1 /*
2 * Copyright (c) 2022 Huawei Device Co., Ltd.
3 * Licensed under the Apache License, Version 2.0 (the "License");
4 * you may not use this file except in compliance with the License.
5 * You may obtain a copy of the License at
6 *
7 * http://www.apache.org/licenses/LICENSE-2.0
8 *
9 * Unless required by applicable law or agreed to in writing, software
10 * distributed under the License is distributed on an "AS IS" BASIS,
11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 * See the License for the specific language governing permissions and
13 * limitations under the License.
14 */
15
16 /* This line is generated to truncate the original file */
17 /************************** fstrace BPF progs BEGIN *****************************/
18 #ifndef FSTRACE_PROGS_H
19 #define FSTRACE_PROGS_H
20
21 SEC("kprobe/do_sys_openat2")
BPF_KPROBE(do_sys_openat2_entry,int dfd,const char __user * filename,struct open_how * how)22 int BPF_KPROBE(do_sys_openat2_entry, int dfd, const char __user* filename, struct open_how* how)
23 {
24 if (check_current_pid(-1, -1) != 0) {
25 // not any one of target processes, skip it
26 return 0;
27 }
28 struct start_event_t start_event = {};
29 __builtin_memset(&start_event, 0, sizeof(start_event));
30 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
31 u64 pid_tgid = bpf_get_current_pid_tgid();
32 // get timestamp of the start of system call
33 fs_se->stime = bpf_ktime_get_ns();
34 // get argument of the system call
35 fs_se->type = SYS_OPENAT2;
36 struct sys_openat2_args_t* args = &fs_se->openat2_args;
37 args->dfd = dfd;
38 args->filename = filename;
39 emit_strtrace_event(fs_se->stime, fs_se->type, filename, FSTRACE);
40 args->how = how;
41
42 // store the start event with pid as key
43 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
44 if (err != 0) {
45 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
46 return -1;
47 }
48 return 0;
49 }
50
51 SEC("kretprobe/do_sys_openat2")
BPF_KRETPROBE(do_sys_openat2_exit,int64_t retval)52 int BPF_KRETPROBE(do_sys_openat2_exit, int64_t retval)
53 {
54 if (check_current_pid(-1, -1) != 0) {
55 // not any one of target processes, skip it
56 return 0;
57 }
58 return emit_event(ctx, retval, FSTRACE);
59 }
60
61 SEC("kprobe/ksys_read")
BPF_KPROBE(ksys_read_entry,unsigned int fd,char __user * buf,size_t count)62 int BPF_KPROBE(ksys_read_entry, unsigned int fd, char __user* buf, size_t count)
63 {
64 if (check_current_pid(-1, -1) != 0) {
65 // not any one of target processes, skip it
66 return 0;
67 }
68 struct start_event_t start_event = {};
69 __builtin_memset(&start_event, 0, sizeof(start_event));
70 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
71 u64 pid_tgid = bpf_get_current_pid_tgid();
72 // get timestamp of the start of system call
73 fs_se->stime = bpf_ktime_get_ns();
74 // get argument of the system call
75 fs_se->type = SYS_READ;
76 struct sys_read_args_t* args = &fs_se->read_args;
77 args->fd = fd;
78 args->buf = buf;
79 args->count = count;
80
81 // store the start event with pid as key
82 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
83 if (err != 0) {
84 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
85 return -1;
86 }
87 return 0;
88 }
89
90 SEC("kretprobe/ksys_read")
BPF_KRETPROBE(ksys_read_exit,int64_t retval)91 int BPF_KRETPROBE(ksys_read_exit, int64_t retval)
92 {
93 if (check_current_pid(-1, -1) != 0) {
94 // not any one of target processes, skip it
95 return 0;
96 }
97 return emit_event(ctx, retval, FSTRACE);
98 }
99
100 SEC("kprobe/ksys_write")
