// SPDX-License-Identifier: GPL-2.0
/* Copyright (c) 2020 Facebook */

#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>

/* Size bound, in bytes, handed to every string read in this file. */
#define MAX_LEN 256

/*
 * Source strings for the reads. Nothing in this file writes them;
 * presumably the user-space side of the test fills them in - confirm.
 */
char buf_in1[MAX_LEN] = {};
char buf_in2[MAX_LEN] = {};

/* Gate: every varlen handler returns early unless both of these match. */
int test_pid = 0;
bool capture = false;

/*
 * Each payloadN buffer is MAX_LEN + MAX_LEN bytes. A handler performs two
 * reads of at most MAX_LEN bytes each, the second starting where the first
 * one ended, so the second write stays inside the buffer only as long as
 * the first advance is bounded by MAX_LEN.
 */

/* .bss */
__u64 payload1_len1 = 0;
__u64 payload1_len2 = 0;
__u64 total1 = 0;
char payload1[MAX_LEN + MAX_LEN] = {};

/* .data */
int payload2_len1 = -1;
int payload2_len2 = -1;
int total2 = -1;
char payload2[MAX_LEN + MAX_LEN] = { 1 };

int payload3_len1 = -1;
int payload3_len2 = -1;
int total3 = -1;
char payload3[MAX_LEN + MAX_LEN] = { 1 };

int payload4_len1 = -1;
int payload4_len2 = -1;
int total4 = -1;
char payload4[MAX_LEN + MAX_LEN] = { 1 };

/*
 * raw_tp/sys_enter: copy buf_in1, then buf_in2, back to back into payload1.
 *
 * The helper's result is kept in a signed long and the write cursor only
 * advances when that result is non-negative, so an error return never moves
 * the cursor. Lengths go to payload1_len1/payload1_len2 and the number of
 * bytes consumed to total1, all of them __u64.
 *
 * NOTE(review): the name says "unsigned" while the local length is a signed
 * long; presumably the name refers to the __u64 result variables - confirm
 * before "aligning" either one.
 *
 * Always returns 0.
 */
SEC("raw_tp/sys_enter")
int handler64_unsigned(void *regs)
{
	int cur_pid = bpf_get_current_pid_tgid() >> 32;
	void *cursor = payload1;
	long len;

	/* only the process under test, and only while capturing */
	if (cur_pid != test_pid || !capture)
		return 0;

	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in1);
	if (len >= 0) {
		cursor += len;
		payload1_len1 = len;
	}

	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in2);
	if (len >= 0) {
		cursor += len;
		payload1_len2 = len;
	}

	/* bytes consumed by both reads together */
	total1 = cursor - (void *)payload1;

	return 0;
}

/*
 * raw_tp/sys_exit: same two-step copy as above, into payload3.
 *
 * Signed long length, non-negative check before each advance; results are
 * stored in the int variables payload3_len1, payload3_len2 and total3.
 *
 * Always returns 0.
 */
SEC("raw_tp/sys_exit")
int handler64_signed(void *regs)
{
	int cur_pid = bpf_get_current_pid_tgid() >> 32;
	void *cursor = payload3;
	long len;

	/* only the process under test, and only while capturing */
	if (cur_pid != test_pid || !capture)
		return 0;

	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in1);
	if (len >= 0) {
		cursor += len;
		payload3_len1 = len;
	}
	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in2);
	if (len >= 0) {
		cursor += len;
		payload3_len2 = len;
	}
	total3 = cursor - (void *)payload3;

	return 0;
}

/*
 * tp/raw_syscalls/sys_enter: two-step copy into payload2 with a u32 length.
 *
 * Because the length is unsigned, a negative helper result converts to a
 * value far above MAX_LEN, so the single "len <= MAX_LEN" comparison both
 * rejects errors and bounds the cursor advance. Do not replace it with a
 * ">= 0" test: on a u32 that is always true.
 *
 * Results are stored in the int variables payload2_len1, payload2_len2 and
 * total2. Always returns 0.
 */
SEC("tp/raw_syscalls/sys_enter")
int handler32_unsigned(void *regs)
{
	int cur_pid = bpf_get_current_pid_tgid() >> 32;
	void *cursor = payload2;
	u32 len;

	/* only the process under test, and only while capturing */
	if (cur_pid != test_pid || !capture)
		return 0;

	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in1);
	if (len <= MAX_LEN) {
		cursor += len;
		payload2_len1 = len;
	}

	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in2);
	if (len <= MAX_LEN) {
		cursor += len;
		payload2_len2 = len;
	}

	total2 = cursor - (void *)payload2;

	return 0;
}

/*
 * tp/raw_syscalls/sys_exit: two-step copy into payload4.
 *
 * Signed long length with a non-negative check before each advance; results
 * are stored in the int variables payload4_len1, payload4_len2 and total4.
 *
 * NOTE(review): the name says "32" while the local length is a long;
 * presumably it refers to the int result variables - confirm.
 *
 * Always returns 0.
 */
SEC("tp/raw_syscalls/sys_exit")
int handler32_signed(void *regs)
{
	int cur_pid = bpf_get_current_pid_tgid() >> 32;
	void *cursor = payload4;
	long len;

	/* only the process under test, and only while capturing */
	if (cur_pid != test_pid || !capture)
		return 0;

	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in1);
	if (len >= 0) {
		cursor += len;
		payload4_len1 = len;
	}
	len = bpf_probe_read_kernel_str(cursor, MAX_LEN, buf_in2);
	if (len >= 0) {
		cursor += len;
		payload4_len2 = len;
	}
	total4 = cursor - (void *)payload4;

	return 0;
}

/*
 * tp/syscalls/sys_exit_getpid: try to read sizeof(long) bytes from address 0
 * with bpf_probe_read_kernel() and return 1 when the helper reports a
 * non-zero result, 0 otherwise. Not gated on test_pid or capture.
 *
 * NOTE(review): presumably checks that a failing kernel read comes back as
 * an error code the program can branch on - confirm against the user-space
 * half of the test.
 */
SEC("tp/syscalls/sys_exit_getpid")
int handler_exit(void *regs)
{
	long scratch;

	if (bpf_probe_read_kernel(&scratch, sizeof(scratch), 0))
		return 1;

	return 0;
}

char LICENSE[] SEC("license") = "GPL";