inspektor-gadget

audit-seccomp.bpf.c
57 строк · 1.4 Кб
Перенос по словам
1
// SPDX-License-Identifier: GPL-2.0
2
/* Copyright (c) 2021 The Inspektor Gadget authors */
3

4
/* This BPF program uses the GPL-restricted function bpf_probe_read*().
5
 */
6

7
#include <vmlinux.h>
8
#include <bpf/bpf_helpers.h>
9
#include <bpf/bpf_core_read.h>
10
#include <bpf/bpf_tracing.h>
11

12
#include "audit-seccomp.h"
13
#include <gadget/mntns_filter.h>
14

15
/* The stack is limited, so use a map to build the event */
16
struct {
17
	__uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
18
	__uint(max_entries, 1);
19
	__type(key, __u32);
20
	__type(value, struct event);
21
} tmp_event SEC(".maps");
22

23
struct {
24
	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
25
} events SEC(".maps");
26

27
SEC("kprobe/audit_seccomp")
28
int ig_audit_secc(struct pt_regs *ctx)
29
{
30
	unsigned long syscall = PT_REGS_PARM1(ctx);
31
	int code = PT_REGS_PARM3(ctx);
32

33
	__u64 mntns_id = gadget_get_mntns_id();
34
	if (mntns_id == 0)
35
		return 0;
36

37
	if (gadget_should_discard_mntns_id(mntns_id))
38
		return 0;
39

40
	__u32 zero = 0;
41
	struct event *event = bpf_map_lookup_elem(&tmp_event, &zero);
42
	if (!event)
43
		return 0;
44

45
	event->timestamp = bpf_ktime_get_boot_ns();
46
	event->pid = bpf_get_current_pid_tgid();
47
	event->mntns_id = mntns_id;
48
	event->syscall = syscall;
49
	event->code = code;
50
	bpf_get_current_comm(&event->comm, sizeof(event->comm));
51

52
	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, event,
53
			      sizeof(*event));
54
	return 0;
55
}
56

57
char _license[] SEC("license") = "GPL";
58
inspektor-gadget

Использование cookies
