekile ukuvelisa ngaphambili kunye nokwakha kuzo rootfs
... Kuba /var
Enye indlela enokwenzeka kukuyixhoma kwisahlulelo esibhaliweyo esahlukileyo, ngelixa /
inyuswe yokufunda kuphela. Enye indlela edumileyo kukusebenzisa i-binding okanye ii-overlay.
Ukunyuswa okudityanisiweyo kunye nokupakishwayo, ukusetyenziswa kwazo zizikhongozeli
Ukuphunyezwa komyalelo man mount
yeyona ndlela ingcono yokufunda malunga nokubopheleka nokuxhoma okukwalekekayo, okunika ababhekisi phambili kunye nabalawuli benkqubo ukukwazi ukwenza inkqubo yefayile kwindlela enye kwaye emva koko uyiveze kwizicelo kwenye. Kwiinkqubo ezizinzisiweyo, oku kuthetha ukukwazi ukugcina iifayile ngaphakathi /var
kwi-flash drive efundwayo kuphela, kodwa isigqubuthelo okanye indlela yentaba eqhagamshekayo ukusuka tmpfs
Π² /var
xa ulayisha, iyakuvumela izicelo ukuba zibhale amanqaku apho (scrawl). Kwixesha elizayo xa uvula utshintsho kwi /var
uya kulahleka. Intaba eyalekeneyo yenza umanyano phakathi tmpfs
kunye nenkqubo yefayile esezantsi kwaye ikuvumela ukuba wenze utshintsho olubonakalayo kwiifayile ezikhoyo ro-tootf
ngelixa intaba ebophekayo inokwenza ezintsha zingabi nanto tmpfs
iziqulathi zeefayili ezibonakalayo njengoko zibhalwayo ngaphakathi ro-rootfs
iindlela. Ngelixa overlayfs
le yeyona ilungileyo (proper
) uhlobo lwesixokelelwano sefayile, intaba ebophelelayo iphunyeziwe
Ngokusekwe kwinkcazo yokwaleka kunye nentaba enokuqhagamshelwana nayo, akukho mntu umangaliswayo kukuba mountsnoop
ukusuka bcc
.
Mngeni system-nspawn
iqala isikhongozeli ngelixa ibaleka mountsnoop.py
.
Makhe sibone ukuba kwenzeke ntoni:
Qalisa mountsnoop
Ngelixa isikhongozeli "siqalisa" sibonisa ukuba ixesha lokuqhuba lesikhongozeli lixhomekeke kakhulu kwintaba edityanisiweyo (Kuphela isiqalo sesiphumo eside sibonisiwe).
kuyinto systemd-nspawn
inikeza iifayile ezikhethiweyo kwi procfs
ΠΈ sysfs
ngenisa isikhongozeli njengeendlela eziya kuyo rootfs
... Ngaphandle koko MS_BIND
iflegi emisela intaba ebophelelayo, ezinye iiflegi entabeni zichaza unxulumano phakathi kotshintsho kumamkeli kunye nezithuba zamagama zesikhongozeli. Umzekelo, intaba edityanisiweyo inokutsiba utshintsho ukuya /proc
ΠΈ /sys
kwisikhongozeli, okanye uzifihle ngokuxhomekeke kwifowuni.
isiphelo
Ukuqonda ukusebenza kwangaphakathi kweLinux kunokubonakala ngathi ngumsebenzi ongenakwenzeka, kuba ikernel ngokwayo iqulethe isixa esikhulu sekhowudi, ishiya bucala usetyenziso lwendawo yeLinux kunye nenkqubo yokufowuna ujongano kwiilayibrari zeC ezifana glibc
. Enye indlela yokwenza inkqubela kukufunda ikhowudi yemvelaphi ye-kernel subsystem, kunye nogxininiso kwiifowuni zenkqubo yokuqonda kunye nentloko yendawo yomsebenzisi, kunye nojongano oluphambili lwekernel lwangaphakathi, olufana netafile. file_operations
. Imisebenzi yefayile ibonelela ngomgaqo othi "yonke into yifayile", nto leyo eyenza ukuba kube mnandi kakhulu ukuyilawula. Iifayile zemvelaphi ye-kernel kwinqanaba eliphezulu fs/
bonisa uzalisekiso lweenkqubo zefayile ezinenyani, ezilucwecwe olusongayo olubonelela ngokuhambelana okubanzi nolula olulula phakathi kweenkqubo zefayile ezidumileyo kunye nezixhobo zokugcina. Ukudibanisa kunye nokunyuka okungaphezulu ngeendawo zeLinux ngumlingo weVFS owenza ukuba kubekho izikhongozeli zokufunda kuphela kunye neenkqubo zeefayile zeengcambu zenzeke. Idityaniswe noviwo lwekhowudi yomthombo, isixhobo esisisiseko se-eBPF kunye ne-interface yayo bcc
ukwenza uphononongo olungundoqo lube lula kunangaphambili.
Bahlobo, bhala, ngaba eli nqaku liluncedo kuwe? Mhlawumbi unazo naziphi na izimvo okanye amagqabantshintshi? Kwaye abo banomdla kwikhosi yoMlawuli weLinux bayamenywa ukuba
umthombo: www.habr.com