//+build ignore
#define SYS_EXIT_OPEN 1
#define SYS_ENTER_OPEN 2
#define SYS_EXIT_OPENAT 3
#define SYS_ENTER_OPENAT 4
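/*
 * Shared body for the sys_enter_open / sys_enter_openat tracepoints.
 *
 * Emits one open_enter_event into event_map for tasks accepted by filter().
 * The syscall's pathname argument lives in user memory, so it is copied with
 * bpf_probe_read_user_str(); the read is best effort and its result is not
 * checked, so a failed read leaves filename as the zeroed buffer.
 *
 * @ctx         raw tracepoint context for the syscall entry
 * @syscall_id  SYS_ENTER_OPEN or SYS_ENTER_OPENAT, stored in the event and used
 *              to locate the pathname argument (open(2) passes it as args[0],
 *              openat(2) as args[1] after dirfd)
 * @return      always 0 (tracepoint programs do not influence the syscall)
 */
static __always_inline int _handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx, __u32 syscall_id) {
    __u32 pid, tid;
    /* filter() decides whether this task is traced and yields its pid/tid. */
    if (filter(&pid, &tid))
        return 0;

    struct open_enter_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0; /* ring buffer full: the event is dropped */

    /*
     * Ring buffer slots are re-used, so clear the whole record (padding
     * included) before filling it. The previous single memset over
     * filename+comm silently depended on the two arrays being adjacent in
     * the struct; clearing the entire event has no such layout assumption.
     */
    __builtin_memset(ev, 0, sizeof(*ev));
    ev->event_type = ENTER_OPEN_EVENT;
    ev->syscall_id = syscall_id;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_ns() / 1000; /* ns -> us */

    /*
     * open(2) takes the pathname as its first argument, openat(2) as its
     * second; reading args[1] for both left open(2) reading its flags value
     * as a user pointer.
     */
    const void *user_path = (syscall_id == SYS_ENTER_OPEN) ? (const void *)ctx->args[0]
                                                           : (const void *)ctx->args[1];
    bpf_probe_read_user_str(ev->filename, sizeof(ev->filename), user_path);
    bpf_get_current_comm(ev->comm, sizeof(ev->comm));
    bpf_ringbuf_submit(ev, 0);
    return 0;
}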
/*
 * Shared body for the sys_exit_open / sys_exit_openat tracepoints.
 *
 * Records the syscall's return value for a task accepted by filter() as an
 * fd_event in event_map. ctx->ret is the raw syscall result, so it is a
 * negative errno when the open failed; consumers must check it before
 * treating fd as a valid descriptor.
 *
 * @ctx         raw tracepoint context for the syscall exit
 * @syscall_id  SYS_EXIT_OPEN or SYS_EXIT_OPENAT, stored in the event
 * @return      always 0
 */
static __always_inline int _handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx, __u32 syscall_id) {
    __u32 pid = 0, tid = 0;
    if (filter(&pid, &tid) != 0)
        return 0;

    struct fd_event *ev = bpf_ringbuf_reserve(&event_map, sizeof(*ev), 0);
    if (!ev)
        return 0; /* no space in the ring buffer: drop the event */

    /* Note: no fields are cleared here; fd_event carries no string buffers. */
    ev->event_type = EXIT_FD_EVENT;
    ev->syscall_id = syscall_id;
    ev->pid = pid;
    ev->tid = tid;
    ev->time = bpf_ktime_get_ns() / 1000; /* ns -> us */
    ev->fd = ctx->ret;                    /* negative errno on failure */
    bpf_ringbuf_submit(ev, 0);
    return 0;
}
/* openat(2) entry: tag the event so userspace can distinguish it from open(2). */
SEC("tracepoint/syscalls/sys_enter_openat")
int handle_sys_enter_openat(struct trace_event_raw_sys_enter *ctx) {
    const __u32 syscall_id = SYS_ENTER_OPENAT;
    return _handle_sys_enter_open(ctx, syscall_id);
}
/* openat(2) exit: report the returned fd (or negative errno) tagged as openat. */
SEC("tracepoint/syscalls/sys_exit_openat")
int handle_sys_exit_openat(struct trace_event_raw_sys_exit *ctx) {
    const __u32 syscall_id = SYS_EXIT_OPENAT;
    return _handle_sys_exit_open(ctx, syscall_id);
}
/* open(2) entry: tag the event so userspace can distinguish it from openat(2). */
SEC("tracepoint/syscalls/sys_enter_open")
int handle_sys_enter_open(struct trace_event_raw_sys_enter *ctx) {
    const __u32 syscall_id = SYS_ENTER_OPEN;
    return _handle_sys_enter_open(ctx, syscall_id);
}
/* open(2) exit: report the returned fd (or negative errno) tagged as open. */
SEC("tracepoint/syscalls/sys_exit_open")
int handle_sys_exit_open(struct trace_event_raw_sys_exit *ctx) {
    const __u32 syscall_id = SYS_EXIT_OPEN;
    return _handle_sys_exit_open(ctx, syscall_id);
}