1 /*
2 * Copyright (c) 2024 Huawei Device Co., Ltd. All rights reserved.
3
4 * The fstrace_progs.h is dual licensed: you can use it either under the terms of
5 * the GPL V2, or the 3-Clause BSD license, at your option.
6 * See the LICENSE file in the root of this repository for complete details.
7 */
8
9 /* This line is generated to truncate the original file */
10 /************************** fstrace BPF progs BEGIN *****************************/
11 #ifndef FSTRACE_PROGS_H
12 #define FSTRACE_PROGS_H
13
14 SEC("kprobe/do_sys_openat2")
BPF_KPROBE(do_sys_openat2_entry,int dfd,const char __user * filename,struct open_how * how)15 int BPF_KPROBE(do_sys_openat2_entry, int dfd, const char __user* filename, struct open_how* how)
16 {
17 if (check_current_pid(-1, -1) != 0) {
18 // not any one of target processes, skip it
19 return 0;
20 }
21 struct start_event_t start_event = {};
22 __builtin_memset(&start_event, 0, sizeof(start_event));
23 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
24 u64 pid_tgid = bpf_get_current_pid_tgid();
25 // get timestamp of the start of system call
26 fs_se->stime = bpf_ktime_get_ns();
27 // get argument of the system call
28 fs_se->type = SYS_OPENAT2;
29 struct sys_openat2_args_t* args = &fs_se->openat2_args;
30 args->dfd = dfd;
31 args->filename = filename;
32 emit_strtrace_event(fs_se->stime, fs_se->type, filename, FSTRACE);
33 args->how = how;
34
35 // store the start event with pid as key
36 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
37 if (err != 0) {
38 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
39 return -1;
40 }
41 return 0;
42 }
43
44 SEC("kretprobe/do_sys_openat2")
BPF_KRETPROBE(do_sys_openat2_exit,int64_t retval)45 int BPF_KRETPROBE(do_sys_openat2_exit, int64_t retval)
46 {
47 if (check_current_pid(-1, -1) != 0) {
48 // not any one of target processes, skip it
49 return 0;
50 }
51 return emit_event(ctx, retval, FSTRACE);
52 }
53
54 SEC("kprobe/ksys_read")
BPF_KPROBE(ksys_read_entry,unsigned int fd,char __user * buf,size_t count)55 int BPF_KPROBE(ksys_read_entry, unsigned int fd, char __user* buf, size_t count)
56 {
57 if (check_current_pid(-1, -1) != 0) {
58 // not any one of target processes, skip it
59 return 0;
60 }
61 struct start_event_t start_event = {};
62 __builtin_memset(&start_event, 0, sizeof(start_event));
63 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
64 u64 pid_tgid = bpf_get_current_pid_tgid();
65 // get timestamp of the start of system call
66 fs_se->stime = bpf_ktime_get_ns();
67 // get argument of the system call
68 fs_se->type = SYS_READ;
69 struct sys_read_args_t* args = &fs_se->read_args;
70 args->fd = fd;
71 args->buf = buf;
72 args->count = count;
73
74 // store the start event with pid as key
75 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
76 if (err != 0) {
77 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
78 return -1;
79 }
80 return 0;
81 }
82
83 SEC("kretprobe/ksys_read")
BPF_KRETPROBE(ksys_read_exit,int64_t retval)84 int BPF_KRETPROBE(ksys_read_exit, int64_t retval)
85 {
86 if (check_current_pid(-1, -1) != 0) {
87 // not any one of target processes, skip it
88 return 0;
89 }
90 return emit_event(ctx, retval, FSTRACE);
91 }
92
93 SEC("kprobe/ksys_write")
BPF_KPROBE(ksys_write_entry,unsigned int fd,const char __user * buf,size_t count)94 int BPF_KPROBE(ksys_write_entry, unsigned int fd, const char __user* buf, size_t count)
95 {
96 if (check_current_pid(-1, -1) != 0) {
97 // not any one of target processes, skip it
98 return 0;
