1 // SPDX-License-Identifier: GPL-2.0
2 // Copyright (c) 2019 Facebook
3 // Copyright (c) 2020 Netflix
4 #include <vmlinux.h>
5 #include <bpf/bpf_helpers.h>
6 #include "opensnoop.h"
7
8 const volatile pid_t targ_pid = 0;
9 const volatile pid_t targ_tgid = 0;
10 const volatile uid_t targ_uid = 0;
11 const volatile bool targ_failed = false;
12
13 struct {
14 __uint(type, BPF_MAP_TYPE_HASH);
15 __uint(max_entries, 10240);
16 __type(key, u32);
17 __type(value, struct args_t);
18 } start SEC(".maps");
19
20 struct {
21 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
22 __uint(key_size, sizeof(u32));
23 __uint(value_size, sizeof(u32));
24 } events SEC(".maps");
25
valid_uid(uid_t uid)26 static __always_inline bool valid_uid(uid_t uid) {
27 return uid != INVALID_UID;
28 }
29
30 static __always_inline
trace_allowed(u32 tgid,u32 pid)31 bool trace_allowed(u32 tgid, u32 pid)
32 {
33 u32 uid;
34
35 /* filters */
36 if (targ_tgid && targ_tgid != tgid)
37 return false;
38 if (targ_pid && targ_pid != pid)
39 return false;
40 if (valid_uid(targ_uid)) {
41 uid = (u32)bpf_get_current_uid_gid();
42 if (targ_uid != uid) {
43 return false;
44 }
45 }
46 return true;
47 }
48
49 SEC("tracepoint/syscalls/sys_enter_open")
tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter * ctx)50 int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx)
51 {
52 u64 id = bpf_get_current_pid_tgid();
53 /* use kernel terminology here for tgid/pid: */
54 u32 tgid = id >> 32;
55 u32 pid = id;
56
57 /* store arg info for later lookup */
58 if (trace_allowed(tgid, pid)) {
59 struct args_t args = {};
60 args.fname = (const char *)ctx->args[0];
61 args.flags = (int)ctx->args[1];
62 bpf_map_update_elem(&start, &pid, &args, 0);
63 }
64 return 0;
65 }
66
67 SEC("tracepoint/syscalls/sys_enter_openat")
tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter * ctx)68 int tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter* ctx)
69 {
70 u64 id = bpf_get_current_pid_tgid();
71 /* use kernel terminology here for tgid/pid: */
72 u32 tgid = id >> 32;
73 u32 pid = id;
74
75 /* store arg info for later lookup */
76 if (trace_allowed(tgid, pid)) {
77 struct args_t args = {};
78 args.fname = (const char *)ctx->args[1];
79 args.flags = (int)ctx->args[2];
80 bpf_map_update_elem(&start, &pid, &args, 0);
81 }
82 return 0;
83 }
84
85 static __always_inline
trace_exit(struct trace_event_raw_sys_exit * ctx)86 int trace_exit(struct trace_event_raw_sys_exit* ctx)
87 {
88 struct event event = {};
89 struct args_t *ap;
90 int ret;
91 u32 pid = bpf_get_current_pid_tgid();
92
93 ap = bpf_map_lookup_elem(&start, &pid);
94 if (!ap)
95 return 0; /* missed entry */
96 ret = ctx->ret;
97 if (targ_failed && ret >= 0)
98 goto cleanup; /* want failed only */
99
100 /* event data */
101 event.pid = bpf_get_current_pid_tgid() >> 32;
102 event.uid = bpf_get_current_uid_gid();
103 bpf_get_current_comm(&event.comm, sizeof(event.comm));
104 bpf_probe_read_user_str(&event.fname, sizeof(event.fname), ap->fname);
105 event.flags = ap->flags;
106 event.ret = ret;
107
108 /* emit event */
109 bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU,
110 &event, sizeof(event));
111
112 cleanup:
113 bpf_map_delete_elem(&start, &pid);
114 return 0;
115 }
116
117 SEC("tracepoint/syscalls/sys_exit_open")
tracepoint__syscalls__sys_exit_open(struct trace_event_raw_sys_exit * ctx)118 int tracepoint__syscalls__sys_exit_open(struct trace_event_raw_sys_exit* ctx)
119 {
120 return trace_exit(ctx);
121 }
122
123 SEC("tracepoint/syscalls/sys_exit_openat")
tracepoint__syscalls__sys_exit_openat(struct trace_event_raw_sys_exit * ctx)124 int tracepoint__syscalls__sys_exit_openat(struct trace_event_raw_sys_exit* ctx)
125 {
126 return trace_exit(ctx);
127 }
128
129 char LICENSE[] SEC("license") = "GPL";
130