mirror of
https://github.com/eunomia-bpf/bpf-developer-tutorial.git
synced 2026-02-12 22:56:28 +08:00
50 lines
1.2 KiB
C
50 lines
1.2 KiB
C
// SPDX-License-Identifier: BSD-3-Clause
|
|
#include "vmlinux.h"
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <bpf/bpf_tracing.h>
|
|
#include <bpf/bpf_core_read.h>
|
|
#include "signal.h"
|
|
|
|
char LICENSE[] SEC("license") = "Dual BSD/GPL";
|
|
|
|
// Ringbuffer Map to pass messages from kernel to user
|
|
struct {
|
|
__uint(type, BPF_MAP_TYPE_RINGBUF);
|
|
__uint(max_entries, 256 * 1024);
|
|
} rb SEC(".maps");
|
|
|
|
// Optional Target Parent PID
|
|
const volatile int target_ppid = 0;
|
|
|
|
SEC("tp/syscalls/sys_enter_ptrace")
|
|
int bpf_dos(struct trace_event_raw_sys_enter *ctx)
|
|
{
|
|
long ret = 0;
|
|
size_t pid_tgid = bpf_get_current_pid_tgid();
|
|
int pid = pid_tgid >> 32;
|
|
|
|
// if target_ppid is 0 then we target all pids
|
|
if (target_ppid != 0) {
|
|
struct task_struct *task = (struct task_struct *)bpf_get_current_task();
|
|
int ppid = BPF_CORE_READ(task, real_parent, tgid);
|
|
if (ppid != target_ppid) {
|
|
return 0;
|
|
}
|
|
}
|
|
|
|
// Send signal. 9 == SIGKILL
|
|
ret = bpf_send_signal(9);
|
|
|
|
// Log event
|
|
struct event *e;
|
|
e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
|
|
if (e) {
|
|
e->success = (ret == 0);
|
|
e->pid = pid;
|
|
bpf_get_current_comm(&e->comm, sizeof(e->comm));
|
|
bpf_ringbuf_submit(e, 0);
|
|
}
|
|
|
|
return 0;
|
|
}
|