1// SPDX-License-Identifier: GPL-2.0
2/* Copyright 2022 Sony Group Corporation */
3#include <vmlinux.h>
4
5#include <bpf/bpf_core_read.h>
6#include <bpf/bpf_helpers.h>
7#include <bpf/bpf_tracing.h>
8#include "bpf_misc.h"
9
10int arg1 = 0;
11unsigned long arg2 = 0;
12unsigned long arg3 = 0;
13unsigned long arg4_cx = 0;
14unsigned long arg4 = 0;
15unsigned long arg5 = 0;
16
17int arg1_core = 0;
18unsigned long arg2_core = 0;
19unsigned long arg3_core = 0;
20unsigned long arg4_core_cx = 0;
21unsigned long arg4_core = 0;
22unsigned long arg5_core = 0;
23
24int option_syscall = 0;
25unsigned long arg2_syscall = 0;
26unsigned long arg3_syscall = 0;
27unsigned long arg4_syscall = 0;
28unsigned long arg5_syscall = 0;
29
30const volatile pid_t filter_pid = 0;
31
32SEC("kprobe/" SYS_PREFIX "sys_prctl")
33int BPF_KPROBE(handle_sys_prctl)
34{
35 struct pt_regs *real_regs;
36 pid_t pid = bpf_get_current_pid_tgid() >> 32;
37 unsigned long tmp = 0;
38
39 if (pid != filter_pid)
40 return 0;
41
42 real_regs = PT_REGS_SYSCALL_REGS(ctx);
43
44 /* test for PT_REGS_PARM */
45
46 bpf_probe_read_kernel(&tmp, sizeof(tmp), &PT_REGS_PARM1_SYSCALL(real_regs));
47 arg1 = tmp;
48 bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(real_regs));
49 bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(real_regs));
50 bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(real_regs));
51 bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(real_regs));
52 bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(real_regs));
53
54 /* test for the CORE variant of PT_REGS_PARM */
55 arg1_core = PT_REGS_PARM1_CORE_SYSCALL(real_regs);
56 arg2_core = PT_REGS_PARM2_CORE_SYSCALL(real_regs);
57 arg3_core = PT_REGS_PARM3_CORE_SYSCALL(real_regs);
58 arg4_core_cx = PT_REGS_PARM4_CORE(real_regs);
59 arg4_core = PT_REGS_PARM4_CORE_SYSCALL(real_regs);
60 arg5_core = PT_REGS_PARM5_CORE_SYSCALL(real_regs);
61
62 return 0;
63}
64
65SEC("ksyscall/prctl")
66int BPF_KSYSCALL(prctl_enter, int option, unsigned long arg2,
67 unsigned long arg3, unsigned long arg4, unsigned long arg5)
68{
69 pid_t pid = bpf_get_current_pid_tgid() >> 32;
70
71 if (pid != filter_pid)
72 return 0;
73
74 option_syscall = option;
75 arg2_syscall = arg2;
76 arg3_syscall = arg3;
77 arg4_syscall = arg4;
78 arg5_syscall = arg5;
79 return 0;
80}
81
82__u64 splice_fd_in;
83__u64 splice_off_in;
84__u64 splice_fd_out;
85__u64 splice_off_out;
86__u64 splice_len;
87__u64 splice_flags;
88
89SEC("ksyscall/splice")
90int BPF_KSYSCALL(splice_enter, int fd_in, loff_t *off_in, int fd_out,
91 loff_t *off_out, size_t len, unsigned int flags)
92{
93 pid_t pid = bpf_get_current_pid_tgid() >> 32;
94
95 if (pid != filter_pid)
96 return 0;
97
98 splice_fd_in = fd_in;
99 splice_off_in = (__u64)off_in;
100 splice_fd_out = fd_out;
101 splice_off_out = (__u64)off_out;
102 splice_len = len;
103 splice_flags = flags;
104
105 return 0;
106}
107
108char _license[] SEC("license") = "GPL";
1// SPDX-License-Identifier: GPL-2.0
2/* Copyright 2022 Sony Group Corporation */
3#include <vmlinux.h>
4
5#include <bpf/bpf_core_read.h>
6#include <bpf/bpf_helpers.h>
7#include <bpf/bpf_tracing.h>
8#include "bpf_misc.h"
9
10int arg1 = 0;
11unsigned long arg2 = 0;
12unsigned long arg3 = 0;
13unsigned long arg4_cx = 0;
14unsigned long arg4 = 0;
15unsigned long arg5 = 0;
16
17int arg1_core = 0;
18unsigned long arg2_core = 0;
19unsigned long arg3_core = 0;
20unsigned long arg4_core_cx = 0;
21unsigned long arg4_core = 0;
22unsigned long arg5_core = 0;
23
24int option_syscall = 0;
25unsigned long arg2_syscall = 0;
26unsigned long arg3_syscall = 0;
27unsigned long arg4_syscall = 0;
28unsigned long arg5_syscall = 0;
29
30const volatile pid_t filter_pid = 0;
31
32SEC("kprobe/" SYS_PREFIX "sys_prctl")
33int BPF_KPROBE(handle_sys_prctl)
34{
35 struct pt_regs *real_regs;
36 pid_t pid = bpf_get_current_pid_tgid() >> 32;
37 unsigned long tmp = 0;
38
39 if (pid != filter_pid)
40 return 0;
41
42 real_regs = PT_REGS_SYSCALL_REGS(ctx);
43
44 /* test for PT_REGS_PARM */
45
46#if !defined(bpf_target_arm64) && !defined(bpf_target_s390)
47 bpf_probe_read_kernel(&tmp, sizeof(tmp), &PT_REGS_PARM1_SYSCALL(real_regs));
48#endif
49 arg1 = tmp;
50 bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(real_regs));
51 bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(real_regs));
52 bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(real_regs));
53 bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(real_regs));
54 bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(real_regs));
55
56 /* test for the CORE variant of PT_REGS_PARM */
57 arg1_core = PT_REGS_PARM1_CORE_SYSCALL(real_regs);
58 arg2_core = PT_REGS_PARM2_CORE_SYSCALL(real_regs);
59 arg3_core = PT_REGS_PARM3_CORE_SYSCALL(real_regs);
60 arg4_core_cx = PT_REGS_PARM4_CORE(real_regs);
61 arg4_core = PT_REGS_PARM4_CORE_SYSCALL(real_regs);
62 arg5_core = PT_REGS_PARM5_CORE_SYSCALL(real_regs);
63
64 return 0;
65}
66
67SEC("ksyscall/prctl")
68int BPF_KSYSCALL(prctl_enter, int option, unsigned long arg2,
69 unsigned long arg3, unsigned long arg4, unsigned long arg5)
70{
71 pid_t pid = bpf_get_current_pid_tgid() >> 32;
72
73 if (pid != filter_pid)
74 return 0;
75
76 option_syscall = option;
77 arg2_syscall = arg2;
78 arg3_syscall = arg3;
79 arg4_syscall = arg4;
80 arg5_syscall = arg5;
81 return 0;
82}
83
84__u64 splice_fd_in;
85__u64 splice_off_in;
86__u64 splice_fd_out;
87__u64 splice_off_out;
88__u64 splice_len;
89__u64 splice_flags;
90
91SEC("ksyscall/splice")
92int BPF_KSYSCALL(splice_enter, int fd_in, loff_t *off_in, int fd_out,
93 loff_t *off_out, size_t len, unsigned int flags)
94{
95 pid_t pid = bpf_get_current_pid_tgid() >> 32;
96
97 if (pid != filter_pid)
98 return 0;
99
100 splice_fd_in = fd_in;
101 splice_off_in = (__u64)off_in;
102 splice_fd_out = fd_out;
103 splice_off_out = (__u64)off_out;
104 splice_len = len;
105 splice_flags = flags;
106
107 return 0;
108}
109
110char _license[] SEC("license") = "GPL";
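Review bot: The `#if !defined(bpf_target_arm64) && !defined(bpf_target_s390)` guard around the `PT_REGS_PARM1_SYSCALL` read in the second listing's `handle_sys_prctl` has no comment saying why these two targets are excluded, and on them `arg1 = tmp;` still runs and stores the initial 0 as if it were a captured value. I would add a comment above the guard such as `/* arm64, s390: PT_REGS_PARM1_SYSCALL read is skipped, arg1 stays 0 on these targets */`, followed by the actual reason (presumably the first syscall argument is not reachable through an addressable pt_regs field there; confirm against bpf_tracing.h). Moving `arg1 = tmp;` inside the `#if` would make the skipped case explicit instead of relying on `tmp` being zero-initialised. The user-space half of the test is not visible on this page; it has to skip the `arg1` comparison on these targets, otherwise it checks a constant 0 rather than the prctl option.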