authorPaul Buetow <paul@buetow.org>2024-02-10 18:50:08 +0200
committerPaul Buetow <paul@buetow.org>2024-02-10 18:50:08 +0200
commit25d56de3712412bfb5b271ff9fbad7bf8d75288e (patch)
tree6a9c796ec41a3c2bdeaeaa3036e1fafcf1d44148
parentc6200235b553770221e1ca0b25ca46ed6af96803 (diff)
add UID filter
-rw-r--r--main.bpf.c27
-rw-r--r--main.go13
2 files changed, 15 insertions, 25 deletions
diff --git a/main.bpf.c b/main.bpf.c
index 1c0d946..d494991 100644
--- a/main.bpf.c
+++ b/main.bpf.c
@@ -4,17 +4,9 @@
#include <bpf/bpf_helpers.h>
-struct value {
- int x;
- char y;
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __type(key, u32);
- __type(value, struct value);
- __uint(max_entries, 1 << 24);
-} tester SEC(".maps");
+// TODO: Make this configurable via a flag from the userland part.
+// For now, this is set to my own user for development purposes.
+#define UID_FILTER 1001
struct openat_event {
int fd;
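Review bot: The `#define UID_FILTER 1001` bakes a single developer UID into the BPF object, so on any other machine all four tracepoint handlers return early and the tool silently reports nothing, which the `TODO` two lines above acknowledges but does not mitigate. The usual libbpf way to make this configurable without recompiling is a read-only global that the Go loader fills in before the object is loaded, e.g. `const volatile u32 uid_filter = 0;`, and the handlers compare against that instead of the macro. If a sentinel such as 0 is used to mean "no filter", the comment should say so explicitly, because 0 is also root's UID and would then no longer be selectable as a filter value.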
@@ -40,10 +32,12 @@ struct {
SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
u32 tid = bpf_get_current_pid_tgid();
struct openat_event event = { .syscall_id = ctx->id };
-
bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]);
bpf_get_current_comm(&event.comm, sizeof(event.comm));
event.tid = tid;
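Review bot: The UID test `(bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER` is pasted verbatim into four handlers (this hunk, and the hunks for `handle_exit_open`, `handle_enter_openat` and `handle_exit_openat`), so a later change to the filter has to be made in four places; a single helper such as `static __always_inline int uid_is_filtered(void) { return (bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER; }` keeps one definition. The helper is also where the semantics belong in a comment, e.g. `/* low 32 bits are the UID, high 32 bits the GID */`, and, if I read the kernel helper right, this is the task's real UID in the initial user namespace rather than its effective UID — worth stating (or confirming) so readers know which processes the filter admits. The body of `handle_enter_open` continues past the end of this hunk.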
@@ -54,6 +48,9 @@ int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
SEC("tracepoint/syscalls/sys_exit_open")
int handle_exit_open(struct trace_event_raw_sys_exit *args) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
u32 tid = bpf_get_current_pid_tgid();
struct openat_event *eventp = bpf_map_lookup_elem(&temp_events, &tid);
if (!eventp) {
@@ -69,6 +66,9 @@ int handle_exit_open(struct trace_event_raw_sys_exit *args) {
SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
u32 tid = bpf_get_current_pid_tgid();
struct openat_event event = { .syscall_id = ctx->id };
@@ -82,6 +82,9 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
SEC("tracepoint/syscalls/sys_exit_openat")
int handle_exit_openat(struct trace_event_raw_sys_exit *args) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
return handle_exit_open(args);
}
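Review bot: The three lines added to `handle_exit_openat` are redundant: the function immediately delegates to `handle_exit_open`, whose first statement (added in the hunk at `@@ -54,6 +48,9 @@`) performs the identical UID comparison and returns 0 on mismatch, so the filter runs twice per exit event. Either drop the check here and keep `return handle_exit_open(args);` as the whole body, or move the check into a shared helper and call it from one place. `handle_exit_openat` is complete within this hunk.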
diff --git a/main.go b/main.go
index 7d4dd8f..1d3988c 100644
--- a/main.go
+++ b/main.go
@@ -66,19 +66,6 @@ func main() {
log.Fatal(err)
}
- testerMap, err := bpfModule.GetMap("tester")
- if err != nil {
- log.Fatal(err)
- }
-
- if testerMap.Name() != "tester" {
- log.Fatal("wrong map")
- }
-
- if testerMap.Type() != bpf.MapTypeHash {
- log.Fatal("wrong map type")
- }
-
eventsChannel := make(chan []byte)
lostChannel := make(chan uint64)
pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1)