Arnaldo Carvalho de Melo | 9ab5aad | 2018-08-21 15:02:09 -0300 | [diff] [blame] | 1 | // SPDX-License-Identifier: GPL-2.0 |
| 2 | /* |
| 3 | * Augment the filename syscalls with the contents of the filename pointer argument, |
| 4 | * filtering out those that do not start with /etc/. |
| 5 | * |
| 6 | * Test it with: |
| 7 | * |
| 8 | * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null |
| 9 | * |
| 10 | * It'll catch some openat syscalls related to the dynamic linker and |
| 11 | * the last one should be the one for '/etc/passwd'. |
| 12 | * |
| 13 | * This matches what is marshalled into the raw_syscall:sys_enter payload |
| 14 | * expected by the 'perf trace' beautifiers, and can be used by them unmodified, |
| 15 | * which will be done as that feature is implemented in the next csets, for now |
| 16 | * it will appear in a dump done by the default tracepoint handler in 'perf trace', |
| 17 | * that uses bpf_output__fprintf() to just dump those contents, as done with |
| 18 | * the bpf-output event associated with the __bpf_output__ map declared in |
| 19 | * tools/perf/include/bpf/stdio.h. |
| 20 | */ |
| 21 | |
| 22 | #include <stdio.h> |
| 23 | |
/*
 * bpf-output associated map: the PERF_EVENT_ARRAY that the handlers generated
 * by augmented_filename_syscall_enter() pass to perf_event_output().
 */
bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__);
Arnaldo Carvalho de Melo | 9ab5aad | 2018-08-21 15:02:09 -0300 | [diff] [blame] | 26 | |
/*
 * Filename payload that the handlers place after the raw syscall arguments.
 */
struct augmented_filename {
	/* Return value of probe_read_str() for the copy into value[]. */
	int size;
	/* Explicitly zeroed by the handler's initializer. */
	int reserved;
	/*
	 * Fixed 64-byte copy buffer for the name.
	 * NOTE(review): longer paths presumably arrive truncated; confirm
	 * against probe_read_str() before relying on the full path.
	 */
	char value[64];
};
| 32 | |
/*
 * augmented_filename_syscall_enter(syscall) - generate the syscall-enter
 * handler for one filename-taking syscall.
 *
 * Declares struct augmented_enter_<syscall>_args (the raw arguments followed
 * by a struct augmented_filename) and a handler that:
 *   1. copies the raw arguments with probe_read();
 *   2. copies the string at args->filename_ptr into filename.value and stores
 *      probe_read_str()'s return value in filename.size;
 *   3. returns 0 unless the copied name begins with "/etc";
 *   4. otherwise passes the augmented record to perf_event_output() and
 *      returns its result.
 *
 * struct syscall_enter_<syscall>_args, with a filename_ptr member, must be
 * declared before the macro is used.
 *
 * Limits of the filter, for anyone using it to watch accesses to /etc:
 *   - Only 4 bytes are compared, so the trailing '/' of etc[] is never
 *     checked: any name beginning with "/etc" matches, not just "/etc/...".
 *     NOTE(review): the length may be deliberate for BPF code generation;
 *     confirm before changing it.
 *   - The comparison is made on the path string exactly as passed to the
 *     syscall. No resolution is done, and dfd is never read, so a name that
 *     reaches /etc without literally starting with "/etc" is dropped.
 *   - NOTE(review): the name is read at syscall entry from memory the traced
 *     task presumably still controls, so the recorded name may not be the one
 *     the kernel finally opens; confirm before treating the output as an
 *     audit record.
 *   - NOTE(review): filename.size goes into the output length without a sign
 *     or range check; confirm that a failed probe_read_str() cannot reach the
 *     perf_event_output() call.
 */
#define augmented_filename_syscall_enter(syscall) \
struct augmented_enter_##syscall##_args { \
	struct syscall_enter_##syscall##_args args; \
	struct augmented_filename filename; \
}; \
int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \
{ \
	char etc[6] = "/etc/"; \
	struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; \
	probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \
	augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, \
						      sizeof(augmented_args.filename.value), \
						      args->filename_ptr); \
	/* Prefix test on the first 4 bytes only ("/etc"); non-matching names return 0 */ \
	if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0) \
		return 0; \
	/* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \
	/* Length: the whole record minus the unused tail of value[] */ \
	return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \
				 &augmented_args, \
				 (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \
				 augmented_args.filename.size)); \
}
| 54 | |
/*
 * Arguments of the openat syscall-enter event as received by the handler.
 * NOTE(review): the field order presumably has to mirror the tracepoint's
 * record layout; verify against the tracepoint format before editing.
 */
struct syscall_enter_openat_args {
	unsigned long long common_tp_fields;
	long syscall_nr;
	/* Never read by the generated handler: the /etc test sees only the name string. */
	long dfd;
	/* Source of the string the handler copies with probe_read_str(). */
	char *filename_ptr;
	long flags;
	long mode;
};

/* Generate struct augmented_enter_openat_args and the openat enter handler. */
augmented_filename_syscall_enter(openat);
| 65 | |
/*
 * Arguments of the open syscall-enter event as received by the handler.
 * NOTE(review): the field order presumably has to mirror the tracepoint's
 * record layout; verify against the tracepoint format before editing.
 */
struct syscall_enter_open_args {
	unsigned long long common_tp_fields;
	long syscall_nr;
	/* Source of the string the handler copies with probe_read_str(). */
	char *filename_ptr;
	long flags;
	long mode;
};

/* Generate struct augmented_enter_open_args and the open enter handler. */
augmented_filename_syscall_enter(open);
| 75 | |
/*
 * NOTE(review): license() is defined outside this file; presumably it declares
 * the program's license for the BPF loader. Confirm against its definition.
 */
license(GPL);