1*387f9dfdSAndroid Build Coastguard Worker // SPDX-License-Identifier: GPL-2.0
2*387f9dfdSAndroid Build Coastguard Worker // Copyright (c) 2019 Facebook
3*387f9dfdSAndroid Build Coastguard Worker // Copyright (c) 2020 Netflix
4*387f9dfdSAndroid Build Coastguard Worker #include <vmlinux.h>
5*387f9dfdSAndroid Build Coastguard Worker #include <bpf/bpf_helpers.h>
6*387f9dfdSAndroid Build Coastguard Worker #include "opensnoop.h"
7*387f9dfdSAndroid Build Coastguard Worker
8*387f9dfdSAndroid Build Coastguard Worker const volatile pid_t targ_pid = 0;
9*387f9dfdSAndroid Build Coastguard Worker const volatile pid_t targ_tgid = 0;
10*387f9dfdSAndroid Build Coastguard Worker const volatile uid_t targ_uid = 0;
11*387f9dfdSAndroid Build Coastguard Worker const volatile bool targ_failed = false;
12*387f9dfdSAndroid Build Coastguard Worker
13*387f9dfdSAndroid Build Coastguard Worker struct {
14*387f9dfdSAndroid Build Coastguard Worker __uint(type, BPF_MAP_TYPE_HASH);
15*387f9dfdSAndroid Build Coastguard Worker __uint(max_entries, 10240);
16*387f9dfdSAndroid Build Coastguard Worker __type(key, u32);
17*387f9dfdSAndroid Build Coastguard Worker __type(value, struct args_t);
18*387f9dfdSAndroid Build Coastguard Worker } start SEC(".maps");
19*387f9dfdSAndroid Build Coastguard Worker
20*387f9dfdSAndroid Build Coastguard Worker struct {
21*387f9dfdSAndroid Build Coastguard Worker __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
22*387f9dfdSAndroid Build Coastguard Worker __uint(key_size, sizeof(u32));
23*387f9dfdSAndroid Build Coastguard Worker __uint(value_size, sizeof(u32));
24*387f9dfdSAndroid Build Coastguard Worker } events SEC(".maps");
25*387f9dfdSAndroid Build Coastguard Worker
valid_uid(uid_t uid)26*387f9dfdSAndroid Build Coastguard Worker static __always_inline bool valid_uid(uid_t uid) {
27*387f9dfdSAndroid Build Coastguard Worker return uid != INVALID_UID;
28*387f9dfdSAndroid Build Coastguard Worker }
29*387f9dfdSAndroid Build Coastguard Worker
30*387f9dfdSAndroid Build Coastguard Worker static __always_inline
trace_allowed(u32 tgid,u32 pid)31*387f9dfdSAndroid Build Coastguard Worker bool trace_allowed(u32 tgid, u32 pid)
32*387f9dfdSAndroid Build Coastguard Worker {
33*387f9dfdSAndroid Build Coastguard Worker u32 uid;
34*387f9dfdSAndroid Build Coastguard Worker
35*387f9dfdSAndroid Build Coastguard Worker /* filters */
36*387f9dfdSAndroid Build Coastguard Worker if (targ_tgid && targ_tgid != tgid)
37*387f9dfdSAndroid Build Coastguard Worker return false;
38*387f9dfdSAndroid Build Coastguard Worker if (targ_pid && targ_pid != pid)
39*387f9dfdSAndroid Build Coastguard Worker return false;
40*387f9dfdSAndroid Build Coastguard Worker if (valid_uid(targ_uid)) {
41*387f9dfdSAndroid Build Coastguard Worker uid = (u32)bpf_get_current_uid_gid();
42*387f9dfdSAndroid Build Coastguard Worker if (targ_uid != uid) {
43*387f9dfdSAndroid Build Coastguard Worker return false;
44*387f9dfdSAndroid Build Coastguard Worker }
45*387f9dfdSAndroid Build Coastguard Worker }
46*387f9dfdSAndroid Build Coastguard Worker return true;
47*387f9dfdSAndroid Build Coastguard Worker }
48*387f9dfdSAndroid Build Coastguard Worker
49*387f9dfdSAndroid Build Coastguard Worker SEC("tracepoint/syscalls/sys_enter_open")
tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter * ctx)50*387f9dfdSAndroid Build Coastguard Worker int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx)
51*387f9dfdSAndroid Build Coastguard Worker {
52*387f9dfdSAndroid Build Coastguard Worker u64 id = bpf_get_current_pid_tgid();
53*387f9dfdSAndroid Build Coastguard Worker /* use kernel terminology here for tgid/pid: */
54*387f9dfdSAndroid Build Coastguard Worker u32 tgid = id >> 32;
55*387f9dfdSAndroid Build Coastguard Worker u32 pid = id;
56*387f9dfdSAndroid Build Coastguard Worker
57*387f9dfdSAndroid Build Coastguard Worker /* store arg info for later lookup */
58*387f9dfdSAndroid Build Coastguard Worker if (trace_allowed(tgid, pid)) {
59*387f9dfdSAndroid Build Coastguard Worker struct args_t args = {};
60*387f9dfdSAndroid Build Coastguard Worker args.fname = (const char *)ctx->args[0];
61*387f9dfdSAndroid Build Coastguard Worker args.flags = (int)ctx->args[1];
62*387f9dfdSAndroid Build Coastguard Worker bpf_map_update_elem(&start, &pid, &args, 0);
63*387f9dfdSAndroid Build Coastguard Worker }
64*387f9dfdSAndroid Build Coastguard Worker return 0;
65*387f9dfdSAndroid Build Coastguard Worker }
66*387f9dfdSAndroid Build Coastguard Worker
67*387f9dfdSAndroid Build Coastguard Worker SEC("tracepoint/syscalls/sys_enter_openat")
tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter * ctx)68*387f9dfdSAndroid Build Coastguard Worker int tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter* ctx)
69*387f9dfdSAndroid Build Coastguard Worker {
70*387f9dfdSAndroid Build Coastguard Worker u64 id = bpf_get_current_pid_tgid();
71*387f9dfdSAndroid Build Coastguard Worker /* use kernel terminology here for tgid/pid: */
72*387f9dfdSAndroid Build Coastguard Worker u32 tgid = id >> 32;
73*387f9dfdSAndroid Build Coastguard Worker u32 pid = id;
74*387f9dfdSAndroid Build Coastguard Worker
75*387f9dfdSAndroid Build Coastguard Worker /* store arg info for later lookup */
76*387f9dfdSAndroid Build Coastguard Worker if (trace_allowed(tgid, pid)) {
77*387f9dfdSAndroid Build Coastguard Worker struct args_t args = {};
78*387f9dfdSAndroid Build Coastguard Worker args.fname = (const char *)ctx->args[1];
79*387f9dfdSAndroid Build Coastguard Worker args.flags = (int)ctx->args[2];
80*387f9dfdSAndroid Build Coastguard Worker bpf_map_update_elem(&start, &pid, &args, 0);
81*387f9dfdSAndroid Build Coastguard Worker }
82*387f9dfdSAndroid Build Coastguard Worker return 0;
83*387f9dfdSAndroid Build Coastguard Worker }
84*387f9dfdSAndroid Build Coastguard Worker
85*387f9dfdSAndroid Build Coastguard Worker static __always_inline
trace_exit(struct trace_event_raw_sys_exit * ctx)86*387f9dfdSAndroid Build Coastguard Worker int trace_exit(struct trace_event_raw_sys_exit* ctx)
87*387f9dfdSAndroid Build Coastguard Worker {
88*387f9dfdSAndroid Build Coastguard Worker struct event event = {};
89*387f9dfdSAndroid Build Coastguard Worker struct args_t *ap;
90*387f9dfdSAndroid Build Coastguard Worker uintptr_t stack[3];
91*387f9dfdSAndroid Build Coastguard Worker int ret;
92*387f9dfdSAndroid Build Coastguard Worker u32 pid = bpf_get_current_pid_tgid();
93*387f9dfdSAndroid Build Coastguard Worker
