Diffstat (limited to 'main.bpf.c')
-rw-r--r--main.bpf.c27
1 files changed, 15 insertions, 12 deletions
diff --git a/main.bpf.c b/main.bpf.c
index 1c0d946..d494991 100644
--- a/main.bpf.c
+++ b/main.bpf.c
@@ -4,17 +4,9 @@
#include <bpf/bpf_helpers.h>
-struct value {
- int x;
- char y;
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __type(key, u32);
- __type(value, struct value);
- __uint(max_entries, 1 << 24);
-} tester SEC(".maps");
+// TODO: Make this configurable via a flag from the userland part.
+// For now, this is set to my own user for development purposes.
+#define UID_FILTER 1001
struct openat_event {
int fd;
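Review bot: `#define UID_FILTER 1001` bakes a developer-specific uid into the object, and the TODO above it already says the value should come from userland; the usual libbpf way to do that without a recompile is a read-only global that the loader fills in through the skeleton before load, e.g. `const volatile u32 uid_filter = 1001;` in place of the macro, with the comparisons reading `uid_filter`. The verifier treats such a `.rodata` value as a constant, so the early-return in each handler stays as cheap as the macro form. `struct openat_event` continues past the end of this hunk.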
@@ -40,10 +32,12 @@ struct {
SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
u32 tid = bpf_get_current_pid_tgid();
struct openat_event event = { .syscall_id = ctx->id };
-
bpf_probe_read_user_str(event.filename, sizeof(event.filename), (void *)ctx->args[0]);
bpf_get_current_comm(&event.comm, sizeof(event.comm));
event.tid = tid;
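Review bot: The added guard `if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)` is repeated verbatim in this hunk and in the sys_exit_open, sys_enter_openat and sys_exit_openat hunks below, and none of the four copies say why the low 32 bits are masked off. Factoring it into one small inline helper documents the uid/gid packing once and keeps the four entry points in step if the filter later becomes a loader-set variable. The rest of `handle_enter_open` runs past the end of this hunk.
```c
// bpf_get_current_uid_gid() packs uid in the low 32 bits and gid in the high 32;
// only the uid is filtered here.
static __always_inline int uid_matches_filter(void)
{
	return (u32)bpf_get_current_uid_gid() == UID_FILTER;
}

SEC("tracepoint/syscalls/sys_enter_open")
int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
	if (!uid_matches_filter())
		return 0;
	/* … unchanged: tid, event population, map update … */
```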
@@ -54,6 +48,9 @@ int handle_enter_open(struct trace_event_raw_sys_enter *ctx) {
SEC("tracepoint/syscalls/sys_exit_open")
int handle_exit_open(struct trace_event_raw_sys_exit *args) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
u32 tid = bpf_get_current_pid_tgid();
struct openat_event *eventp = bpf_map_lookup_elem(&temp_events, &tid);
if (!eventp) {
@@ -69,6 +66,9 @@ int handle_exit_open(struct trace_event_raw_sys_exit *args) {
SEC("tracepoint/syscalls/sys_enter_openat")
int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
u32 tid = bpf_get_current_pid_tgid();
struct openat_event event = { .syscall_id = ctx->id };
@@ -82,6 +82,9 @@ int handle_enter_openat(struct trace_event_raw_sys_enter *ctx) {
SEC("tracepoint/syscalls/sys_exit_openat")
int handle_exit_openat(struct trace_event_raw_sys_exit *args) {
+ if ((bpf_get_current_uid_gid() & 0xFFFFFFFF) != UID_FILTER)
+ return 0;
+
return handle_exit_open(args);
}
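Review bot: The uid guard added at the top of `handle_exit_openat` is redundant: the only thing the function does afterwards is `return handle_exit_open(args);`, and `handle_exit_open` now performs the identical check as its first statement, so the filtered path calls `bpf_get_current_uid_gid()` twice and returns 0 either way. Dropping the three added lines here leaves behaviour unchanged, or, if the intent is to keep every tracepoint entry self-describing, a one-line comment such as `// uid filtering happens in handle_exit_open` would make the delegation explicit instead.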