1 | // SPDX-License-Identifier: GPL-2.0 |
2 | /* Copyright (c) 2021 Facebook */ |
3 | #include "vmlinux.h" |
4 | #include <bpf/bpf_helpers.h> |
5 | #include <bpf/bpf_tracing.h> |
6 | |
/*
 * License string emitted into the "license" section through SEC().
 * The kernel uses the declared license when deciding whether a program may
 * call GPL-only helpers, so this value is part of the object's load-time
 * contract rather than a cosmetic tag.
 */
char _license[] SEC("license" ) = "GPL" ;
8 | |
/*
 * Context object handed to the bpf_find_vma() callback as its third
 * argument. Both programs in this file zero-initialise one on the stack and
 * pass its address; check_vma() never reads or writes it.
 */
struct callback_ctx {
	int dummy; /* placeholder member; not referenced anywhere in this file */
};
12 | |
/*
 * Constants defined locally instead of being taken from a kernel header.
 * NOTE(review): both are assumed to match the kernel under test (the
 * executable-mapping flag bit and the size of the inline dentry name
 * buffer) -- confirm against the target kernel, since a mismatch would make
 * the VM_EXEC check or the name copy silently misleading.
 */
#define VM_EXEC 0x00000004
#define DNAME_INLINE_LEN 32

/*
 * Global state shared by handle_getpid(), handle_pe() and check_vma().
 * NOTE(review): target_pid and addr are never assigned in this file, so
 * they are presumably set by the userspace loader before the programs are
 * attached, and the remaining variables read back afterwards -- confirm in
 * the loader.
 */

/* Both programs return early unless the current task's pid equals this. */
pid_t target_pid = 0;
/*
 * Receives the inline dentry name of the file backing the VMA found by
 * bpf_find_vma(). check_vma() copies at most DNAME_INLINE_LEN - 1 bytes, so
 * the last byte keeps its zero initialiser and the buffer stays terminated.
 */
char d_iname[DNAME_INLINE_LEN] = {0};
/* Set to 1 by check_vma() when the found VMA has VM_EXEC; never cleared here. */
__u32 found_vm_exec = 0;
/* Address looked up by the first bpf_find_vma() call in each program. */
__u64 addr = 0;
/* Return value of the lookup at address 0; -1 means "not run yet". */
int find_zero_ret = -1;
/* Return value of the lookup at addr; -1 means "not run yet". */
int find_addr_ret = -1;
22 | |
/*
 * Callback passed to bpf_find_vma(); records facts about the VMA it is
 * given.
 *
 * @task: task the lookup was made for (not used here)
 * @vma:  the VMA handed to the callback by bpf_find_vma()
 * @data: caller-supplied callback context (not used here)
 *
 * For a file-backed VMA the inline name of the backing dentry is copied
 * into the global d_iname. The copy is capped at DNAME_INLINE_LEN - 1
 * bytes, one short of the destination, so this function never writes the
 * final byte of d_iname. The helper's return value is not checked, so a
 * failed read is not reported to the caller.
 *
 * found_vm_exec is set to 1 when the VMA carries VM_EXEC; it is never reset
 * to 0 here, so it stays set across later invocations.
 *
 * Return: always 0.
 */
static long check_vma(struct task_struct *task, struct vm_area_struct *vma,
		      struct callback_ctx *data)
{
	struct file *backing = vma->vm_file;

	if (backing) {
		bpf_probe_read_kernel_str(d_iname, DNAME_INLINE_LEN - 1,
					  backing->f_path.dentry->d_iname);
	}

	/* executable mapping? */
	if ((vma->vm_flags & VM_EXEC) != 0) {
		found_vm_exec = 1;
	}

	return 0;
}
36 | |
/*
 * Program placed in the "raw_tp/sys_enter" section.
 *
 * Despite the name, nothing in this function selects a particular syscall:
 * the comparison of the current task's pid with target_pid is the only
 * filter, and every other task returns immediately.
 *
 * For the target task it performs two bpf_find_vma() lookups with
 * check_vma() as the callback: one at the global addr, whose result goes to
 * find_addr_ret, and one at address 0, whose result goes to find_zero_ret.
 *
 * Return: always 0.
 */
SEC("raw_tp/sys_enter")
int handle_getpid(void)
{
	struct callback_ctx cb_ctx = {};
	struct task_struct *cur = bpf_get_current_task_btf();

	if (cur->pid == target_pid) {
		find_addr_ret = bpf_find_vma(cur, addr, check_vma, &cb_ctx, 0);

		/* no VMA is expected at address 0, so this should be -ENOENT */
		find_zero_ret = bpf_find_vma(cur, 0, check_vma, &cb_ctx, 0);
	}

	return 0;
}
52 | |
/*
 * Program placed in the "perf_event" section.
 *
 * Tasks whose pid differs from target_pid return immediately. For the
 * target task it issues the same pair of bpf_find_vma() lookups as
 * handle_getpid(): first at the global addr (result in find_addr_ret), then
 * at address 0 (result in find_zero_ret).
 *
 * Return: always 0.
 */
SEC("perf_event")
int handle_pe(void)
{
	struct callback_ctx cb_ctx = {};
	struct task_struct *cur = bpf_get_current_task_btf();

	if (cur->pid == target_pid) {
		find_addr_ret = bpf_find_vma(cur, addr, check_vma, &cb_ctx, 0);

		/*
		 * When running in NMI the first lookup is still using the
		 * irq_work, so this second one should fail with -EBUSY.
		 */
		find_zero_ret = bpf_find_vma(cur, 0, check_vma, &cb_ctx, 0);
	}

	return 0;
}
70 | |