BPF_KPROBE(ksys_write_entry,unsigned int fd,const char __user * buf,size_t count)101 int BPF_KPROBE(ksys_write_entry, unsigned int fd, const char __user* buf, size_t count)
102 {
103 if (check_current_pid(-1, -1) != 0) {
104 // not any one of target processes, skip it
105 return 0;
106 }
107 struct start_event_t start_event = {};
108 __builtin_memset(&start_event, 0, sizeof(start_event));
109 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
110 u64 pid_tgid = bpf_get_current_pid_tgid();
111 // get timestamp of the start of system call
112 fs_se->stime = bpf_ktime_get_ns();
113 // get argument of the system call
114 fs_se->type = SYS_WRITE;
115 struct sys_write_args_t* args = &fs_se->write_args;
116 args->fd = fd;
117 args->buf = buf;
118 args->count = count;
119
120 // store the start event with pid as key
121 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
122 if (err != 0) {
123 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
124 return -1;
125 }
126 return 0;
127 }
128
129 SEC("kretprobe/ksys_write")
BPF_KRETPROBE(ksys_write_exit,int64_t retval)130 int BPF_KRETPROBE(ksys_write_exit, int64_t retval)
131 {
132 if (check_current_pid(-1, -1) != 0) {
133 // not any one of target processes, skip it
134 return 0;
135 }
136 return emit_event(ctx, retval, FSTRACE);
137 }
138
139 SEC("kprobe/ksys_pread64")
BPF_KPROBE(ksys_pread64_entry,unsigned int fd,char __user * buf,size_t count,loff_t pos)140 int BPF_KPROBE(ksys_pread64_entry, unsigned int fd, char __user* buf, size_t count, loff_t pos)
141 {
142 if (check_current_pid(-1, -1) != 0) {
143 // not any one of target processes, skip it
144 return 0;
145 }
146 struct start_event_t start_event = {};
147 __builtin_memset(&start_event, 0, sizeof(start_event));
148 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
149 u64 pid_tgid = bpf_get_current_pid_tgid();
150 // get timestamp of the start of system call
151 fs_se->stime = bpf_ktime_get_ns();
152 // get argument of the system call
153 fs_se->type = SYS_PREAD64;
154 struct sys_pread64_args_t* args = &fs_se->pread64_args;
155 args->fd = fd;
156 args->buf = buf;
157 args->count = count;
158 args->pos = pos;
159
160 // store the start event with pid as key
161 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
162 if (err != 0) {
163 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
164 return -1;
165 }
166 return 0;
167 }
168
169 SEC("kretprobe/ksys_pread64")
BPF_KRETPROBE(ksys_pread64_exit,int64_t retval)170 int BPF_KRETPROBE(ksys_pread64_exit, int64_t retval)
171 {
172 if (check_current_pid(-1, -1) != 0) {
173 // not any one of target processes, skip it
174 return 0;
175 }
176 return emit_event(ctx, retval, FSTRACE);
177 }
178
179 SEC("kprobe/ksys_pwrite64")
BPF_KPROBE(ksys_pwrite64_entry,unsigned int fd,const char __user * buf,size_t count,loff_t pos)180 int BPF_KPROBE(ksys_pwrite64_entry, unsigned int fd, const char __user* buf, size_t count, loff_t pos)
181 {
182 if (check_current_pid(-1, -1) != 0) {
183 // not any one of target processes, skip it
184 return 0;
185 }
186 struct start_event_t start_event = {};
187 __builtin_memset(&start_event, 0, sizeof(start_event));
188 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
189 u64 pid_tgid = bpf_get_current_pid_tgid();
190 // get timestamp of the start of system call
191 fs_se->stime = bpf_ktime_get_ns();
192 // get argument of the system call
193 fs_se->type = SYS_PWRITE64;
194 struct sys_pwrite64_args_t* args = &fs_se->pwrite64_args;
195 args->fd = fd;
196 args->buf = buf;
197 args->count = count;
198 args->pos = pos;
199