99 }
100 struct start_event_t start_event = {};
101 __builtin_memset(&start_event, 0, sizeof(start_event));
102 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
103 u64 pid_tgid = bpf_get_current_pid_tgid();
104 // get timestamp of the start of system call
105 fs_se->stime = bpf_ktime_get_ns();
106 // get argument of the system call
107 fs_se->type = SYS_WRITE;
108 struct sys_write_args_t* args = &fs_se->write_args;
109 args->fd = fd;
110 args->buf = buf;
111 args->count = count;
112
113 // store the start event with pid as key
114 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
115 if (err != 0) {
116 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
117 return -1;
118 }
119 return 0;
120 }
121
122 SEC("kretprobe/ksys_write")
BPF_KRETPROBE(ksys_write_exit,int64_t retval)123 int BPF_KRETPROBE(ksys_write_exit, int64_t retval)
124 {
125 if (check_current_pid(-1, -1) != 0) {
126 // not any one of target processes, skip it
127 return 0;
128 }
129 return emit_event(ctx, retval, FSTRACE);
130 }
131
132 SEC("kprobe/ksys_pread64")
BPF_KPROBE(ksys_pread64_entry,unsigned int fd,char __user * buf,size_t count,loff_t pos)133 int BPF_KPROBE(ksys_pread64_entry, unsigned int fd, char __user* buf, size_t count, loff_t pos)
134 {
135 if (check_current_pid(-1, -1) != 0) {
136 // not any one of target processes, skip it
137 return 0;
138 }
139 struct start_event_t start_event = {};
140 __builtin_memset(&start_event, 0, sizeof(start_event));
141 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
142 u64 pid_tgid = bpf_get_current_pid_tgid();
143 // get timestamp of the start of system call
144 fs_se->stime = bpf_ktime_get_ns();
145 // get argument of the system call
146 fs_se->type = SYS_PREAD64;
147 struct sys_pread64_args_t* args = &fs_se->pread64_args;
148 args->fd = fd;
149 args->buf = buf;
150 args->count = count;
151 args->pos = pos;
152
153 // store the start event with pid as key
154 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
155 if (err != 0) {
156 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
157 return -1;
158 }
159 return 0;
160 }
161
162 SEC("kretprobe/ksys_pread64")
BPF_KRETPROBE(ksys_pread64_exit,int64_t retval)163 int BPF_KRETPROBE(ksys_pread64_exit, int64_t retval)
164 {
165 if (check_current_pid(-1, -1) != 0) {
166 // not any one of target processes, skip it
167 return 0;
168 }
169 return emit_event(ctx, retval, FSTRACE);
170 }
171
172 SEC("kprobe/ksys_pwrite64")
BPF_KPROBE(ksys_pwrite64_entry,unsigned int fd,const char __user * buf,size_t count,loff_t pos)173 int BPF_KPROBE(ksys_pwrite64_entry, unsigned int fd, const char __user* buf, size_t count, loff_t pos)
174 {
175 if (check_current_pid(-1, -1) != 0) {
176 // not any one of target processes, skip it
177 return 0;
178 }
179 struct start_event_t start_event = {};
180 __builtin_memset(&start_event, 0, sizeof(start_event));
181 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
182 u64 pid_tgid = bpf_get_current_pid_tgid();
183 // get timestamp of the start of system call
184 fs_se->stime = bpf_ktime_get_ns();
185 // get argument of the system call
186 fs_se->type = SYS_PWRITE64;
187 struct sys_pwrite64_args_t* args = &fs_se->pwrite64_args;
188 args->fd = fd;
189 args->buf = buf;
190 args->count = count;
191 args->pos = pos;
192
193 // store the start event with pid as key
194 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
195 if (err != 0) {
196 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
197 return -1;
198 }
199 return 0;
