tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
1// SPDX-License-Identifier: GPL-2.0
2
3/*
4 * Copyright 2020 Google LLC.
5 */
6
7#include "vmlinux.h"
8#include <bpf/bpf_helpers.h>
9#include <bpf/bpf_tracing.h>
10#include <errno.h>
11
12char _license[] SEC("license") = "GPL";
13
14int monitored_pid = 0;
15int mprotect_count = 0;
16int bprm_count = 0;
17
18SEC("lsm/file_mprotect")
19int BPF_PROG(test_int_hook, struct vm_area_struct *vma,
20 unsigned long reqprot, unsigned long prot, int ret)
21{
22 if (ret != 0)
23 return ret;
24
25 __u32 pid = bpf_get_current_pid_tgid() >> 32;
26 int is_stack = 0;
27
28 is_stack = (vma->vm_start <= vma->vm_mm->start_stack &&
29 vma->vm_end >= vma->vm_mm->start_stack);
30
31 if (is_stack && monitored_pid == pid) {
32 mprotect_count++;
33 ret = -EPERM;
34 }
35
36 return ret;
37}
38
39SEC("lsm/bprm_committed_creds")
40int BPF_PROG(test_void_hook, struct linux_binprm *bprm)
41{
42 __u32 pid = bpf_get_current_pid_tgid() >> 32;
43
44 if (monitored_pid == pid)
45 bprm_count++;
46
47 return 0;
48}