200 // store the start event with pid as key
201 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
202 if (err != 0) {
203 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
204 return -1;
205 }
206 return 0;
207 }
208
209 SEC("kretprobe/ksys_pwrite64")
BPF_KRETPROBE(ksys_pwrite64_exit,int64_t retval)210 int BPF_KRETPROBE(ksys_pwrite64_exit, int64_t retval)
211 {
212 if (check_current_pid(-1, -1) != 0) {
213 // not any one of target processes, skip it
214 return 0;
215 }
216 return emit_event(ctx, retval, FSTRACE);
217 }
218
219 SEC("kprobe/do_readv")
BPF_KPROBE(do_readv_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,rwf_t flags)220 int BPF_KPROBE(do_readv_entry, unsigned long fd, const struct iovec __user* vec, unsigned long vlen, rwf_t flags)
221 {
222 if (check_current_pid(-1, -1) != 0) {
223 // not any one of target processes, skip it
224 return 0;
225 }
226 struct start_event_t start_event = {};
227 __builtin_memset(&start_event, 0, sizeof(start_event));
228 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
229 u64 pid_tgid = bpf_get_current_pid_tgid();
230 // get timestamp of the start of system call
231 fs_se->stime = bpf_ktime_get_ns();
232 // get argument of the system call
233 fs_se->type = SYS_READV;
234 struct sys_readv_args_t* args = &fs_se->readv_args;
235 args->fd = fd;
236 args->vec = vec;
237 args->vlen = vlen;
238 args->flags = flags;
239
240 // store the start event with pid as key
241 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
242 if (err != 0) {
243 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
244 return -1;
245 }
246 return 0;
247 }
248
249 SEC("kretprobe/do_readv")
BPF_KRETPROBE(do_readv_exit,int64_t retval)250 int BPF_KRETPROBE(do_readv_exit, int64_t retval)
251 {
252 if (check_current_pid(-1, -1) != 0) {
253 // not any one of target processes, skip it
254 return 0;
255 }
256 return emit_event(ctx, retval, FSTRACE);
257 }
258
259 SEC("kprobe/do_writev")
BPF_KPROBE(do_writev_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,rwf_t flags)260 int BPF_KPROBE(do_writev_entry, unsigned long fd, const struct iovec __user* vec, unsigned long vlen, rwf_t flags)
261 {
262 if (check_current_pid(-1, -1) != 0) {
263 // not any one of target processes, skip it
264 return 0;
265 }
266 struct start_event_t start_event = {};
267 __builtin_memset(&start_event, 0, sizeof(start_event));
268 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
269 u64 pid_tgid = bpf_get_current_pid_tgid();
270 // get timestamp of the start of system call
271 fs_se->stime = bpf_ktime_get_ns();
272 // get argument of the system call
273 fs_se->type = SYS_WRITEV;
274 struct sys_writev_args_t* args = &fs_se->writev_args;
275 args->fd = fd;
276 args->vec = vec;
277 args->vlen = vlen;
278 args->flags = flags;
279
280 // store the start event with pid as key
281 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
282 if (err != 0) {
283 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
284 return -1;
285 }
286 return 0;
287 }
288
289 SEC("kretprobe/do_writev")
BPF_KRETPROBE(do_writev_exit,int64_t retval)290 int BPF_KRETPROBE(do_writev_exit, int64_t retval)
291 {
292 if (check_current_pid(-1, -1) != 0) {
293 // not any one of target processes, skip it
294 return 0;
295 }
296 return emit_event(ctx, retval, FSTRACE);
297 }
298
299 SEC("kprobe/do_preadv")
BPF_KPROBE(do_preadv_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,loff_t pos,rwf_t flags)300 int BPF_KPROBE(do_preadv_entry,
301 unsigned long fd, const struct iovec __user* vec,
302 unsigned long vlen, loff_t pos, rwf_t flags)
