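/* Copyright (c) 2015 PLUMgrid, http://plumgrid.com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of version 2 of the GNU General Public
 * License as published by the Free Software Foundation.
 */
#include <linux/ptrace.h>
#include <linux/version.h>
#include <uapi/linux/bpf.h>
#include <uapi/linux/seccomp.h>
#include "bpf_helpers.h"

/*
 * Define a kprobe program named bpf_func_<F> in ELF section "kprobe/<F>".
 * The user-space loader is expected to place each such program into the
 * "progs" array below at index F, so bpf_prog1() can tail-call into it
 * using the syscall number as the key.
 */
#define PROG(F) SEC("kprobe/"__stringify(F)) int bpf_func_##F

/* Program array: syscall number -> per-syscall handler (populated by the loader). */
struct bpf_map_def SEC("maps") progs = {
	.type = BPF_MAP_TYPE_PROG_ARRAY,
	.key_size = sizeof(u32),
	.value_size = sizeof(u32),
	.max_entries = 1024,
};

/*
 * Entry program, attached as a kprobe on __seccomp_filter().
 *
 * The first argument of the probed function is the syscall number.  If a
 * handler for that number is loaded into "progs", control is transferred
 * there and never returns here; otherwise execution falls through and a
 * small range of get/set uid/pid/gid syscalls is reported via the trace
 * buffer.  Always returns 0 (the kprobe return value is not used).
 */
SEC("kprobe/__seccomp_filter")
int bpf_prog1(struct pt_regs *ctx)
{
	int sc_nr = (int)PT_REGS_PARM1(ctx);

	/*
	 * Dispatch into the next BPF program depending on syscall number.
	 * When no program is installed at this index the tail call is a
	 * no-op and we continue below.
	 */
	bpf_tail_call(ctx, &progs, sc_nr);

	/* fall through -> unknown syscall */
	if (sc_nr >= __NR_getuid && sc_nr <= __NR_getsid) {
		/* bpf_trace_printk() writes to the shared kernel trace buffer;
		 * it is a debugging aid, not a production logging channel. */
		char fmt[] = "syscall=%d (one of get/set uid/pid/gid)\n";
		bpf_trace_printk(fmt, sizeof(fmt), sc_nr);
	}
	return 0;
}

/* we jump here when syscall number == __NR_write */
PROG(__NR_write)(struct pt_regs *ctx)
{
	struct seccomp_data sd;

	/*
	 * The second argument of __seccomp_filter() points at the
	 * struct seccomp_data describing the syscall; copy it out of kernel
	 * memory.  Bail out if the copy fails so the arguments below are
	 * never interpreted from a buffer this program did not fill.
	 */
	if (bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)))
		return 0;
	/* Only report writes of exactly 512 bytes to keep the trace readable. */
	if (sd.args[2] == 512) {
		char fmt[] = "write(fd=%d, buf=%p, size=%d)\n";
		bpf_trace_printk(fmt, sizeof(fmt),
				 sd.args[0], sd.args[1], sd.args[2]);
	}
	return 0;
}

/* we jump here when syscall number == __NR_read */
PROG(__NR_read)(struct pt_regs *ctx)
{
	struct seccomp_data sd;

	/* Same contract as the __NR_write handler: skip on a failed copy. */
	if (bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)))
		return 0;
	/* Report reads whose requested size is in (128, 1024]. */
	if (sd.args[2] > 128 && sd.args[2] <= 1024) {
		char fmt[] = "read(fd=%d, buf=%p, size=%d)\n";
		bpf_trace_printk(fmt, sizeof(fmt),
				 sd.args[0], sd.args[1], sd.args[2]);
	}
	return 0;
}

/* we jump here when syscall number == __NR_mmap; no arguments are inspected */
PROG(__NR_mmap)(struct pt_regs *ctx)
{
	char fmt[] = "mmap\n";
	bpf_trace_printk(fmt, sizeof(fmt));
	return 0;
}

/* GPL license is required for the GPL-only helpers used above. */
char _license[] SEC("license") = "GPL";
u32 _version SEC("version") = LINUX_VERSION_CODE;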