#define BPF_NO_GLOBAL_DATA
#include <vmlinux.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#define path_size 256 // bytes per recorded pathname (incl. NUL); longer paths are truncated, PATH_MAX is 4096
// One record per openat() entry, written to the ring buffer `rb` by
// do_syscall_trace(). This is the wire format the user-space consumer
// reads, so field order and sizes must stay in sync with that reader
// (it is not visible in this file — verify before changing anything here).
struct event {
int pid_; // tgid of the calling process (bpf_get_current_pid_tgid() >> 32)
char path_name_[path_size]; // openat() filename argument (args[1]) as copied at syscall entry, NUL-terminated
int n_; // max_fds of the caller's fd table at syscall entry
};
// Ring buffer shared with user space; do_syscall_trace() reserves one
// struct event per openat() entry. When the buffer is full reserve returns
// NULL and that event is dropped (see do_syscall_trace), so size this for
// the expected open() rate of the monitored system.
struct {
__uint(type, BPF_MAP_TYPE_RINGBUF);
__uint(max_entries, 256 * 1024); // 256 KiB
} rb SEC(".maps"); // ring buffer
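/*
 * sys_enter_openat tracepoint handler.
 *
 * For every openat() entry, emits one struct event into `rb` carrying the
 * caller's tgid (pid_), the pathname argument as the caller supplied it
 * (path_name_, truncated to path_size-1 bytes) and max_fds of the caller's
 * fd table (n_). Always returns 0; tracepoint return values are ignored.
 * On any failure after the slot is reserved, the slot is discarded so no
 * half-filled record reaches user space.
 *
 * Security notes for anyone building on this:
 *  - The pathname is copied from the *user* buffer behind args[1] at syscall
 *    entry. The kernel copies it again later, so a process can rewrite the
 *    buffer in between (TOCTOU); treat path_name_ as telemetry, not as a
 *    basis for enforcement. A robust path wants a kernel-side source such
 *    as an LSM file_open hook plus d_path (not implemented here).
 *  - Only openat is hooked; open, openat2 and creat are not observed.
 *  - bpf_printk() writes into the global trace_pipe, which is shared with
 *    every other tracer on the host; pathnames can be sensitive and this
 *    runs on every openat(). These calls are debugging aids and should be
 *    compiled out for production builds.
 *  - An earlier, commented-out walk over task->files->fdt->fd[] comparing
 *    d_name against the request was removed: its loop bound was
 *    `count < 50 || i < n` (unbounded) and it needed a second 256-byte
 *    stack buffer. Reintroduce it only with a constant loop bound.
 */
SEC("tracepoint/syscalls/sys_enter_openat")
int do_syscall_trace(struct trace_event_raw_sys_enter *ctx)
{
	struct task_struct *task = (struct task_struct *)bpf_get_current_task();

	if (task == NULL) {
		bpf_printk("task\n");
		return 0;
	}

	/* Reserve only after the cheap sanity check; nothing to discard if it fails. */
	struct event *e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
	if (!e)
		return 0; /* ring buffer full: this event is dropped */

	/* Upper 32 bits of pid_tgid are the tgid, i.e. the user-visible PID. */
	int pid = bpf_get_current_pid_tgid() >> 32;
	int ppid = BPF_CORE_READ(task, real_parent, tgid);

	/*
	 * args[1] is the untrusted filename pointer from user space. Use the
	 * address-space-explicit helper (bpf_probe_read_str is the legacy,
	 * ambiguous name whose meaning depends on arch/kernel) and check the
	 * result. The helper is documented to zero-fill dst on error, so a
	 * failed read yields an empty path rather than stale ring-buffer
	 * bytes; we still report it so the consumer can tell the two apart
	 * from the trace log.
	 */
	long len = bpf_probe_read_user_str(e->path_name_, sizeof(e->path_name_),
					   (const void *)ctx->args[1]);
	if (len < 0)
		bpf_printk("path read failed: %ld\n", len);

	bpf_printk("path name: %s,pid:%d,ppid:%d\n", e->path_name_, pid, ppid);

	struct fdtable *fdt = BPF_CORE_READ(task, files, fdt);
	if (fdt == NULL) {
		bpf_printk("fdt\n");
		bpf_ringbuf_discard(e, 0); /* never submit a partially filled record */
		return 0;
	}

	unsigned int n = BPF_CORE_READ(fdt, max_fds);
	bpf_printk("n:%d\n", n);

	e->n_ = n;
	e->pid_ = pid;
	bpf_ringbuf_submit(e, 0);
	return 0;
}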
// Declares the program GPL-compatible. The kernel gates some helpers behind
// a GPL-compatible license (bpf_trace_printk, which backs bpf_printk, is one),
// so the loader rejects this program if the string is changed while those
// calls remain.
char LICENSE[] SEC("license") = "GPL";