Deploying to gh-pages from @ eunomia-bpf/bpf-developer-tutorial@52ae3ae26d 🚀

7-execsnoop/.gitignore

@@ -0,0 +1,3 @@
+ecli
+*.json
+

7-execsnoop/execsnoop.bpf.c

@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_core_read.h>
+#include "execsnoop.h"
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+	__uint(key_size, sizeof(u32));
+	__uint(value_size, sizeof(u32));
+} events SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_execve")
+int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx)
+{
+	u64 id;
+	pid_t pid, tgid;
+	struct event event;
+	struct task_struct *task;
+
+	uid_t uid = (u32)bpf_get_current_uid_gid();
+	id = bpf_get_current_pid_tgid();
+	pid = (pid_t)id;
+	tgid = id >> 32;
+
+	event.pid = tgid;
+	event.uid = uid;
+	task = (struct task_struct*)bpf_get_current_task();
+	event.ppid = BPF_CORE_READ(task, real_parent, tgid);
+	bpf_get_current_comm(&event.comm, sizeof(event.comm));
+	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
+	return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
+

7-execsnoop/execsnoop.h

@@ -0,0 +1,16 @@
+/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
+#ifndef __EXECSNOOP_H
+#define __EXECSNOOP_H
+
+#define TASK_COMM_LEN 16
+
+struct event {
+	int pid;
+	int ppid;
+	int uid;
+	char comm[TASK_COMM_LEN];
+};
+
+#endif /* __EXECSNOOP_H */
+
+