// SPDX-License-Identifier: GPL-2.0

/*
 * Copyright 2020 Google LLC.
 */

#include "vmlinux.h"
#include <errno.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/*
 * Process id whose exec events are sampled. It is compared with the upper
 * 32 bits of bpf_get_current_pid_tgid(); every other task is ignored.
 * Presumably written by the loader before the programs run - confirm there.
 */
u32 monitored_pid = 0;

/* Ring buffer that carries one u64 sample per reported exec (1 << 12 bytes). */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 1 << 12);
} ringbuf SEC(".maps");

char _license[] SEC("license") = "GPL";

/* Selects bpf_ima_file_hash() instead of bpf_ima_inode_hash() when true. */
bool use_ima_file_hash;
/* Gates the bprm_creds_for_exec hook; the hook does nothing when false. */
bool enable_bprm_creds_for_exec;

/*
 * Publish the IMA hash of @file to the ring buffer when the current task is
 * the monitored one.
 *
 * The destination is a single u64 and sizeof(u64) is the size handed to the
 * helper, so at most 8 bytes of the digest can be stored. The sample is
 * therefore a digest prefix: enough to compare against an expected value,
 * not a collision-resistant identifier of the file.
 *
 * Nothing is emitted when the helper fails, when the stored value is zero, or
 * when the ring buffer has no room. A consumer cannot tell those cases apart
 * from "no exec happened".
 */
static void ima_test_common(struct file *file)
{
	u32 tgid = bpf_get_current_pid_tgid() >> 32;
	u64 digest = 0;
	u64 *slot;
	int rc;

	/* Only the monitored process is of interest. */
	if (tgid != monitored_pid)
		return;

	if (use_ima_file_hash)
		rc = bpf_ima_file_hash(file, &digest, sizeof(digest));
	else
		rc = bpf_ima_inode_hash(file->f_inode, &digest,
					sizeof(digest));

	/* A negative return is an error; a zero digest is treated as "no hash". */
	if (rc < 0 || digest == 0)
		return;

	slot = bpf_ringbuf_reserve(&ringbuf, sizeof(u64), 0);
	if (!slot)
		return;	/* ring buffer full: the sample is dropped silently */

	*slot = digest;
	bpf_ringbuf_submit(slot, 0);
}

/* Sleepable LSM hook: sample the hash of the file being executed. */
SEC("lsm.s/bprm_committed_creds")
void BPF_PROG(bprm_committed_creds, struct linux_binprm *bprm)
{
	ima_test_common(bprm->file);
}

/*
 * Sleepable LSM hook on bprm_creds_for_exec. It samples the hash only when
 * enable_bprm_creds_for_exec is set and always returns 0, so it observes the
 * exec and never denies it.
 */
SEC("lsm.s/bprm_creds_for_exec")
int BPF_PROG(bprm_creds_for_exec, struct linux_binprm *bprm)
{
	if (enable_bprm_creds_for_exec)
		ima_test_common(bprm->file);

	return 0;
}