// SPDX-License-Identifier: GPL-2.0
/*
 * Augment the filename syscalls with the contents of the filename pointer argument,
 * filtering out those whose filename does not start with /etc/.
 *
 * Test it with:
 *
 * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
 *
 * It'll catch some openat syscalls related to the dynamic linker and
 * the last one should be the one for '/etc/passwd'.
 *
 * This matches what is marshalled into the raw_syscalls:sys_enter payload
 * expected by the 'perf trace' beautifiers, and can be used by them unmodified,
 * which will be done as that feature is implemented in the next csets. For now
 * it will appear in a dump done by the default tracepoint handler in 'perf trace',
 * that uses bpf_output__fprintf() to just dump those contents, as done with
 * the bpf-output event associated with the __bpf_output__ map declared in
 * tools/perf/include/bpf/stdio.h.
 */
0021 
0022 #include <stdio.h>
0023 
/*
 * bpf-output map: a PERF_EVENT_ARRAY with __NR_CPUS__ entries. The enter
 * handlers in this file pass it to perf_event_output() together with
 * BPF_F_CURRENT_CPU to emit the augmented records.
 */
bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__);
0026 
/*
 * Filename payload that the enter handlers append to a syscall's argument
 * record before handing it to perf_event_output().
 */
struct augmented_filename {
    /* Assigned the return value of probe_read_str() by the enter handlers. */
    int  size;
    /* Explicitly initialized to 0 by the enter handlers. */
    int  reserved;
    /*
     * Filename bytes copied from the syscall's filename_ptr. The copy is
     * bounded by sizeof(value); longer names are presumably truncated to
     * fit - confirm against probe_read_str().
     */
    char value[64];
};
0032 
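/*
 * augmented_filename_syscall_enter(syscall) - generate the enter handler for a
 * syscall whose argument record has a filename_ptr member.
 *
 * Expands to struct augmented_enter_<syscall>_args (the syscall's argument
 * record followed by a struct augmented_filename) and to the handler itself,
 * so struct syscall_enter_<syscall>_args must be declared before the macro is
 * used.
 *
 * The handler copies the argument record with probe_read() and the filename
 * with probe_read_str(), never dereferencing filename_ptr directly. It returns
 * 0 when the filename could not be read or does not start with "/etc/";
 * otherwise it returns the result of perf_event_output(). The emitted length
 * covers the fixed part of the record plus filename.size bytes of the name.
 */
#define augmented_filename_syscall_enter(syscall)                                              \
struct augmented_enter_##syscall##_args {                                                      \
    struct syscall_enter_##syscall##_args   args;                                              \
    struct augmented_filename               filename;                                          \
};                                                                                             \
int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args)                        \
{                                                                                              \
    char etc[6] = "/etc/";                                                                     \
    struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, };      \
    probe_read(&augmented_args.args, sizeof(augmented_args.args), args);                       \
    augmented_args.filename.size = probe_read_str(&augmented_args.filename.value,              \
                                                  sizeof(augmented_args.filename.value),       \
                                                  args->filename_ptr);                         \
    /* A failed read (presumably a negative return, TODO confirm) must not reach the */        \
    /* length computation below, where it would shrink the record below its fixed part */      \
    if (augmented_args.filename.size < 0)                                                      \
        return 0;                                                                              \
    /* Match the whole "/etc/" prefix: "/etc" via the builtin, then the trailing '/', */       \
    /* so that names such as "/etcfoo" are not let through */                                  \
    if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0 ||                        \
        augmented_args.filename.value[4] != etc[4])                                            \
        return 0;                                                                              \
    /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */     \
    return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU,                 \
                             &augmented_args,                                                  \
                             (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \
                              augmented_args.filename.size));                                  \
}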
0054 
/*
 * Argument record received by the openat enter handler.
 * NOTE(review): presumably mirrors the layout of the openat enter tracepoint
 * record - verify against the tracepoint format before changing any member.
 */
struct syscall_enter_openat_args {
    unsigned long long common_tp_fields;
    long               syscall_nr;
    long               dfd;
    /* Only ever read through probe_read_str() by the generated handler. */
    char               *filename_ptr;
    long               flags;
    long               mode;
};
0063 
/* Emit struct augmented_enter_openat_args and the openat enter handler. */
augmented_filename_syscall_enter(openat);
0065 
/*
 * Argument record received by the open enter handler; same members as the
 * openat record except that there is no dfd.
 * NOTE(review): presumably mirrors the layout of the open enter tracepoint
 * record - verify against the tracepoint format before changing any member.
 */
struct syscall_enter_open_args {
    unsigned long long common_tp_fields;
    long               syscall_nr;
    /* Only ever read through probe_read_str() by the generated handler. */
    char               *filename_ptr;
    long               flags;
    long               mode;
};
0073 
/* Emit struct augmented_enter_open_args and the open enter handler. */
augmented_filename_syscall_enter(open);
0075 
/*
 * Declare the program's license as GPL.
 * NOTE(review): license() is defined outside this file; presumably it emits
 * the license string checked when the program is loaded - confirm.
 */
license(GPL);