200 }
201
202 SEC("kretprobe/ksys_pwrite64")
BPF_KRETPROBE(ksys_pwrite64_exit,int64_t retval)203 int BPF_KRETPROBE(ksys_pwrite64_exit, int64_t retval)
204 {
205 if (check_current_pid(-1, -1) != 0) {
206 // not any one of target processes, skip it
207 return 0;
208 }
209 return emit_event(ctx, retval, FSTRACE);
210 }
211
212 SEC("kprobe/do_readv")
BPF_KPROBE(do_readv_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,rwf_t flags)213 int BPF_KPROBE(do_readv_entry, unsigned long fd, const struct iovec __user* vec, unsigned long vlen, rwf_t flags)
214 {
215 if (check_current_pid(-1, -1) != 0) {
216 // not any one of target processes, skip it
217 return 0;
218 }
219 struct start_event_t start_event = {};
220 __builtin_memset(&start_event, 0, sizeof(start_event));
221 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
222 u64 pid_tgid = bpf_get_current_pid_tgid();
223 // get timestamp of the start of system call
224 fs_se->stime = bpf_ktime_get_ns();
225 // get argument of the system call
226 fs_se->type = SYS_READV;
227 struct sys_readv_args_t* args = &fs_se->readv_args;
228 args->fd = fd;
229 args->vec = vec;
230 args->vlen = vlen;
231 args->flags = flags;
232
233 // store the start event with pid as key
234 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
235 if (err != 0) {
236 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
237 return -1;
238 }
239 return 0;
240 }
241
242 SEC("kretprobe/do_readv")
BPF_KRETPROBE(do_readv_exit,int64_t retval)243 int BPF_KRETPROBE(do_readv_exit, int64_t retval)
244 {
245 if (check_current_pid(-1, -1) != 0) {
246 // not any one of target processes, skip it
247 return 0;
248 }
249 return emit_event(ctx, retval, FSTRACE);
250 }
251
252 SEC("kprobe/do_writev")
BPF_KPROBE(do_writev_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,rwf_t flags)253 int BPF_KPROBE(do_writev_entry, unsigned long fd, const struct iovec __user* vec, unsigned long vlen, rwf_t flags)
254 {
255 if (check_current_pid(-1, -1) != 0) {
256 // not any one of target processes, skip it
257 return 0;
258 }
259 struct start_event_t start_event = {};
260 __builtin_memset(&start_event, 0, sizeof(start_event));
261 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
262 u64 pid_tgid = bpf_get_current_pid_tgid();
263 // get timestamp of the start of system call
264 fs_se->stime = bpf_ktime_get_ns();
265 // get argument of the system call
266 fs_se->type = SYS_WRITEV;
267 struct sys_writev_args_t* args = &fs_se->writev_args;
268 args->fd = fd;
269 args->vec = vec;
270 args->vlen = vlen;
271 args->flags = flags;
272
273 // store the start event with pid as key
274 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
275 if (err != 0) {
276 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
277 return -1;
278 }
279 return 0;
280 }
281
282 SEC("kretprobe/do_writev")
BPF_KRETPROBE(do_writev_exit,int64_t retval)283 int BPF_KRETPROBE(do_writev_exit, int64_t retval)
284 {
285 if (check_current_pid(-1, -1) != 0) {
286 // not any one of target processes, skip it
287 return 0;
288 }
289 return emit_event(ctx, retval, FSTRACE);
290 }
291
292 SEC("kprobe/do_preadv")
BPF_KPROBE(do_preadv_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,loff_t pos,rwf_t flags)293 int BPF_KPROBE(do_preadv_entry,
294 unsigned long fd, const struct iovec __user* vec,
295 unsigned long vlen, loff_t pos, rwf_t flags)
296 {
297 if (check_current_pid(-1, -1) != 0) {
298 // not any one of target processes, skip it
299 return 0;
300 }
301 struct start_event_t start_event = {};