303 {
304 if (check_current_pid(-1, -1) != 0) {
305 // not any one of target processes, skip it
306 return 0;
307 }
308 struct start_event_t start_event = {};
309 __builtin_memset(&start_event, 0, sizeof(start_event));
310 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
311 u64 pid_tgid = bpf_get_current_pid_tgid();
312 // get timestamp of the start of system call
313 fs_se->stime = bpf_ktime_get_ns();
314 // get argument of the system call
315 fs_se->type = SYS_PREADV;
316 struct sys_preadv_args_t* args = &fs_se->preadv_args;
317 args->fd = fd;
318 args->vec = vec;
319 args->vlen = vlen;
320 args->pos = pos;
321 args->flags = flags;
322
323 // store the start event with pid as key
324 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
325 if (err != 0) {
326 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
327 return -1;
328 }
329 return 0;
330 }
331
332 SEC("kretprobe/do_preadv")
BPF_KRETPROBE(do_preadv_exit,int64_t retval)333 int BPF_KRETPROBE(do_preadv_exit, int64_t retval)
334 {
335 if (check_current_pid(-1, -1) != 0) {
336 // not any one of target processes, skip it
337 return 0;
338 }
339 return emit_event(ctx, retval, FSTRACE);
340 }
341
pos_from_hilo(unsigned long high,unsigned long low)342 static inline loff_t pos_from_hilo(unsigned long high, unsigned long low)
343 {
344 #define HALF_LONG_BITS (__SIZEOF_LONG__ * 4)
345 return (((loff_t)high << HALF_LONG_BITS) << HALF_LONG_BITS) | low;
346 }
347
pwritev_entry(unsigned long fd,const struct iovec __user * vec,unsigned long vlen,loff_t pos,rwf_t flags)348 static __always_inline int pwritev_entry(unsigned long fd, const struct iovec __user* vec,
349 unsigned long vlen, loff_t pos, rwf_t flags)
350 {
351 if (check_current_pid(-1, -1) != 0) {
352 return 0;
353 }
354 struct start_event_t start_event = {};
355 __builtin_memset(&start_event, 0, sizeof(start_event));
356 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
357 u64 pid_tgid = bpf_get_current_pid_tgid();
358 // get timestamp of the start of system call
359 fs_se->stime = bpf_ktime_get_ns();
360 // get argument of the system call
361 fs_se->type = SYS_PWRITEV;
362 struct sys_pwritev_args_t* args = &fs_se->pwritev_args;
363 args->fd = fd;
364 args->vec = vec;
365 args->vlen = vlen;
366 args->pos = pos;
367 args->flags = flags;
368
369 // store the start event with pid as key
370 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
371 if (err != 0) {
372 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
373 return -1;
374 }
375 return 0;
376 }
377
pwritev_exit(void * ctx,int64_t retval)378 static __always_inline int pwritev_exit(void* ctx, int64_t retval)
379 {
380 if (check_current_pid(-1, -1) != 0) {
381 return 0;
382 }
383 return emit_event(ctx, retval, FSTRACE);
384 }
385
386 SEC("kprobe/__arm64_sys_pwritev")
BPF_KPROBE(__arm64_sys_pwritev_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,unsigned long pos_l,unsigned long pos_h)387 int BPF_KPROBE(__arm64_sys_pwritev_entry,
388 unsigned long fd, const struct iovec __user * vec,
389 unsigned long vlen, unsigned long pos_l, unsigned long pos_h)
390 {
391 loff_t pos = pos_from_hilo(pos_h, pos_l);
392 return pwritev_entry(fd, vec, vlen, pos, 0);
393 }
394
395 SEC("kretprobe/__arm64_sys_pwritev")
BPF_KRETPROBE(__arm64_sys_pwritev_exit,int64_t retval)396 int BPF_KRETPROBE(__arm64_sys_pwritev_exit, int64_t retval)
397 {
398 return pwritev_exit(ctx, retval);
399 }
400
401 SEC("kprobe/__arm64_sys_pwritev2")
