authorPaul Buetow <paul@buetow.org>2026-05-20 22:43:32 +0300
committerPaul Buetow <paul@buetow.org>2026-05-20 22:43:32 +0300
commit6ca4d5ddacaff05d8bd82a5e9a6dfbb39ac111c9 (patch)
treea0b4469a9eb96bfb0b5a09d5f086219782040982 /internal/c
parent7a9839917461b12c810329ccb8fd3c6de06902d2 (diff)
feat: add keyctl ptrace perf_event_open tracing (task 77)
Diffstat (limited to 'internal/c')
-rw-r--r--internal/c/generated_tracepoints.c61
-rw-r--r--internal/c/generated_tracepoints_result.txt10
-rw-r--r--internal/c/types.h44
3 files changed, 95 insertions, 20 deletions
diff --git a/internal/c/generated_tracepoints.c b/internal/c/generated_tracepoints.c
index d14f5ef..b7fa686 100644
--- a/internal/c/generated_tracepoints.c
+++ b/internal/c/generated_tracepoints.c
@@ -2294,7 +2294,7 @@ int handle_sys_exit_lsm_list_modules(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_add_key is a struct null_event
+/// sys_enter_add_key is a struct keyctl_event
SEC("tracepoint/syscalls/sys_enter_add_key")
int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -2304,15 +2304,18 @@ int handle_sys_enter_add_key(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_ADD_KEY))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_KEYCTL_EVENT;
ev->trace_id = SYS_ENTER_ADD_KEY;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->option = -1;
+ ev->key_serial = (__s32)ctx->args[4];
+ ev->value = (__u64)ctx->args[3];
bpf_ringbuf_submit(ev, 0);
return 0;
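Review bot: The `ev->option = -1` sentinel here (and `-2` in the request_key hunk below) is a magic value a consumer cannot decode from the struct alone, since `option` otherwise carries the real keyctl(2) operation code from `ctx->args[0]`. The negative values cannot collide with a genuine operation because the kernel's KEYCTL_* codes are non-negative, but that reasoning lives only in the author's head; a comment at the assignment, `ev->option = -1; /* not a keyctl(2) op: trace_id identifies add_key; key_serial = dest keyring (arg 4), value = plen (arg 3) */`, plus the matching one in request_key (`value = 0`, key_serial = dest keyring from arg 3), would make the encoding explicit, or the two sentinels could become named constants next to `ENTER_KEYCTL_EVENT` in types.h. The enclosing handle_sys_enter_add_key begins above this hunk.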
@@ -2344,7 +2347,7 @@ int handle_sys_exit_add_key(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_request_key is a struct null_event
+/// sys_enter_request_key is a struct keyctl_event
SEC("tracepoint/syscalls/sys_enter_request_key")
int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -2354,15 +2357,18 @@ int handle_sys_enter_request_key(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_REQUEST_KEY))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_KEYCTL_EVENT;
ev->trace_id = SYS_ENTER_REQUEST_KEY;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->option = -2;
+ ev->key_serial = (__s32)ctx->args[3];
+ ev->value = 0;
bpf_ringbuf_submit(ev, 0);
return 0;
@@ -2394,7 +2400,7 @@ int handle_sys_exit_request_key(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_keyctl is a struct null_event
+/// sys_enter_keyctl is a struct keyctl_event
SEC("tracepoint/syscalls/sys_enter_keyctl")
int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -2404,15 +2410,18 @@ int handle_sys_enter_keyctl(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_KEYCTL))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct keyctl_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct keyctl_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_KEYCTL_EVENT;
ev->trace_id = SYS_ENTER_KEYCTL;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->option = (__s32)ctx->args[0];
+ ev->key_serial = (__s32)ctx->args[1];
+ ev->value = (__u64)ctx->args[2];
bpf_ringbuf_submit(ev, 0);
return 0;
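Review bot: `ev->value = (__u64)ctx->args[2]` stores the third keyctl(2) argument raw, but its meaning depends entirely on `option`: for some operations it is another key serial, for others a length, and for operations such as KEYCTL_READ it is a user-space buffer pointer. A consumer that prints or filters on `value` as if it were a serial will misreport those cases, so the field deserves a comment at the assignment, `ev->value = (__u64)ctx->args[2]; /* raw arg 3: serial, length or user pointer depending on option; opaque without it */`. The enclosing handle_sys_enter_keyctl begins above this hunk.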
@@ -13050,7 +13059,7 @@ int handle_sys_exit_rseq(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_perf_event_open is a struct null_event
+/// sys_enter_perf_event_open is a struct perf_open_event
SEC("tracepoint/syscalls/sys_enter_perf_event_open")
int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -13060,15 +13069,34 @@ int handle_sys_enter_perf_event_open(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_PERF_EVENT_OPEN))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct perf_open_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct perf_open_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_PERF_OPEN_EVENT;
ev->trace_id = SYS_ENTER_PERF_EVENT_OPEN;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->attr_type = 0;
+ ev->attr_size = 0;
+ ev->config = 0;
+ if (ctx->args[0] != 0) {
+ struct __ior_perf_event_attr {
+ __u32 type;
+ __u32 size;
+ __u64 config;
+ } attr = {};
+ if (bpf_probe_read_user(&attr, sizeof(attr), (void *)ctx->args[0]) == 0) {
+ ev->attr_type = attr.type;
+ ev->attr_size = attr.size;
+ ev->config = attr.config;
+ }
+ }
+ ev->target_pid = (__s32)ctx->args[1];
+ ev->cpu = (__s32)ctx->args[2];
+ ev->group_fd = (__s32)ctx->args[3];
+ ev->flags = (__u32)ctx->args[4];
bpf_ringbuf_submit(ev, 0);
return 0;
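Review bot: When `bpf_probe_read_user` fails (or `ctx->args[0]` is NULL) the event goes out with `attr_type`, `attr_size` and `config` all zero, which is indistinguishable from a genuine attr of type 0 / config 0, i.e. PERF_TYPE_HARDWARE / PERF_COUNT_HW_CPU_CYCLES, the most common counter a consumer will see. Because the kernel rejects a perf_event_attr whose `size` is below PERF_ATTR_SIZE_VER0, `attr_size == 0` can serve as the "attr not readable" marker, and that contract should be stated where the defaults are set: `ev->attr_size = 0; /* 0 = attr not readable at entry; a kernel-accepted attr is never smaller than PERF_ATTR_SIZE_VER0 */`. The snapshot is also taken at syscall entry, before the kernel's own copy of the attr, so a caller that rewrites the struct in between can make the recorded type/config differ from what was actually opened; a one-line comment that these fields are what the caller presented at the tracepoint, not what the kernel acted on, would keep a detection consumer from over-trusting them. Lastly, the local tag `__ior_perf_event_attr` uses a double-underscore identifier that C reserves for the implementation; `ior_perf_event_attr` avoids that. The enclosing handle_sys_enter_perf_event_open begins above this hunk.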
@@ -18373,7 +18401,7 @@ int handle_sys_exit_rt_sigsuspend(struct syscall_trace_exit *ctx) {
return 0;
}
-/// sys_enter_ptrace is a struct null_event
+/// sys_enter_ptrace is a struct ptrace_event
SEC("tracepoint/syscalls/sys_enter_ptrace")
int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) {
__u32 pid, tid;
@@ -18383,15 +18411,18 @@ int handle_sys_enter_ptrace(struct syscall_trace_enter *ctx) {
if (!ior_on_syscall_enter(tid, SYS_ENTER_PTRACE))
return 0;
- struct null_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct null_event), 0);
+ struct ptrace_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(struct ptrace_event), 0);
if (!ev)
return 0;
- ev->event_type = ENTER_NULL_EVENT;
+ ev->event_type = ENTER_PTRACE_EVENT;
ev->trace_id = SYS_ENTER_PTRACE;
ev->pid = pid;
ev->tid = tid;
ev->time = bpf_ktime_get_boot_ns();
+ ev->request = (__s64)ctx->args[0];
+ ev->target_pid = (__s32)ctx->args[1];
+ ev->data = (__u64)ctx->args[3];
bpf_ringbuf_submit(ev, 0);
return 0;
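Review bot: The new `struct ptrace_event` carries an explicit `__s32 _pad` between `target_pid` and `data` that this handler never writes, and as far as I know `bpf_ringbuf_reserve` hands back the raw ring slot without clearing it, so those four bytes reach user space holding whatever an earlier record left there. That is not a kernel-memory disclosure (the ring buffer is already user-mapped) but it makes records non-deterministic and will show up as noise in any byte-level comparison or hashing of events; add `ev->_pad = 0;` next to `ev->target_pid`. It is also worth a comment that `data` (arg 3) is the poked word for PTRACE_POKE* requests and a user pointer for most others, so it is opaque without `request`, and that `addr` (arg 2) is intentionally not recorded. The enclosing handle_sys_enter_ptrace begins above this hunk.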
diff --git a/internal/c/generated_tracepoints_result.txt b/internal/c/generated_tracepoints_result.txt
index 892cb1a..0d516db 100644
--- a/internal/c/generated_tracepoints_result.txt
+++ b/internal/c/generated_tracepoints_result.txt
@@ -2,7 +2,7 @@ sys_enter_accept is a struct accept_event
sys_enter_accept4 is a struct accept_event
sys_enter_access is a struct path_event
sys_enter_acct is a struct null_event
-sys_enter_add_key is a struct null_event
+sys_enter_add_key is a struct keyctl_event
sys_enter_adjtimex is a struct null_event
sys_enter_alarm is a struct null_event
sys_enter_arch_prctl is a struct null_event
@@ -132,7 +132,7 @@ sys_enter_ioprio_set is a struct null_event
sys_enter_kcmp is a struct null_event
sys_enter_kexec_file_load is a struct null_event
sys_enter_kexec_load is a struct null_event
-sys_enter_keyctl is a struct null_event
+sys_enter_keyctl is a struct keyctl_event
sys_enter_kill is a struct null_event
sys_enter_landlock_add_rule is a struct null_event
sys_enter_landlock_create_ruleset is a struct null_event
@@ -205,7 +205,7 @@ sys_enter_open_tree_attr is a struct open_event
sys_enter_openat is a struct open_event
sys_enter_openat2 is a struct open_event
sys_enter_pause is a struct null_event
-sys_enter_perf_event_open is a struct null_event
+sys_enter_perf_event_open is a struct perf_open_event
sys_enter_personality is a struct null_event
sys_enter_pidfd_getfd is a struct fd_event
sys_enter_pidfd_open is a struct null_event
@@ -228,7 +228,7 @@ sys_enter_process_mrelease is a struct null_event
sys_enter_process_vm_readv is a struct null_event
sys_enter_process_vm_writev is a struct null_event
sys_enter_pselect6 is a struct poll_event
-sys_enter_ptrace is a struct null_event
+sys_enter_ptrace is a struct ptrace_event
sys_enter_pwrite64 is a struct fd_event
sys_enter_pwritev is a struct fd_event
sys_enter_pwritev2 is a struct fd_event
@@ -249,7 +249,7 @@ sys_enter_removexattrat is a struct path_event
sys_enter_rename is a struct name_event
sys_enter_renameat is a struct name_event
sys_enter_renameat2 is a struct name_event
-sys_enter_request_key is a struct null_event
+sys_enter_request_key is a struct keyctl_event
sys_enter_restart_syscall is a struct null_event
sys_enter_rmdir is a struct path_event
sys_enter_rseq is a struct null_event
diff --git a/internal/c/types.h b/internal/c/types.h
index 6b4785e..6fde3a1 100644
--- a/internal/c/types.h
+++ b/internal/c/types.h
@@ -41,6 +41,12 @@
#define EXIT_SLEEP_EVENT 36
#define ENTER_TWO_FD_EVENT 37
#define EXIT_TWO_FD_EVENT 38
+#define ENTER_KEYCTL_EVENT 39
+#define EXIT_KEYCTL_EVENT 40
+#define ENTER_PTRACE_EVENT 41
+#define EXIT_PTRACE_EVENT 42
+#define ENTER_PERF_OPEN_EVENT 43
+#define EXIT_PERF_OPEN_EVENT 44
#define UNCLASSIFIED 0
#define READ_CLASSIFIED 1
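Review bot: `EXIT_KEYCTL_EVENT`, `EXIT_PTRACE_EVENT` and `EXIT_PERF_OPEN_EVENT` are defined here but nothing in this commit writes them; the sys_exit_* hunks in generated_tracepoints.c are context-only, so presumably the exit handlers still emit whatever they did before. If that is intended, a trailing comment such as `/* reserved: exit side still uses the generic exit event */` on each of the three lines keeps the user-space decoder from expecting records of these types; if it is not, the exit handlers are missing from the change.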
@@ -245,3 +251,41 @@ struct two_fd_event {
__s32 fd_b;
__u64 extra;
};
+
+struct keyctl_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s32 option;
+ __s32 key_serial;
+ __u64 value;
+};
+
+struct ptrace_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __s64 request;
+ __s32 target_pid;
+ __s32 _pad;
+ __u64 data;
+};
+
+struct perf_open_event {
+ __u32 event_type;
+ __u32 trace_id;
+ __u64 time;
+ __u32 pid;
+ __u32 tid;
+ __u32 attr_type;
+ __u32 attr_size;
+ __u64 config;
+ __s32 target_pid;
+ __s32 cpu;
+ __s32 group_fd;
+ __u32 flags;
+};
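Review bot: These three structs are the wire format between the BPF programs and the user-space decoder, yet none of the fields that need interpretation is documented: `keyctl_event.option` is a keyctl(2) op code or a negative sentinel for add_key/request_key, `keyctl_event.value` and `ptrace_event.data` are raw syscall arguments whose meaning (serial, length, user pointer, poked word) depends on the op field, and `perf_open_event.attr_size == 0` is the only way to tell that the attr could not be read at entry. Per-field `//` comments stating those contracts belong here rather than in the generated .c file, since this header is what a decoder author reads. The layouts themselves look padding-free at 40, 48 and 56 bytes with every 8-byte member on an 8-byte offset; a `_Static_assert(sizeof(struct ptrace_event) == 48, "ABI")` (and the two siblings) next to the definitions would turn that from a review observation into a build-time check.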