1 // SPDX-License-Identifier: GPL-2.0 2 /* Copyright 2022 Sony Group Corporation */ 3 #include <vmlinux.h> 4 5 #include <bpf/bpf_core_read.h> 6 #include <bpf/bpf_helpers.h> 7 #include <bpf/bpf_tracing.h> 8 #include "bpf_misc.h" 9 10 int arg1 = 0; 11 unsigned long arg2 = 0; 12 unsigned long arg3 = 0; 13 unsigned long arg4_cx = 0; 14 unsigned long arg4 = 0; 15 unsigned long arg5 = 0; 16 17 int arg1_core = 0; 18 unsigned long arg2_core = 0; 19 unsigned long arg3_core = 0; 20 unsigned long arg4_core_cx = 0; 21 unsigned long arg4_core = 0; 22 unsigned long arg5_core = 0; 23 24 const volatile pid_t filter_pid = 0; 25 26 SEC("kprobe/" SYS_PREFIX "sys_prctl") 27 int BPF_KPROBE(handle_sys_prctl) 28 { 29 struct pt_regs *real_regs; 30 pid_t pid = bpf_get_current_pid_tgid() >> 32; 31 32 if (pid != filter_pid) 33 return 0; 34 35 real_regs = (struct pt_regs *)PT_REGS_PARM1(ctx); 36 37 /* test for PT_REGS_PARM */ 38 bpf_probe_read_kernel(&arg1, sizeof(arg1), &PT_REGS_PARM1_SYSCALL(real_regs)); 39 bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(real_regs)); 40 bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(real_regs)); 41 bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(real_regs)); 42 bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(real_regs)); 43 bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(real_regs)); 44 45 /* test for the CORE variant of PT_REGS_PARM */ 46 arg1_core = PT_REGS_PARM1_CORE_SYSCALL(real_regs); 47 arg2_core = PT_REGS_PARM2_CORE_SYSCALL(real_regs); 48 arg3_core = PT_REGS_PARM3_CORE_SYSCALL(real_regs); 49 arg4_core_cx = PT_REGS_PARM4_CORE(real_regs); 50 arg4_core = PT_REGS_PARM4_CORE_SYSCALL(real_regs); 51 arg5_core = PT_REGS_PARM5_CORE_SYSCALL(real_regs); 52 53 return 0; 54 } 55 56 char _license[] SEC("license") = "GPL"; 57