| author | Paul Buetow <paul@buetow.org> | 2024-02-22 22:58:21 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-22 22:58:21 +0200 |
| commit | 1621b01ae9a47ab27c5b83237d37595695d32cbb (patch) | |
| tree | 4a8d83794441da8fa573e8a15f43e7bc8a44e886 /internal/c | |
| parent | c1b4bee6c93265139974b1e5cf065d3f82a7154b (diff) | |
filter sets pid and tid
Diffstat (limited to 'internal/c')
| -rw-r--r-- | internal/c/filter.c | 15 | ||||
| -rw-r--r-- | internal/c/tracepoints/close.c | 12 | ||||
| -rw-r--r-- | internal/c/tracepoints/open.c | 12 | ||||
| -rw-r--r-- | internal/c/tracepoints/write.c | 12 | ||||
| -rw-r--r-- | internal/c/types.h | 14 |
5 files changed, 41 insertions, 24 deletions
diff --git a/internal/c/filter.c b/internal/c/filter.c index 93497c7..f30611a 100644 --- a/internal/c/filter.c +++ b/internal/c/filter.c @@ -1,13 +1,20 @@ //+build ignore -static __always_inline int filter() { - if ((bpf_get_current_pid_tgid() >> 32) == PID_FILTER) - return 0; +#define ACCEPT 0 +#define FILTER 1 + +static __always_inline int filter(__u32 *pid, __u32 *tid) { + u64 pid_tgid = bpf_get_current_pid_tgid(); + *pid = pid_tgid >> 32; + *tid = pid_tgid & 0xFFFFFFFF; + + if (*pid == PID_FILTER) + return ACCEPT; /* if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) == UID_FILTER) return 0; */ - return 1; + return FILTER; } diff --git a/internal/c/tracepoints/close.c b/internal/c/tracepoints/close.c index 5e9504b..199a6fa 100644 --- a/internal/c/tracepoints/close.c +++ b/internal/c/tracepoints/close.c @@ -2,7 +2,8 @@ SEC("tracepoint/syscalls/sys_enter_close") int handle_enter_close(struct trace_event_raw_sys_enter *ctx) { - if (filter()) + __u32 pid, tid; + if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); @@ -10,7 +11,8 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) { return 0; ev->op_id = CLOSE_ENTER_OP_ID; - ev->pid_tgid = bpf_get_current_pid_tgid(); + ev->pid = pid; + ev->tid = tid; ev->time = bpf_ktime_get_ns(); ev->fd = (int)ctx->args[0]; @@ -20,7 +22,8 @@ int handle_enter_close(struct trace_event_raw_sys_enter *ctx) { SEC("tracepoint/syscalls/sys_exit_close") int handle_exit_close(struct trace_event_raw_sys_enter *ctx) { - if (filter()) + __u32 pid, tid; + if (filter(&pid, &tid)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); @@ -28,7 +31,8 @@ int handle_exit_close(struct trace_event_raw_sys_enter *ctx) { return 0; ev->op_id = CLOSE_EXIT_OP_ID; - ev->pid_tgid = bpf_get_current_pid_tgid(); + ev->pid = pid; + ev->tid = tid; ev->time = bpf_ktime_get_ns(); bpf_ringbuf_submit(ev, 0); 
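Review bot: `u64 pid_tgid = bpf_get_current_pid_tgid();` in the new filter() body uses the kernel-internal `u64` typedef while the rest of the change (the new `__u32 *pid, __u32 *tid` parameters and types.h) uses the UAPI spelling; `__u64 pid_tgid = bpf_get_current_pid_tgid();` keeps the file to one convention. The out-parameters deserve a comment, because the helper's upper half is the thread-group id (what user space calls the PID) and the lower half is the kernel pid (the thread id), and both are written before the accept/drop decision: `/* pid = tgid (userspace PID), tid = kernel pid (thread id); filled even when the event is dropped */`. The commented-out UID check still sits after `return ACCEPT;` as dead code, and this commit also drops `struct flags` from types.h, so either delete it or put it behind `#ifdef UID_FILTER`. `ACCEPT`/`FILTER` are unprefixed macros in a file that appears to be textually pulled into the tracepoint sources; a prefix such as `FILTER_ACCEPT`/`FILTER_DROP` avoids clashing with kernel or vmlinux.h names.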
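Review bot: `int handle_exit_close(struct trace_event_raw_sys_enter *ctx)` in the third close.c hunk declares an exit tracepoint with the sys_enter context type, while `_handle_exit_open` in the same commit takes `struct trace_event_raw_sys_exit *ctx`; write.c's `handle_exit_write` has the same mismatch. The exit handlers shown never dereference ctx, so this looks harmless today, but the first field read through it would use the wrong layout, and `int handle_exit_close(struct trace_event_raw_sys_exit *ctx) {` makes the type match the SEC name. The new prologue `__u32 pid, tid; if (filter(&pid, &tid)) return 0;` is now repeated in all eight handlers across close.c, open.c and write.c; that is acceptable, but the bodies of these functions continue outside the hunks, so I cannot see whether pid/tid are used anywhere other than the two assignments.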
diff --git a/internal/c/tracepoints/open.c b/internal/c/tracepoints/open.c index f3b3a21..24f94b8 100644 --- a/internal/c/tracepoints/open.c +++ b/internal/c/tracepoints/open.c @@ -1,7 +1,8 @@ //+build ignore static __always_inline int _handle_enter_open(struct trace_event_raw_sys_enter *ctx, __u32 op_id) { - if (filter()) + __u32 pid, tid; + if (filter(&pid, &tid)) return 0; struct open_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct open_enter_event), 0); @@ -9,7 +10,8 @@ static __always_inline int _handle_enter_open(struct trace_event_raw_sys_enter * return 0; ev->op_id = op_id; - ev->pid_tgid = bpf_get_current_pid_tgid(); + ev->pid = pid; + ev->tid = tid; ev->time = bpf_ktime_get_ns(); // Reset memory, as structure is re-used (ringbuffer) @@ -22,7 +24,8 @@ static __always_inline int _handle_enter_open(struct trace_event_raw_sys_enter * } static __always_inline int _handle_exit_open(struct trace_event_raw_sys_exit *ctx, __u32 op_id) { - if (filter()) + __u32 pid, tid; + if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); @@ -30,7 +33,8 @@ static __always_inline int _handle_exit_open(struct trace_event_raw_sys_exit *ct return 0; ev->op_id = op_id; - ev->pid_tgid = bpf_get_current_pid_tgid(); + ev->pid = pid; + ev->tid = tid; ev->time = bpf_ktime_get_ns(); ev->fd = ctx->ret; diff --git a/internal/c/tracepoints/write.c b/internal/c/tracepoints/write.c index 262cb48..7caff5d 100644 --- a/internal/c/tracepoints/write.c +++ b/internal/c/tracepoints/write.c @@ -2,7 +2,8 @@ SEC("tracepoint/syscalls/sys_enter_write") int handle_enter_write(struct trace_event_raw_sys_enter *ctx) { - if (filter()) + __u32 pid, tid; + if (filter(&pid, &tid)) return 0; struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct fd_event), 0); 
@@ -10,7 +11,8 @@ int handle_enter_write(struct trace_event_raw_sys_enter *ctx) { return 0; ev->op_id = WRITE_ENTER_OP_ID; - ev->pid_tgid = bpf_get_current_pid_tgid(); + ev->pid = pid; + ev->tid = tid; ev->time = bpf_ktime_get_ns(); ev->fd = (int)ctx->args[0]; @@ -20,7 +22,8 @@ int handle_enter_write(struct trace_event_raw_sys_enter *ctx) { SEC("tracepoint/syscalls/sys_exit_write") int handle_exit_write(struct trace_event_raw_sys_enter *ctx) { - if (filter()) + __u32 pid, tid; + if (filter(&pid, &tid)) return 0; struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0); @@ -28,7 +31,8 @@ int handle_exit_write(struct trace_event_raw_sys_enter *ctx) { return 0; ev->op_id = WRITE_EXIT_OP_ID; - ev->pid_tgid = bpf_get_current_pid_tgid(); + ev->pid = pid; + ev->tid = tid; ev->time = bpf_ktime_get_ns(); bpf_ringbuf_submit(ev, 0); diff --git a/internal/c/types.h b/internal/c/types.h index e1d5e29..509610e 100644 --- a/internal/c/types.h +++ b/internal/c/types.h @@ -18,26 +18,24 @@ struct null_event { __u32 op_id; - __u32 pid_tgid; + __u32 pid; + __u32 tid; __u64 time; }; struct fd_event { __u32 op_id; - __u32 pid_tgid; + __u32 pid; + __u32 tid; __u64 time; __s32 fd; }; struct open_enter_event { __u32 op_id; - __u32 pid_tgid; + __u32 pid; + __u32 tid; __u64 time; char filename[MAX_FILENAME_LENGTH]; char comm[MAX_PROGNAME_LENGTH]; }; - -struct flags { - __u32 uid_filter; -}; - |
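Review bot: splitting `__u32 pid_tgid` into `__u32 pid; __u32 tid;` in the types.h hunk grows every event struct by 8 bytes (with `__u64 time` 8-byte aligned) and moves `time`, `fd`, `filename` and `comm` to new offsets, so whatever decodes these records in user space has to change in step; the diffstat is limited to internal/c, so that side is not visible here and I am assuming it lands separately. The three structs now repeat `op_id`/`pid`/`tid`/`time` verbatim; a `struct event_header` placed first in each would keep the binary layout identical and let one helper fill those four fields instead of the assignments repeated in every handler. Removing `struct flags` while filter.c still carries the commented-out `UID_FILTER` check leaves that feature half-removed; worth finishing or stating in the commit message.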
