177fc0330SKenta Tada // SPDX-License-Identifier: GPL-2.0
277fc0330SKenta Tada /* Copyright 2022 Sony Group Corporation */
377fc0330SKenta Tada #include <vmlinux.h>
477fc0330SKenta Tada
577fc0330SKenta Tada #include <bpf/bpf_core_read.h>
677fc0330SKenta Tada #include <bpf/bpf_helpers.h>
777fc0330SKenta Tada #include <bpf/bpf_tracing.h>
877fc0330SKenta Tada #include "bpf_misc.h"
977fc0330SKenta Tada
1077fc0330SKenta Tada int arg1 = 0;
1177fc0330SKenta Tada unsigned long arg2 = 0;
1277fc0330SKenta Tada unsigned long arg3 = 0;
1377fc0330SKenta Tada unsigned long arg4_cx = 0;
1477fc0330SKenta Tada unsigned long arg4 = 0;
1577fc0330SKenta Tada unsigned long arg5 = 0;
1677fc0330SKenta Tada
1777fc0330SKenta Tada int arg1_core = 0;
1877fc0330SKenta Tada unsigned long arg2_core = 0;
1977fc0330SKenta Tada unsigned long arg3_core = 0;
2077fc0330SKenta Tada unsigned long arg4_core_cx = 0;
2177fc0330SKenta Tada unsigned long arg4_core = 0;
2277fc0330SKenta Tada unsigned long arg5_core = 0;
2377fc0330SKenta Tada
24c2874823SHengqi Chen int option_syscall = 0;
25c2874823SHengqi Chen unsigned long arg2_syscall = 0;
26c2874823SHengqi Chen unsigned long arg3_syscall = 0;
27c2874823SHengqi Chen unsigned long arg4_syscall = 0;
28c2874823SHengqi Chen unsigned long arg5_syscall = 0;
29c2874823SHengqi Chen
3077fc0330SKenta Tada const volatile pid_t filter_pid = 0;
3177fc0330SKenta Tada
3277fc0330SKenta Tada SEC("kprobe/" SYS_PREFIX "sys_prctl")
BPF_KPROBE(handle_sys_prctl)3377fc0330SKenta Tada int BPF_KPROBE(handle_sys_prctl)
3477fc0330SKenta Tada {
3577fc0330SKenta Tada struct pt_regs *real_regs;
3677fc0330SKenta Tada pid_t pid = bpf_get_current_pid_tgid() >> 32;
379e45a377SIlya Leoshkevich unsigned long tmp = 0;
3877fc0330SKenta Tada
3977fc0330SKenta Tada if (pid != filter_pid)
4077fc0330SKenta Tada return 0;
4177fc0330SKenta Tada
423f928cabSIlya Leoshkevich real_regs = PT_REGS_SYSCALL_REGS(ctx);
4377fc0330SKenta Tada
4477fc0330SKenta Tada /* test for PT_REGS_PARM */
454fc49b51SIlya Leoshkevich
469e45a377SIlya Leoshkevich #if !defined(bpf_target_arm64) && !defined(bpf_target_s390)
474fc49b51SIlya Leoshkevich bpf_probe_read_kernel(&tmp, sizeof(tmp), &PT_REGS_PARM1_SYSCALL(real_regs));
489e45a377SIlya Leoshkevich #endif
494fc49b51SIlya Leoshkevich arg1 = tmp;
5077fc0330SKenta Tada bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(real_regs));
5177fc0330SKenta Tada bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(real_regs));
5277fc0330SKenta Tada bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(real_regs));
5377fc0330SKenta Tada bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(real_regs));
5477fc0330SKenta Tada bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(real_regs));
5577fc0330SKenta Tada
5677fc0330SKenta Tada /* test for the CORE variant of PT_REGS_PARM */
