#include "vmlinux.h"
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
// typedef void (*btf_trace_sys_enter)(void *, struct pt_regs *, long int);
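/*
 * Trace fchmodat(2) at syscall entry and print
 * "<tgid> fchmodat <pathname> <mode>" to the kernel trace pipe.
 *
 * The program is attached to the BTF-typed raw tracepoint sys_enter, so it is
 * invoked for syscall entries in general and discards everything except
 * fchmodat on the first comparison.
 *
 * Coverage notes for anyone relying on this as a permission-change monitor:
 *  - 268 is the x86_64 syscall number for fchmodat. Other architectures use
 *    different numbers, so the filter has to be adjusted when building for
 *    them.
 *  - chmod(2), fchmod(2) and fchmodat2(2) are separate syscalls and are not
 *    matched by this filter.
 *  - pathname is copied from user memory at entry, is truncated to
 *    sizeof(pathname) bytes including the terminator, and is relative to
 *    dirfd unless it is absolute. The kernel reads the path again when it
 *    carries out the syscall, so the logged string is advisory rather than
 *    authoritative.
 *  - bpf_trace_printk() is a debugging channel shared with other BPF
 *    programs; a ring buffer or perf buffer is the usual choice for durable
 *    events.
 *
 * Returns 0 in every case.
 */
SEC("tp_btf/sys_enter")
int BPF_PROG(btf_raw_tracepoint__sys_enter, struct pt_regs *regs, long int id) {
    if (id != 268) /* fchmodat (x86_64 numbering) */
        return 0;

    struct task_struct *task = (struct task_struct *)bpf_get_current_task_btf();

    /* int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); */
    char pathname[256];
    char *pathname_ptr = (char *)PT_REGS_PARM2_CORE(regs);

    /*
     * The user pointer may be NULL or unmapped. Do not depend on what the
     * helper leaves in the buffer on failure: force an empty string so the
     * event is still emitted and no stale stack bytes are printed.
     */
    long copied = bpf_core_read_user_str(&pathname, sizeof(pathname), pathname_ptr);
    if (copied < 0)
        pathname[0] = '\0';

    u32 mode = (u32)PT_REGS_PARM3_CORE(regs);

    /* The format string lives on the BPF stack; its size includes the NUL. */
    char fmt[] = "%d fchmodat %s %d\n";
    bpf_trace_printk(fmt, sizeof(fmt), task->tgid, &pathname, mode);
    return 0;
}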
/*
 * License string emitted into the "license" ELF section. The kernel checks it
 * at load time; GPL-only helpers such as bpf_trace_printk() are refused for
 * programs that do not declare a GPL-compatible license.
 */
char _license[] SEC("license") = "GPL";