94*387f9dfdSAndroid Build Coastguard Worker ap = bpf_map_lookup_elem(&start, &pid);
95*387f9dfdSAndroid Build Coastguard Worker if (!ap)
96*387f9dfdSAndroid Build Coastguard Worker return 0; /* missed entry */
97*387f9dfdSAndroid Build Coastguard Worker ret = ctx->ret;
98*387f9dfdSAndroid Build Coastguard Worker if (targ_failed && ret >= 0)
99*387f9dfdSAndroid Build Coastguard Worker goto cleanup; /* want failed only */
100*387f9dfdSAndroid Build Coastguard Worker
101*387f9dfdSAndroid Build Coastguard Worker /* event data */
102*387f9dfdSAndroid Build Coastguard Worker event.pid = bpf_get_current_pid_tgid() >> 32;
103*387f9dfdSAndroid Build Coastguard Worker event.uid = bpf_get_current_uid_gid();
104*387f9dfdSAndroid Build Coastguard Worker bpf_get_current_comm(&event.comm, sizeof(event.comm));
105*387f9dfdSAndroid Build Coastguard Worker bpf_probe_read_user_str(&event.fname, sizeof(event.fname), ap->fname);
106*387f9dfdSAndroid Build Coastguard Worker event.flags = ap->flags;
107*387f9dfdSAndroid Build Coastguard Worker event.ret = ret;
108*387f9dfdSAndroid Build Coastguard Worker
109*387f9dfdSAndroid Build Coastguard Worker bpf_get_stack(ctx, &stack, sizeof(stack),
110*387f9dfdSAndroid Build Coastguard Worker BPF_F_USER_STACK);
111*387f9dfdSAndroid Build Coastguard Worker /* Skip the first address that is usually the syscall it-self */
112*387f9dfdSAndroid Build Coastguard Worker event.callers[0] = stack[1];
113*387f9dfdSAndroid Build Coastguard Worker event.callers[1] = stack[2];
114*387f9dfdSAndroid Build Coastguard Worker
115*387f9dfdSAndroid Build Coastguard Worker /* emit event */
116*387f9dfdSAndroid Build Coastguard Worker bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU,
117*387f9dfdSAndroid Build Coastguard Worker &event, sizeof(event));
118*387f9dfdSAndroid Build Coastguard Worker
119*387f9dfdSAndroid Build Coastguard Worker cleanup:
120*387f9dfdSAndroid Build Coastguard Worker bpf_map_delete_elem(&start, &pid);
121*387f9dfdSAndroid Build Coastguard Worker return 0;
122*387f9dfdSAndroid Build Coastguard Worker }
123*387f9dfdSAndroid Build Coastguard Worker
124*387f9dfdSAndroid Build Coastguard Worker SEC("tracepoint/syscalls/sys_exit_open")
tracepoint__syscalls__sys_exit_open(struct trace_event_raw_sys_exit * ctx)125*387f9dfdSAndroid Build Coastguard Worker int tracepoint__syscalls__sys_exit_open(struct trace_event_raw_sys_exit* ctx)
126*387f9dfdSAndroid Build Coastguard Worker {
127*387f9dfdSAndroid Build Coastguard Worker return trace_exit(ctx);
128*387f9dfdSAndroid Build Coastguard Worker }
129*387f9dfdSAndroid Build Coastguard Worker
130*387f9dfdSAndroid Build Coastguard Worker SEC("tracepoint/syscalls/sys_exit_openat")
tracepoint__syscalls__sys_exit_openat(struct trace_event_raw_sys_exit * ctx)131*387f9dfdSAndroid Build Coastguard Worker int tracepoint__syscalls__sys_exit_openat(struct trace_event_raw_sys_exit* ctx)
132*387f9dfdSAndroid Build Coastguard Worker {
133*387f9dfdSAndroid Build Coastguard Worker return trace_exit(ctx);
134*387f9dfdSAndroid Build Coastguard Worker }
135*387f9dfdSAndroid Build Coastguard Worker
136*387f9dfdSAndroid Build Coastguard Worker char LICENSE[] SEC("license") = "GPL";
137