BPF_KPROBE(__arm64_sys_pwritev2_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,unsigned long pos_l,unsigned long pos_h,rwf_t flags)402 int BPF_KPROBE(__arm64_sys_pwritev2_entry,
403 unsigned long fd, const struct iovec __user * vec,
404 unsigned long vlen, unsigned long pos_l, unsigned long pos_h, rwf_t flags)
405 {
406 loff_t pos = pos_from_hilo(pos_h, pos_l);
407 if (pos == -1) {
408 return 0;
409 }
410 return pwritev_entry(fd, vec, vlen, pos, flags);
411 }
412
413 SEC("kretprobe/__arm64_sys_pwritev2")
BPF_KRETPROBE(__arm64_sys_pwritev2_exit,int64_t retval)414 int BPF_KRETPROBE(__arm64_sys_pwritev2_exit, int64_t retval)
415 {
416 return pwritev_exit(ctx, retval);
417 }
418
419 SEC("kprobe/__arm64_compat_sys_pwritev")
BPF_KPROBE(__arm64_compat_sys_pwritev_entry,compat_ulong_t fd,const struct iovec __user * vec,compat_ulong_t vlen,u32 pos_low,u32 pos_high)420 int BPF_KPROBE(__arm64_compat_sys_pwritev_entry,
421 compat_ulong_t fd, const struct iovec __user* vec,
422 compat_ulong_t vlen, u32 pos_low, u32 pos_high)
423 {
424 loff_t pos = ((loff_t)pos_high << 32) | pos_low;
425 return pwritev_entry(fd, vec, vlen, pos, 0);
426 }
427
428 SEC("kretprobe/__arm64_compat_sys_pwritev")
BPF_KRETPROBE(__arm64_compat_sys_pwritev_exit,int64_t retval)429 int BPF_KRETPROBE(__arm64_compat_sys_pwritev_exit, int64_t retval)
430 {
431 return pwritev_exit(ctx, retval);
432 }
433
434 SEC("kprobe/__arm64_compat_sys_pwritev2")
BPF_KPROBE(__arm64_compat_sys_pwritev2_entry,compat_ulong_t fd,const struct iovec __user * vec,compat_ulong_t vlen,u32 pos_low,u32 pos_high,rwf_t flags)435 int BPF_KPROBE(__arm64_compat_sys_pwritev2_entry,
436 compat_ulong_t fd, const struct iovec __user* vec,
437 compat_ulong_t vlen, u32 pos_low, u32 pos_high, rwf_t flags)
438 {
439 loff_t pos = ((loff_t)pos_high << 32) | pos_low;
440 if (pos == -1) {
441 return 0;
442 }
443 return pwritev_entry(fd, vec, vlen, pos, flags);
444 }
445
446 SEC("kretprobe/__arm64_compat_sys_pwritev2")
BPF_KRETPROBE(__arm64_compat_sys_pwritev2_exit,int64_t retval)447 int BPF_KRETPROBE(__arm64_compat_sys_pwritev2_exit, int64_t retval)
448 {
449 return pwritev_exit(ctx, retval);
450 }
451
452 SEC("kprobe/__close_fd")
BPF_KPROBE(__close_fd_entry,struct files_struct * files,unsigned fd)453 int BPF_KPROBE(__close_fd_entry, struct files_struct* files, unsigned fd)
454 {
455 if (check_current_pid(-1, -1) != 0) {
456 // not any one of target processes, skip it
457 return 0;
458 }
459 struct start_event_t start_event = {};
460 __builtin_memset(&start_event, 0, sizeof(start_event));
461 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
462 u64 pid_tgid = bpf_get_current_pid_tgid();
463 // get timestamp of the start of system call
464 fs_se->stime = bpf_ktime_get_ns();
465 // get argument of the system call
466 fs_se->type = SYS_CLOSE;
467 struct sys_close_args_t* args = &fs_se->close_args;
468 args->files = files;
469 args->fd = fd;
470 emit_strtrace_event(fs_se->stime, fs_se->type, args, FSTRACE);
471 // store the start event with pid as key
472 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
473 if (err != 0) {
474 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
475 return -1;
476 }
477 return 0;
478 }
479
480 SEC("kretprobe/__close_fd")
BPF_KRETPROBE(__close_fd_exit,int64_t retval)481 int BPF_KRETPROBE(__close_fd_exit, int64_t retval)
482 {
483 if (check_current_pid(-1, -1) != 0) {
484 // not any one of target processes, skip it
485 return 0;
486 }
487 return emit_event(ctx, retval, FSTRACE);
488 }
489 /*************************** fstrace BPF progs END ******************************/
490 #endif // FSTRACE_PROGS_H
491