/
envoy.istio
/
inspektor-gadget
GigaCode
beta
ОбзорЦентр заботыВойти

inspektor-gadget

Форк
0
Ветки: 190Коммиты: 4601Теги: 49
inspektor-gadget
/pkg
/gadgets
/trace
/signal
/tracer
/bpf
/
sigsnoop.bpf.c 
174 строки · 4.0 Кб
1
// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
2
/* Copyright (c) 2021~2022 Hengqi Chen */
3
#include <vmlinux.h>
4
#include <bpf/bpf_core_read.h>
5
#include <bpf/bpf_helpers.h>
6
#include "sigsnoop.h"
7
#include <gadget/mntns_filter.h>
8


9
#define MAX_ENTRIES 10240
10


11
const volatile pid_t filtered_pid = 0;
12
const volatile int target_signal = 0;
13
const volatile bool failed_only = false;
14


15
// we need this to make sure the compiler doesn't remove our struct
16
const struct event *unusedevent __attribute__((unused));
17


18
struct {
19
	__uint(type, BPF_MAP_TYPE_HASH);
20
	__uint(max_entries, MAX_ENTRIES);
21
	__type(key, __u32);
22
	__type(value, struct event);
23
} values SEC(".maps");
24


25
struct {
26
	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
27
	__uint(key_size, sizeof(__u32));
28
	__uint(value_size, sizeof(__u32));
29
} events SEC(".maps");
30


31
static int probe_entry(pid_t tpid, int sig)
32
{
33
	struct event event = {};
34
	__u64 pid_tgid;
35
	__u32 pid, tid;
36
	u64 mntns_id;
37


38
	mntns_id = gadget_get_mntns_id();
39


40
	if (gadget_should_discard_mntns_id(mntns_id))
41
		return 0;
42


43
	if (target_signal && sig != target_signal)
44
		return 0;
45


46
	pid_tgid = bpf_get_current_pid_tgid();
47
	pid = pid_tgid >> 32;
48
	tid = (__u32)pid_tgid;
49
	if (filtered_pid && pid != filtered_pid)
50
		return 0;
51


52
	event.pid = pid;
53
	event.tpid = tpid;
54
	event.sig = sig;
55
	event.mntns_id = mntns_id;
56
	bpf_get_current_comm(event.comm, sizeof(event.comm));
57
	bpf_map_update_elem(&values, &tid, &event, BPF_ANY);
58
	return 0;
59
}
60


61
static int probe_exit(void *ctx, int ret)
62
{
63
	__u64 pid_tgid = bpf_get_current_pid_tgid();
64
	__u64 uid_gid = bpf_get_current_uid_gid();
65
	__u32 tid = (__u32)pid_tgid;
66
	struct event *eventp;
67


68
	eventp = bpf_map_lookup_elem(&values, &tid);
69
	if (!eventp)
70
		return 0;
71


72
	if (failed_only && ret >= 0)
73
		goto cleanup;
74


75
	eventp->ret = ret;
76
	eventp->timestamp = bpf_ktime_get_boot_ns();
77
	eventp->uid = (u32)uid_gid;
78
	eventp->gid = (u32)(uid_gid >> 32);
79
	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, eventp,
80
			      sizeof(*eventp));
81


82
cleanup:
83
	bpf_map_delete_elem(&values, &tid);
84
	return 0;
85
}
86


87
SEC("tracepoint/syscalls/sys_enter_kill")
88
int ig_sig_kill_e(struct trace_event_raw_sys_enter *ctx)
89
{
90
	pid_t tpid = (pid_t)ctx->args[0];
91
	int sig = (int)ctx->args[1];
92


93
	return probe_entry(tpid, sig);
94
}
95


96
SEC("tracepoint/syscalls/sys_exit_kill")
97
int ig_sig_kill_x(struct trace_event_raw_sys_exit *ctx)
98
{
99
	return probe_exit(ctx, ctx->ret);
100
}
101


102
SEC("tracepoint/syscalls/sys_enter_tkill")
103
int ig_sig_tkill_e(struct trace_event_raw_sys_enter *ctx)
104
{
105
	pid_t tpid = (pid_t)ctx->args[0];
106
	int sig = (int)ctx->args[1];
107


108
	return probe_entry(tpid, sig);
109
}
110


111
SEC("tracepoint/syscalls/sys_exit_tkill")
112
int ig_sig_tkill_x(struct trace_event_raw_sys_exit *ctx)
113
{
114
	return probe_exit(ctx, ctx->ret);
115
}
116


117
SEC("tracepoint/syscalls/sys_enter_tgkill")
118
int ig_sig_tgkill_e(struct trace_event_raw_sys_enter *ctx)
119
{
120
	pid_t tpid = (pid_t)ctx->args[1];
121
	int sig = (int)ctx->args[2];
122


123
	return probe_entry(tpid, sig);
124
}
125


126
SEC("tracepoint/syscalls/sys_exit_tgkill")
127
int ig_sig_tgkill_x(struct trace_event_raw_sys_exit *ctx)
128
{
129
	return probe_exit(ctx, ctx->ret);
130
}
131


132
SEC("tracepoint/signal/signal_generate")
133
int ig_sig_generate(struct trace_event_raw_signal_generate *ctx)
134
{
135
	struct event event = {};
136
	pid_t tpid = ctx->pid;
137
	int ret = ctx->errno;
138
	int sig = ctx->sig;
139
	__u64 pid_tgid;
140
	__u32 pid;
141
	u64 mntns_id;
142
	__u64 uid_gid = bpf_get_current_uid_gid();
143


144
	mntns_id = gadget_get_mntns_id();
145


146
	if (gadget_should_discard_mntns_id(mntns_id))
147
		return 0;
148


149
	if (failed_only && ret == 0)
150
		return 0;
151


152
	if (target_signal && sig != target_signal)
153
		return 0;
154


155
	pid_tgid = bpf_get_current_pid_tgid();
156
	pid = pid_tgid >> 32;
157
	if (filtered_pid && pid != filtered_pid)
158
		return 0;
159


160
	event.pid = pid;
161
	event.tpid = tpid;
162
	event.mntns_id = mntns_id;
163
	event.sig = sig;
164
	event.ret = ret;
165
	event.uid = (u32)uid_gid;
166
	event.gid = (u32)(uid_gid >> 32);
167
	bpf_get_current_comm(event.comm, sizeof(event.comm));
168
	event.timestamp = bpf_ktime_get_boot_ns();
169
	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event,
170
			      sizeof(event));
171
	return 0;
172
}
173


174
char LICENSE[] SEC("license") = "Dual BSD/GPL";
175

Использование cookies

Мы используем файлы cookie в соответствии с Политикой конфиденциальности и Политикой использования cookies.

Нажимая кнопку «Принимаю», Вы даете АО «СберТех» согласие на обработку Ваших персональных данных в целях совершенствования нашего веб-сайта и Сервиса GitVerse, а также повышения удобства их использования.

Запретить использование cookies Вы можете самостоятельно в настройках Вашего браузера.