1 /* SPDX-License-Identifier: GPL-2.0 */
2 /* Copyright (c) 2021 Facebook */
3 #include <vmlinux.h>
4 #include <bpf/bpf_helpers.h>
5 #include <bpf/bpf_tracing.h>
6 #include "bashreadline.h"
7
8 #define TASK_COMM_LEN 16
9
10 struct {
11 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
12 __uint(key_size, sizeof(__u32));
13 __uint(value_size, sizeof(__u32));
14 } events SEC(".maps");
15
16 SEC("uretprobe/readline")
BPF_KRETPROBE(printret,const void * ret)17 int BPF_KRETPROBE(printret, const void *ret) {
18 struct str_t data;
19 char comm[TASK_COMM_LEN];
20 u32 pid;
21
22 if (!ret)
23 return 0;
24
25 bpf_get_current_comm(&comm, sizeof(comm));
26 if (comm[0] != 'b' || comm[1] != 'a' || comm[2] != 's' || comm[3] != 'h' || comm[4] != 0 )
27 return 0;
28
29 pid = bpf_get_current_pid_tgid() >> 32;
30 data.pid = pid;
31 bpf_probe_read_user_str(&data.str, sizeof(data.str), ret);
32
33 bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
34
35 return 0;
36 };
37
38 char LICENSE[] SEC("license") = "GPL";
39