302 __builtin_memset(&start_event, 0, sizeof(start_event));
303 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
304 u64 pid_tgid = bpf_get_current_pid_tgid();
305 // get timestamp of the start of system call
306 fs_se->stime = bpf_ktime_get_ns();
307 // get argument of the system call
308 fs_se->type = SYS_PREADV;
309 struct sys_preadv_args_t* args = &fs_se->preadv_args;
310 args->fd = fd;
311 args->vec = vec;
312 args->vlen = vlen;
313 args->pos = pos;
314 args->flags = flags;
315
316 // store the start event with pid as key
317 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
318 if (err != 0) {
319 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
320 return -1;
321 }
322 return 0;
323 }
324
325 SEC("kretprobe/do_preadv")
BPF_KRETPROBE(do_preadv_exit,int64_t retval)326 int BPF_KRETPROBE(do_preadv_exit, int64_t retval)
327 {
328 if (check_current_pid(-1, -1) != 0) {
329 // not any one of target processes, skip it
330 return 0;
331 }
332 return emit_event(ctx, retval, FSTRACE);
333 }
334
pos_from_hilo(unsigned long high,unsigned long low)335 static inline loff_t pos_from_hilo(unsigned long high, unsigned long low)
336 {
337 #define HALF_LONG_BITS (__SIZEOF_LONG__ * 4)
338 return (((loff_t)high << HALF_LONG_BITS) << HALF_LONG_BITS) | low;
339 }
340
pwritev_entry(unsigned long fd,const struct iovec __user * vec,unsigned long vlen,loff_t pos,rwf_t flags)341 static __always_inline int pwritev_entry(unsigned long fd, const struct iovec __user* vec,
342 unsigned long vlen, loff_t pos, rwf_t flags)
343 {
344 if (check_current_pid(-1, -1) != 0) {
345 return 0;
346 }
347 struct start_event_t start_event = {};
348 __builtin_memset(&start_event, 0, sizeof(start_event));
349 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
350 u64 pid_tgid = bpf_get_current_pid_tgid();
351 // get timestamp of the start of system call
352 fs_se->stime = bpf_ktime_get_ns();
353 // get argument of the system call
354 fs_se->type = SYS_PWRITEV;
355 struct sys_pwritev_args_t* args = &fs_se->pwritev_args;
356 args->fd = fd;
357 args->vec = vec;
358 args->vlen = vlen;
359 args->pos = pos;
360 args->flags = flags;
361
362 // store the start event with pid as key
363 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
364 if (err != 0) {
365 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
366 return -1;
367 }
368 return 0;
369 }
370
pwritev_exit(void * ctx,int64_t retval)371 static __always_inline int pwritev_exit(void* ctx, int64_t retval)
372 {
373 if (check_current_pid(-1, -1) != 0) {
374 return 0;
375 }
376 return emit_event(ctx, retval, FSTRACE);
377 }
378
379 SEC("kprobe/__arm64_sys_pwritev")
BPF_KPROBE(__arm64_sys_pwritev_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,unsigned long pos_l,unsigned long pos_h)380 int BPF_KPROBE(__arm64_sys_pwritev_entry,
381 unsigned long fd, const struct iovec __user * vec,
382 unsigned long vlen, unsigned long pos_l, unsigned long pos_h)
383 {
384 loff_t pos = pos_from_hilo(pos_h, pos_l);
385 return pwritev_entry(fd, vec, vlen, pos, 0);
386 }
387
388 SEC("kretprobe/__arm64_sys_pwritev")
BPF_KRETPROBE(__arm64_sys_pwritev_exit,int64_t retval)389 int BPF_KRETPROBE(__arm64_sys_pwritev_exit, int64_t retval)
390 {
391 return pwritev_exit(ctx, retval);
392 }
393
394 SEC("kprobe/__arm64_sys_pwritev2")
BPF_KPROBE(__arm64_sys_pwritev2_entry,unsigned long fd,const struct iovec __user * vec,unsigned long vlen,unsigned long pos_l,unsigned long pos_h,rwf_t flags)395 int BPF_KPROBE(__arm64_sys_pwritev2_entry,
