1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
char _license[] SEC("license") = "GPL";
struct {
__uint(type, BPF_MAP_TYPE_HASH);
__uint(max_entries, 1);
__type(key, int);
__type(value, int);
} hash_map SEC(".maps");
struct {
__uint(type, BPF_MAP_TYPE_STACK);
__uint(max_entries, 1);
__type(value, int);
} stack_map SEC(".maps");
struct {
__uint(type, BPF_MAP_TYPE_ARRAY);
__uint(max_entries, 1);
__type(key, int);
__type(value, int);
} array_map SEC(".maps");
const volatile pid_t pid;
long err = 0;
static u64 callback(u64 map, u64 key, u64 val, u64 ctx, u64 flags)
{
return 0;
}
SEC("tp/syscalls/sys_enter_getpid")
int map_update(void *ctx)
{
const int key = 0;
const int val = 1;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
err = bpf_map_update_elem(&hash_map, &key, &val, BPF_NOEXIST);
return 0;
}
SEC("tp/syscalls/sys_enter_getppid")
int map_delete(void *ctx)
{
const int key = 0;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
err = bpf_map_delete_elem(&hash_map, &key);
return 0;
}
SEC("tp/syscalls/sys_enter_getuid")
int map_push(void *ctx)
{
const int val = 1;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
err = bpf_map_push_elem(&stack_map, &val, 0);
return 0;
}
SEC("tp/syscalls/sys_enter_geteuid")
int map_pop(void *ctx)
{
int val;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
err = bpf_map_pop_elem(&stack_map, &val);
return 0;
}
SEC("tp/syscalls/sys_enter_getgid")
int map_peek(void *ctx)
{
int val;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
err = bpf_map_peek_elem(&stack_map, &val);
return 0;
}
SEC("tp/syscalls/sys_enter_gettid")
int map_for_each_pass(void *ctx)
{
const int key = 0;
const int val = 1;
const u64 flags = 0;
int callback_ctx;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
bpf_map_update_elem(&array_map, &key, &val, flags);
err = bpf_for_each_map_elem(&array_map, callback, &callback_ctx, flags);
return 0;
}
SEC("tp/syscalls/sys_enter_getpgid")
int map_for_each_fail(void *ctx)
{
const int key = 0;
const int val = 1;
const u64 flags = BPF_NOEXIST;
int callback_ctx;
if (pid != (bpf_get_current_pid_tgid() >> 32))
return 0;
bpf_map_update_elem(&array_map, &key, &val, flags);
/* calling for_each with non-zero flags will return error */
err = bpf_for_each_map_elem(&array_map, callback, &callback_ctx, flags);
return 0;
}
|
