#include <linux/sched.h>
#include <linux/fdtable.h>
/*
 * Event record emitted to user space through the `events` perf buffer,
 * one per matched syscall from a tracked process.
 */
struct data_t {
    u64 syscallnum;        /* which probe produced the event: 1 = openat, 2 = link, 3 = unlink */
    u64 pid;               /* TGID of the calling task (upper 32 bits of bpf_get_current_pid_tgid) */
    u64 time;              /* bpf_ktime_get_ns() at the time of the event */
    char pathname1[128];   /* first path argument, copied from user memory; paths longer than the buffer are truncated */
    char pathname2[128];   /* second path argument (link only); unused/zero for openat and unlink */
};
// Hash table that selects which processes are traced.
// It holds the PIDs of processes spawned inside the shell script (i.e. processes
// that may themselves become parents); only a process whose PPID is present in
// ppidlist is monitored. Key = PID, value = that process's PPID.
// NOTE(review): nothing in this file inserts the first entry, so the root PID is
// presumably seeded by the user-space loader - confirm. Entries are only ever
// added here (no exit hook is visible), so a recycled PID can inherit tracking
// from an unrelated, already-exited process.
BPF_HASH(ppidlist, int, int);
// Perf ring buffer carrying struct data_t events to user space.
BPF_PERF_OUTPUT(events);
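/*
 * Probe on execve: propagate tracking from parent to child.
 *
 * If the caller's parent (real_parent->tgid) is already present in ppidlist,
 * the caller's own PID is registered as well (value = its PPID), so processes
 * it spawns later are monitored too. Returns 0 in every case; the probe
 * return value is not used.
 *
 * Entries are added here but never removed in this file, so a reused PID
 * keeps the tracking status of whichever process last held it.
 */
int syscall__execve(struct pt_regs *ctx) {
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    /* Kernel dereference; BCC rewrites it into a bounded probe read. */
    int ppid = task->real_parent->tgid;
    /* Upper 32 bits hold the TGID, i.e. the user-visible PID. */
    int pid = bpf_get_current_pid_tgid() >> 32;

    /* Untracked parent: nothing to do. */
    int *tracked = ppidlist.lookup(&ppid);
    if (!tracked) {
        return 0;
    }
    ppidlist.update(&pid, &ppid);
    return 0;
}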
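/*
 * Probe on openat: report opens of "sh"-like paths by tracked processes.
 *
 * ctx      - probe context, required by perf_submit
 * dirfd    - openat directory fd (not used by the filter)
 * pathname - user-space pointer to the path argument
 *
 * Fires only when the caller's parent is in ppidlist. The path is first
 * copied into the event with a bounded, NUL-terminating string read and the
 * filter then inspects the copy, so the user pointer is never dereferenced
 * directly, a path shorter than 7 bytes is never read past its terminator
 * (the remaining bytes are zero), and no user memory beyond the terminator
 * is shipped to user space.
 *
 * The filter is positional and kept as in the original: the bytes at offsets
 * 5 and 6 must be 's','h' (e.g. "/bin/sh"); it also matches "/bin/shred" and
 * misses "/usr/bin/sh". Returns 0 in every case.
 */
int syscall__openat(struct pt_regs *ctx, int dirfd, const char __user *pathname) {
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    int ppid = task->real_parent->tgid;
    int pid = bpf_get_current_pid_tgid() >> 32;

    if (!ppidlist.lookup(&ppid)) {
        return 0;
    }

    struct data_t data = {};
    /* Negative return: the user page could not be read - drop the event. */
    if (bpf_probe_read_user_str(&data.pathname1, sizeof(data.pathname1), (void *)pathname) < 0) {
        return 0;
    }
    if (data.pathname1[5] != 's' || data.pathname1[6] != 'h') {
        return 0;
    }

    data.syscallnum = 1;   /* 1 = openat (2 = link, 3 = unlink in the sibling probes) */
    data.time = bpf_ktime_get_ns();
    data.pid = pid;
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}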
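/*
 * Probe on link: report hard links where both paths look "sh"-like, made by
 * tracked processes.
 *
 * ctx       - probe context, required by perf_submit
 * pathname1 - user-space pointer to the existing path (oldpath)
 * pathname2 - user-space pointer to the new path (newpath)
 *
 * Fires only when the caller's parent is in ppidlist and BOTH paths pass the
 * filter. Each path is copied into the event with a bounded, NUL-terminating
 * string read before it is inspected, so the user pointers are never
 * dereferenced directly, short paths are never read past their terminator
 * (remaining bytes are zero), and no user memory beyond the terminators is
 * shipped to user space.
 *
 * The filter is positional and kept as in the original: bytes 5 and 6 must
 * be 's','h' (e.g. "/bin/sh"). Returns 0 in every case.
 */
int syscall__link(struct pt_regs *ctx, const char __user *pathname1, const char __user *pathname2) {
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    int ppid = task->real_parent->tgid;
    int pid = bpf_get_current_pid_tgid() >> 32;

    if (!ppidlist.lookup(&ppid)) {
        return 0;
    }

    struct data_t data = {};
    /* Negative return: a user page could not be read - drop the event. */
    if (bpf_probe_read_user_str(&data.pathname1, sizeof(data.pathname1), (void *)pathname1) < 0) {
        return 0;
    }
    if (data.pathname1[5] != 's' || data.pathname1[6] != 'h') {
        return 0;
    }
    if (bpf_probe_read_user_str(&data.pathname2, sizeof(data.pathname2), (void *)pathname2) < 0) {
        return 0;
    }
    if (data.pathname2[5] != 's' || data.pathname2[6] != 'h') {
        return 0;
    }

    data.syscallnum = 2;   /* 2 = link (1 = openat, 3 = unlink in the sibling probes) */
    data.time = bpf_ktime_get_ns();
    data.pid = pid;
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}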
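/*
 * Probe on unlink: report removals of "sh"-like paths by tracked processes.
 *
 * ctx      - probe context, required by perf_submit
 * pathname - user-space pointer to the path argument
 *
 * Fires only when the caller's parent is in ppidlist. The path is first
 * copied into the event with a bounded, NUL-terminating string read and the
 * filter then inspects the copy, so the user pointer is never dereferenced
 * directly, a path shorter than 7 bytes is never read past its terminator
 * (the remaining bytes are zero), and no user memory beyond the terminator
 * is shipped to user space.
 *
 * The filter is positional and kept as in the original: bytes 5 and 6 must
 * be 's','h' (e.g. "/bin/sh"). Returns 0 in every case.
 */
int syscall__unlink(struct pt_regs *ctx, const char __user *pathname) {
    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
    int ppid = task->real_parent->tgid;
    int pid = bpf_get_current_pid_tgid() >> 32;

    if (!ppidlist.lookup(&ppid)) {
        return 0;
    }

    struct data_t data = {};
    /* Negative return: the user page could not be read - drop the event. */
    if (bpf_probe_read_user_str(&data.pathname1, sizeof(data.pathname1), (void *)pathname) < 0) {
        return 0;
    }
    if (data.pathname1[5] != 's' || data.pathname1[6] != 'h') {
        return 0;
    }

    data.syscallnum = 3;   /* 3 = unlink (1 = openat, 2 = link in the sibling probes) */
    data.time = bpf_ktime_get_ns();
    data.pid = pid;
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}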