| author | Paul Buetow <paul@buetow.org> | 2024-02-10 19:14:50 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2024-02-10 19:14:50 +0200 |
| commit | 1554f9992aef6fc92c964af866a833c6de4e806c (patch) | |
| tree | 87cd402aa912e61fd4812653ce6a376e64621ed5 /main.bpf.c | |
| parent | 465c686b125bd287db25efb26625c946ab6a4771 (diff) | |
refactor
Diffstat (limited to 'main.bpf.c')
| -rw-r--r-- | main.bpf.c | 46 |
1 files changed, 39 insertions, 7 deletions
@@ -4,10 +4,14 @@
 #include <bpf/bpf_helpers.h>
-// TODO: Make this configurable via a flag from the userland part.
+// TODO: Split out this file into several *.bpf.c programs.
+
+// TODO: Make UID_FILTER configurable via a flag from the userland part.
 // For now, this is set to my own user for development purposes.
 #define UID_FILTER 1001
+// Helper structs for opening file(s)
+
 struct open_event {
     int fd;
     int syscall_id;
@@ -47,7 +51,7 @@ int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
 }
 SEC("tracepoint/syscalls/sys_exit_open")
-int handle_exit_open(struct trace_event_raw_sys_exit *args) {
+int handle_exit_open(struct trace_event_raw_sys_exit *ctx) {
     if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
         return 0;
@@ -56,14 +60,13 @@ int handle_exit_open(struct trace_event_raw_sys_exit *args) {
     if (!eventp) {
         return 0;
     }
-    eventp->fd = args->ret;
-    bpf_perf_event_output(args, &open_event_map, BPF_F_CURRENT_CPU, eventp, sizeof(struct open_event));
+    eventp->fd = ctx->ret;
+    bpf_perf_event_output(ctx, &open_event_map, BPF_F_CURRENT_CPU, eventp, sizeof(struct open_event));
     bpf_map_delete_elem(&open_event_temp_map, &tid);
     return 0;
 }
-
 SEC("tracepoint/syscalls/sys_enter_openat")
 int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
     if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
@@ -81,11 +84,40 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
 }
 SEC("tracepoint/syscalls/sys_exit_openat")
-int handle_exit_openat(struct trace_event_raw_sys_exit *args) {
+int handle_exit_openat(struct trace_event_raw_sys_exit *ctx) {
     if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
         return 0;
-    return handle_exit_open(args);
+    return handle_exit_open(ctx);
+}
+
+// Helper structs for other syscalls on FDs
+
+struct fd_event {
+    int fd;
+    int syscall_id;
+    u32 tid;
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(u32));
+    __uint(value_size, sizeof(u32));
+} fd_event_map SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_close")
+int handle_enter_close(struct trace_event_raw_sys_enter *ctx) {
+    if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+        return 0;
+
+    struct fd_event event = {
+        .fd = (int)ctx->args[0],
+        .syscall_id = ctx->id,
+        .tid = bpf_get_current_pid_tgid(),
+    };
+    bpf_perf_event_output(ctx, &fd_event_map, BPF_F_CURRENT_CPU, &event, sizeof(struct fd_event));
+
+    return 0;
 }
 char LICENSE[] SEC("license") = "Dual BSD/GPL"; |
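Review bot: The return value of `bpf_perf_event_output` in the new `handle_enter_close` is discarded, so when the helper fails (for example no perf fd is attached on that CPU, or the ring buffer is full) the close event is lost without any trace and the userland view of which descriptors are still open silently drifts; the renamed call in the `handle_exit_open` hunk has the same gap. A minimal fix is `long rc = bpf_perf_event_output(ctx, &fd_event_map, BPF_F_CURRENT_CPU, &event, sizeof event);` followed by bumping a per-CPU drop-counter map (or at least a `bpf_printk` in a debug build) when `rc` is non-zero, so the collector can report lost events instead of assuming completeness. Separately, `.tid = bpf_get_current_pid_tgid()` relies on implicit truncation of the u64 to keep the low 32 bits; `.tid = (u32)bpf_get_current_pid_tgid(),` makes the intent explicit and matches the `(int)` cast on `.fd` two lines above. `struct fd_event` also duplicates `struct open_event` field for field; if the two are meant to diverge later, a comment saying so would help, otherwise one struct would do.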
