xref: /linux/samples/bpf/tracex5.bpf.c (revision a23e1966932464e1c5226cb9ac4ce1d5fc10ba22)
/* Copyright (c) 2015 PLUMgrid, http://plumgrid.com
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of version 2 of the GNU General Public
 * License as published by the Free Software Foundation.
 */
7e7e6c774SDaniel T. Lee #include "vmlinux.h"
84b7190e8SDavid Daney #include "syscall_nrs.h"
9e7e6c774SDaniel T. Lee #include <linux/version.h>
10e7e6c774SDaniel T. Lee #include <uapi/linux/unistd.h>
117cf245a3SToke Høiland-Jørgensen #include <bpf/bpf_helpers.h>
127cf245a3SToke Høiland-Jørgensen #include <bpf/bpf_tracing.h>
13*11430421SDaniel T. Lee #include <bpf/bpf_core_read.h>
145bacd780SAlexei Starovoitov 
/* Turn a preprocessor token into a string literal. */
#define __stringify(tok) #tok

/*
 * PROG(name) opens the definition of a BPF program: it places the function
 * in an ELF section called "kprobe/<name>" and declares it as
 * int bpf_func_<name>; the caller supplies the parameter list and body.
 *
 * The argument handed to __stringify() is macro-expanded first, so when it
 * is itself an object-like macro the section name carries its expansion,
 * whereas the ## paste keeps the spelling as written.
 * NOTE(review): the SYS__NR_* names presumably come from syscall_nrs.h and
 * expand to syscall numbers - confirm against that header.
 */
#define PROG(name) SEC("kprobe/"__stringify(name)) int bpf_func_##name
175bacd780SAlexei Starovoitov 
/*
 * Program array used as a jump table: bpf_prog1() tail-calls into it with
 * the syscall number as the index. Nothing in this file fills the slots;
 * presumably the user-space loader installs the PROG() programs - confirm
 * against the loader. An empty slot makes the tail call fall through.
 */
struct {
	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
	__uint(key_size, sizeof(u32));
	__uint(value_size, sizeof(u32));
#ifndef __mips__
	__uint(max_entries, 1024);
#else
	/* MIPS n64 syscalls start at 5000, so the table must reach past that */
	__uint(max_entries, 6000);
#endif
} progs SEC(".maps");
285bacd780SAlexei Starovoitov 
/*
 * Entry program, attached as a kprobe on __seccomp_filter.
 *
 * Takes the first probed argument as the syscall number and tries to
 * tail-call the program stored at that index in the progs map. Only
 * syscalls that actually enter __seccomp_filter are observed here.
 *
 * Always returns 0.
 */
SEC("kprobe/__seccomp_filter")
int bpf_prog1(struct pt_regs *ctx)
{
	int nr = (int)PT_REGS_PARM1(ctx);

	/* hand over to the per-syscall program, if one is installed */
	bpf_tail_call(ctx, &progs, nr);

	/*
	 * Reaching this point means the tail call did not happen (no program
	 * at that index): report only the getuid..getsid range.
	 */
	if (nr < __NR_getuid || nr > __NR_getsid)
		return 0;

	char msg[] = "syscall=%d (one of get/set uid/pid/gid)\n";

	bpf_trace_printk(msg, sizeof(msg), nr);
	return 0;
}
445bacd780SAlexei Starovoitov 
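/*
 * Tail-call target: we jump here when syscall number == __NR_write.
 *
 * Copies the struct seccomp_data that the second probed argument points to
 * and logs the call when the third syscall argument (the size) is exactly
 * 512. Always returns 0.
 */
PROG(SYS__NR_write)(struct pt_regs *ctx)
{
	struct seccomp_data sd;

	/*
	 * The pointer comes straight from the probed registers, so the copy
	 * can fail. Skip the event instead of filtering on a struct that was
	 * never filled in.
	 */
	if (bpf_core_read(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)))
		return 0;

	if (sd.args[2] == 512) {
		/*
		 * NOTE(review): args[] are wider than the %d conversions used
		 * here; fine for the small fd/size values this sample prints,
		 * confirm before reusing the format elsewhere.
		 */
		char fmt[] = "write(fd=%d, buf=%p, size=%d)\n";

		bpf_trace_printk(fmt, sizeof(fmt),
				 sd.args[0], sd.args[1], sd.args[2]);
	}
	return 0;
}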
585bacd780SAlexei Starovoitov 
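/*
 * Tail-call target for the read syscall slot.
 *
 * Copies the struct seccomp_data that the second probed argument points to
 * and logs the call when the third syscall argument (the size) is in the
 * range 129..1024. Always returns 0.
 */
PROG(SYS__NR_read)(struct pt_regs *ctx)
{
	struct seccomp_data sd;

	/*
	 * The pointer comes straight from the probed registers, so the copy
	 * can fail. Skip the event instead of filtering on a struct that was
	 * never filled in.
	 */
	if (bpf_core_read(&sd, sizeof(sd), (void *)PT_REGS_PARM2(ctx)))
		return 0;

	if (sd.args[2] > 128 && sd.args[2] <= 1024) {
		/*
		 * NOTE(review): args[] are wider than the %d conversions used
		 * here; fine for the small fd/size values this sample prints,
		 * confirm before reusing the format elsewhere.
		 */
		char fmt[] = "read(fd=%d, buf=%p, size=%d)\n";

		bpf_trace_printk(fmt, sizeof(fmt),
				 sd.args[0], sd.args[1], sd.args[2]);
	}
	return 0;
}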
715bacd780SAlexei Starovoitov 
#ifdef __NR_mmap2
/*
 * Tail-call target for the mmap2 slot; built only where __NR_mmap2 is
 * defined. Emits a fixed trace line and returns 0. No syscall arguments
 * are read.
 */
PROG(SYS__NR_mmap2)(struct pt_regs *ctx)
{
	char msg[] = "mmap2\n";

	bpf_trace_printk(msg, sizeof(msg));

	return 0;
}
#endif
81bb4b5c08SIvan Khoronzhuk 
#ifdef __NR_mmap
/*
 * Tail-call target for the mmap slot; built only where __NR_mmap is
 * defined. Emits a fixed trace line and returns 0. No syscall arguments
 * are read.
 */
PROG(SYS__NR_mmap)(struct pt_regs *ctx)
{
	char msg[] = "mmap\n";

	bpf_trace_printk(msg, sizeof(msg));

	return 0;
}
#endif
915bacd780SAlexei Starovoitov 
/* Kernel version code this object was built against ("version" section). */
u32 _version SEC("version") = LINUX_VERSION_CODE;
/* License string for the object ("license" section). */
char _license[] SEC("license") = "GPL";