1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Copyright 2022 Sony Group Corporation */ |
3 | #include <vmlinux.h> |
4 | |
5 | #include <bpf/bpf_core_read.h> |
6 | #include <bpf/bpf_helpers.h> |
7 | #include <bpf/bpf_tracing.h> |
8 | #include "bpf_misc.h" |
9 | |
/*
 * Result slots written by the BPF programs in this file. Nothing here reads
 * them back; presumably the user-space side of the test inspects them after
 * issuing the syscalls - confirm against the loader.
 */

/* Filled by handle_sys_prctl via bpf_probe_read_kernel() on the register slots. */
int arg1 = 0;
unsigned long arg2 = 0;
unsigned long arg3 = 0;
/*
 * arg4_cx comes from the generic PT_REGS_PARM4() accessor, arg4 from the
 * syscall-specific PT_REGS_PARM4_SYSCALL(). The "_cx" suffix suggests the
 * x86-64 function-call register for argument 4 - TODO confirm.
 */
unsigned long arg4_cx = 0;
unsigned long arg4 = 0;
unsigned long arg5 = 0;

/* Same arguments, filled by handle_sys_prctl via the CO-RE accessor macros. */
int arg1_core = 0;
unsigned long arg2_core = 0;
unsigned long arg3_core = 0;
unsigned long arg4_core_cx = 0;
unsigned long arg4_core = 0;
unsigned long arg5_core = 0;

/* Filled by prctl_enter from the typed BPF_KSYSCALL parameters. */
int option_syscall = 0;
unsigned long arg2_syscall = 0;
unsigned long arg3_syscall = 0;
unsigned long arg4_syscall = 0;
unsigned long arg5_syscall = 0;

/*
 * Thread-group id the programs record for. Every handler returns early for
 * any other process, so arguments of unrelated syscalls on the system are
 * never captured. const volatile: read-only from the BPF side; presumably
 * set by the loader before the object is loaded - confirm.
 */
const volatile pid_t filter_pid = 0;
31 | |
/*
 * kprobe on the prctl() syscall entry symbol. Captures the syscall arguments
 * twice: once by reading the register slots with bpf_probe_read_kernel(), and
 * once through the CO-RE accessor macros, storing each set in its own globals.
 *
 * Always returns 0. Does nothing unless the calling process matches filter_pid.
 */
SEC("kprobe/" SYS_PREFIX "sys_prctl")
int BPF_KPROBE(handle_sys_prctl)
{
	/* The upper 32 bits of the helper's return value are the thread-group id. */
	__u64 pid_tgid = bpf_get_current_pid_tgid();
	struct pt_regs *sys_regs;
	unsigned long parm1 = 0;

	/* Scope the capture to the process under test only. */
	if ((pid_t)(pid_tgid >> 32) != filter_pid)
		return 0;

	/*
	 * The syscall arguments are read from the pt_regs this macro returns,
	 * not from the kprobe context itself.
	 */
	sys_regs = PT_REGS_SYSCALL_REGS(ctx);

	/*
	 * Plain PT_REGS_PARMn accessors, read through bpf_probe_read_kernel().
	 *
	 * The helper's return value is not checked, so a failed read cannot be
	 * told apart here from an argument that really was zero.
	 */

	/*
	 * The first argument is skipped on arm64 and s390, leaving arg1 at 0 -
	 * presumably because PT_REGS_PARM1_SYSCALL() is not addressable on those
	 * targets; confirm against bpf_tracing.h.
	 */
#if !(defined(bpf_target_arm64) || defined(bpf_target_s390))
	bpf_probe_read_kernel(&parm1, sizeof(parm1), &PT_REGS_PARM1_SYSCALL(sys_regs));
#endif
	arg1 = parm1;
	bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(sys_regs));
	bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(sys_regs));
	/* Generic (non-syscall) accessor for argument 4, kept next to the syscall one. */
	bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(sys_regs));
	bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(sys_regs));
	bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(sys_regs));

	/* CO-RE variants of the same accessors; these yield the value directly. */
	arg1_core = PT_REGS_PARM1_CORE_SYSCALL(sys_regs);
	arg2_core = PT_REGS_PARM2_CORE_SYSCALL(sys_regs);
	arg3_core = PT_REGS_PARM3_CORE_SYSCALL(sys_regs);
	arg4_core_cx = PT_REGS_PARM4_CORE(sys_regs);
	arg4_core = PT_REGS_PARM4_CORE_SYSCALL(sys_regs);
	arg5_core = PT_REGS_PARM5_CORE_SYSCALL(sys_regs);

	return 0;
}
66 | |
/*
 * ksyscall program for prctl(). BPF_KSYSCALL hands over the syscall arguments
 * as typed parameters; they are copied into the *_syscall globals.
 *
 * Note: the parameters arg2..arg5 shadow the file-scope globals of the same
 * names, so the right-hand sides below are the syscall arguments, not the
 * values stored by handle_sys_prctl.
 *
 * Always returns 0. Does nothing unless the calling process matches filter_pid.
 */
SEC("ksyscall/prctl")
int BPF_KSYSCALL(prctl_enter, int option, unsigned long arg2,
		 unsigned long arg3, unsigned long arg4, unsigned long arg5)
{
	/* The upper 32 bits of the helper's return value are the thread-group id. */
	__u64 pid_tgid = bpf_get_current_pid_tgid();

	/* Scope the capture to the process under test only. */
	if ((pid_t)(pid_tgid >> 32) != filter_pid)
		return 0;

	option_syscall = option;
	arg2_syscall = arg2;
	arg3_syscall = arg3;
	arg4_syscall = arg4;
	arg5_syscall = arg5;

	return 0;
}
83 | |
/*
 * Result slots for splice_enter, one per splice() argument. Each is widened
 * to 64 bits. The two offset slots hold the pointer values themselves, not
 * the offsets they point to.
 */
__u64 splice_fd_in;
__u64 splice_off_in;
__u64 splice_fd_out;
__u64 splice_off_out;
__u64 splice_len;
__u64 splice_flags;
90 | |
/*
 * ksyscall program for splice(), a six-argument syscall. Copies every
 * argument into the matching splice_* global.
 *
 * off_in and off_out are only recorded as addresses and never dereferenced.
 * They are supplied by the caller of splice(), so presumably user-space
 * pointers; reading what they point to would need bpf_probe_read_user()
 * rather than a direct load - confirm before extending this program.
 *
 * Always returns 0. Does nothing unless the calling process matches filter_pid.
 */
SEC("ksyscall/splice")
int BPF_KSYSCALL(splice_enter, int fd_in, loff_t *off_in, int fd_out,
		 loff_t *off_out, size_t len, unsigned int flags)
{
	/* The upper 32 bits of the helper's return value are the thread-group id. */
	__u64 pid_tgid = bpf_get_current_pid_tgid();

	/* Scope the capture to the process under test only. */
	if ((pid_t)(pid_tgid >> 32) != filter_pid)
		return 0;

	splice_fd_in = fd_in;
	splice_off_in = (__u64)off_in;
	splice_fd_out = fd_out;
	splice_off_out = (__u64)off_out;
	splice_len = len;
	splice_flags = flags;

	return 0;
}
109 | |
/*
 * License string placed in the "license" section of the object. The kernel
 * checks it at load time to decide whether GPL-only helpers may be used.
 */
char _license[] SEC("license") = "GPL";
111 | |