396 unsigned long fd, const struct iovec __user * vec,
397 unsigned long vlen, unsigned long pos_l, unsigned long pos_h, rwf_t flags)
398 {
399 loff_t pos = pos_from_hilo(pos_h, pos_l);
400 if (pos == -1) {
401 return 0;
402 }
403 return pwritev_entry(fd, vec, vlen, pos, flags);
404 }
405
406 SEC("kretprobe/__arm64_sys_pwritev2")
BPF_KRETPROBE(__arm64_sys_pwritev2_exit,int64_t retval)407 int BPF_KRETPROBE(__arm64_sys_pwritev2_exit, int64_t retval)
408 {
409 return pwritev_exit(ctx, retval);
410 }
411
412 SEC("kprobe/__arm64_compat_sys_pwritev")
BPF_KPROBE(__arm64_compat_sys_pwritev_entry,compat_ulong_t fd,const struct iovec __user * vec,compat_ulong_t vlen,u32 pos_low,u32 pos_high)413 int BPF_KPROBE(__arm64_compat_sys_pwritev_entry,
414 compat_ulong_t fd, const struct iovec __user* vec,
415 compat_ulong_t vlen, u32 pos_low, u32 pos_high)
416 {
417 loff_t pos = ((loff_t)pos_high << 32) | pos_low;
418 return pwritev_entry(fd, vec, vlen, pos, 0);
419 }
420
421 SEC("kretprobe/__arm64_compat_sys_pwritev")
BPF_KRETPROBE(__arm64_compat_sys_pwritev_exit,int64_t retval)422 int BPF_KRETPROBE(__arm64_compat_sys_pwritev_exit, int64_t retval)
423 {
424 return pwritev_exit(ctx, retval);
425 }
426
427 SEC("kprobe/__arm64_compat_sys_pwritev2")
BPF_KPROBE(__arm64_compat_sys_pwritev2_entry,compat_ulong_t fd,const struct iovec __user * vec,compat_ulong_t vlen,u32 pos_low,u32 pos_high,rwf_t flags)428 int BPF_KPROBE(__arm64_compat_sys_pwritev2_entry,
429 compat_ulong_t fd, const struct iovec __user* vec,
430 compat_ulong_t vlen, u32 pos_low, u32 pos_high, rwf_t flags)
431 {
432 loff_t pos = ((loff_t)pos_high << 32) | pos_low;
433 if (pos == -1) {
434 return 0;
435 }
436 return pwritev_entry(fd, vec, vlen, pos, flags);
437 }
438
439 SEC("kretprobe/__arm64_compat_sys_pwritev2")
BPF_KRETPROBE(__arm64_compat_sys_pwritev2_exit,int64_t retval)440 int BPF_KRETPROBE(__arm64_compat_sys_pwritev2_exit, int64_t retval)
441 {
442 return pwritev_exit(ctx, retval);
443 }
444
445 SEC("kprobe/__close_fd")
BPF_KPROBE(__close_fd_entry,struct files_struct * files,unsigned fd)446 int BPF_KPROBE(__close_fd_entry, struct files_struct* files, unsigned fd)
447 {
448 if (check_current_pid(-1, -1) != 0) {
449 // not any one of target processes, skip it
450 return 0;
451 }
452 struct start_event_t start_event = {};
453 __builtin_memset(&start_event, 0, sizeof(start_event));
454 struct fstrace_start_event_t *fs_se = &start_event.fs_se;
455 u64 pid_tgid = bpf_get_current_pid_tgid();
456 // get timestamp of the start of system call
457 fs_se->stime = bpf_ktime_get_ns();
458 // get argument of the system call
459 fs_se->type = SYS_CLOSE;
460 struct sys_close_args_t* args = &fs_se->close_args;
461 args->files = files;
462 args->fd = fd;
463 emit_strtrace_event(fs_se->stime, fs_se->type, args, FSTRACE);
464 // store the start event with pid as key
465 int err = (int) bpf_map_update_elem(&start_event_map, &pid_tgid, &start_event, BPF_ANY);
466 if (err != 0) {
467 BPFLOGE(BPF_TRUE, "failed to store fstrace start event");
468 return -1;
469 }
470 return 0;
471 }
472
473 SEC("kretprobe/__close_fd")
BPF_KRETPROBE(__close_fd_exit,int64_t retval)474 int BPF_KRETPROBE(__close_fd_exit, int64_t retval)
475 {
476 if (check_current_pid(-1, -1) != 0) {
477 // not any one of target processes, skip it
478 return 0;
479 }
480 return emit_event(ctx, retval, FSTRACE);
481 }
482 /*************************** fstrace BPF progs END ******************************/
483 #endif // FSTRACE_PROGS_H
484