5777fc0330SKenta Tada arg1_core = PT_REGS_PARM1_CORE_SYSCALL(real_regs);
5877fc0330SKenta Tada arg2_core = PT_REGS_PARM2_CORE_SYSCALL(real_regs);
5977fc0330SKenta Tada arg3_core = PT_REGS_PARM3_CORE_SYSCALL(real_regs);
6077fc0330SKenta Tada arg4_core_cx = PT_REGS_PARM4_CORE(real_regs);
6177fc0330SKenta Tada arg4_core = PT_REGS_PARM4_CORE_SYSCALL(real_regs);
6277fc0330SKenta Tada arg5_core = PT_REGS_PARM5_CORE_SYSCALL(real_regs);
6377fc0330SKenta Tada
6477fc0330SKenta Tada return 0;
6577fc0330SKenta Tada }
6677fc0330SKenta Tada
67d814ed62SAndrii Nakryiko SEC("ksyscall/prctl")
BPF_KSYSCALL(prctl_enter,int option,unsigned long arg2,unsigned long arg3,unsigned long arg4,unsigned long arg5)68d814ed62SAndrii Nakryiko int BPF_KSYSCALL(prctl_enter, int option, unsigned long arg2,
69c2874823SHengqi Chen unsigned long arg3, unsigned long arg4, unsigned long arg5)
70c2874823SHengqi Chen {
71c2874823SHengqi Chen pid_t pid = bpf_get_current_pid_tgid() >> 32;
72c2874823SHengqi Chen
73c2874823SHengqi Chen if (pid != filter_pid)
74c2874823SHengqi Chen return 0;
75c2874823SHengqi Chen
76c2874823SHengqi Chen option_syscall = option;
77c2874823SHengqi Chen arg2_syscall = arg2;
78c2874823SHengqi Chen arg3_syscall = arg3;
79c2874823SHengqi Chen arg4_syscall = arg4;
80c2874823SHengqi Chen arg5_syscall = arg5;
81c2874823SHengqi Chen return 0;
82c2874823SHengqi Chen }
83c2874823SHengqi Chen
84*92dc5cdfSAndrii Nakryiko __u64 splice_fd_in;
85*92dc5cdfSAndrii Nakryiko __u64 splice_off_in;
86*92dc5cdfSAndrii Nakryiko __u64 splice_fd_out;
87*92dc5cdfSAndrii Nakryiko __u64 splice_off_out;
88*92dc5cdfSAndrii Nakryiko __u64 splice_len;
89*92dc5cdfSAndrii Nakryiko __u64 splice_flags;
90*92dc5cdfSAndrii Nakryiko
91*92dc5cdfSAndrii Nakryiko SEC("ksyscall/splice")
BPF_KSYSCALL(splice_enter,int fd_in,loff_t * off_in,int fd_out,loff_t * off_out,size_t len,unsigned int flags)92*92dc5cdfSAndrii Nakryiko int BPF_KSYSCALL(splice_enter, int fd_in, loff_t *off_in, int fd_out,
93*92dc5cdfSAndrii Nakryiko loff_t *off_out, size_t len, unsigned int flags)
94*92dc5cdfSAndrii Nakryiko {
95*92dc5cdfSAndrii Nakryiko pid_t pid = bpf_get_current_pid_tgid() >> 32;
96*92dc5cdfSAndrii Nakryiko
97*92dc5cdfSAndrii Nakryiko if (pid != filter_pid)
98*92dc5cdfSAndrii Nakryiko return 0;
99*92dc5cdfSAndrii Nakryiko
100*92dc5cdfSAndrii Nakryiko splice_fd_in = fd_in;
101*92dc5cdfSAndrii Nakryiko splice_off_in = (__u64)off_in;
102*92dc5cdfSAndrii Nakryiko splice_fd_out = fd_out;
103*92dc5cdfSAndrii Nakryiko splice_off_out = (__u64)off_out;
104*92dc5cdfSAndrii Nakryiko splice_len = len;
105*92dc5cdfSAndrii Nakryiko splice_flags = flags;
106*92dc5cdfSAndrii Nakryiko
107*92dc5cdfSAndrii Nakryiko return 0;
108*92dc5cdfSAndrii Nakryiko }
109*92dc5cdfSAndrii Nakryiko
11077fc0330SKenta Tada char _license[] SEC("license") = "GPL";
111