// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright 2020 Google LLC.
 */

#include "vmlinux.h"
#include <errno.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/*
 * PID whose exec events are reported. Nothing in this file assigns it;
 * presumably the userspace loader sets it before attaching (TODO confirm).
 */
u32 monitored_pid = 0;

/* Ring buffer used to hand one u64 sample per matching exec to userspace. */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 1 << 12);
} ringbuf SEC(".maps");

char _license[] SEC("license") = "GPL";

/*
 * Sleepable LSM program on bprm_committed_creds: when the current process is
 * monitored_pid, look up the IMA hash of the binary being executed and push
 * its leading bytes to the ring buffer.
 *
 * Review notes for consumers of the ring buffer:
 *  - Only sizeof(u64) bytes of the hash are requested, so each record is a
 *    truncated prefix, not a full digest. It should not be used on its own
 *    as an integrity verdict or as a collision-resistant file identifier.
 *  - A record is emitted only when the helper succeeds, the prefix is
 *    non-zero and ring buffer space is available; every other case returns
 *    silently, so a missing record does not prove that no exec happened.
 */
SEC("lsm.s/bprm_committed_creds")
void BPF_PROG(ima, struct linux_binprm *bprm)
{
	/* The upper 32 bits of pid_tgid are compared against monitored_pid. */
	u32 pid = bpf_get_current_pid_tgid() >> 32;

	/* Ignore every exec that does not come from the monitored process. */
	if (pid != monitored_pid)
		return;

	u64 ima_hash = 0;
	int rc = bpf_ima_inode_hash(bprm->file->f_inode, &ima_hash,
				    sizeof(ima_hash));

	/* A negative return or an untouched (zero) buffer means no usable hash. */
	if (rc < 0)
		return;
	if (ima_hash == 0)
		return;

	u64 *slot = bpf_ringbuf_reserve(&ringbuf, sizeof(u64), 0);

	/* Reservation failed: the sample is dropped without any signal. */
	if (!slot)
		return;

	*slot = ima_hash;
	bpf_ringbuf_submit(slot, 0);
}