#include "vmlinux.h"
#include "common.h"
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
/* Ring buffer that carries completed-open events to user space. */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024); /* 256 KiB */
} events SEC(".maps");

/*
 * Scratch storage bridging fentry and fexit of do_sys_openat2: one
 * partially filled event per thread id, removed again at fexit.
 */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, pid_t);
    __type(value, struct event);
    __uint(max_entries, 10240);
} tmp_map SEC(".maps");
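SEC("fentry/do_sys_openat2")
int BPF_PROG(fentry__do_sys_openat2, int dfd, const char *filename, struct open_how *how) {
    /*
     * Record the caller's pid and the requested pathname at syscall entry,
     * keyed by thread id, so the fexit program can pair them with the
     * syscall's return value. Always returns 0.
     */
    __u64 pid_tgid = bpf_get_current_pid_tgid(); /* read once, split below */
    pid_t tid = (pid_t)pid_tgid;                 /* low 32 bits: thread id */
    struct event e = {0};

    e.pid = pid_tgid >> 32;                      /* high 32 bits: tgid (pid) */
    /* If the user-space read fails the buffer stays zeroed (empty pathname);
       the record is still kept so the return value is not lost at fexit. */
    bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename);
    /* BPF_ANY: a thread has at most one openat2 in flight, so any entry
       already present for this tid is stale and must be overwritten rather
       than block this record the way BPF_NOEXIST would. */
    bpf_map_update_elem(&tmp_map, &tid, &e, BPF_ANY);
    return 0;
}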
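SEC("fexit/do_sys_openat2")
int BPF_PROG(fexit__do_sys_openat2, int dfd, const char *filename, struct open_how *how, long ret) {
    /*
     * Emit one ring-buffer event per completed openat2: join the pid and
     * pathname captured at fentry (tmp_map, keyed by tid) with the syscall's
     * return value. Always returns 0.
     */
    pid_t tid = (pid_t)bpf_get_current_pid_tgid();
    struct event *tmp = bpf_map_lookup_elem(&tmp_map, &tid);
    if (!tmp) {
        /* No fentry record for this thread (e.g. tmp_map was full). */
        return 0;
    }

    struct event *e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
    if (e) {
        e->ret = ret;
        e->pid = tmp->pid;
        __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename));
        bpf_ringbuf_submit(e, 0);
    }
    /* Drop the per-tid record even when the ring buffer was full: a leftover
       entry would otherwise be attributed to this thread's next openat2 and
       emit a stale pathname with the wrong return value. */
    bpf_map_delete_elem(&tmp_map, &tid);
    return 0;
}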
/* License string exported to the kernel; some of the helpers used above
   (ring buffer / user-memory reads) are only available to GPL programs. */
char _license[] SEC("license") = "GPL";