mirror of
https://github.com/eunomia-bpf/bpf-developer-tutorial.git
synced 2026-02-04 02:34:16 +08:00
37 lines
1007 B
C
Executable File
37 lines
1007 B
C
Executable File
// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
|
|
#include <vmlinux.h>
|
|
#include <bpf/bpf_helpers.h>
|
|
#include <bpf/bpf_core_read.h>
|
|
#include "execsnoop.h"
|
|
|
|
struct {
|
|
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
|
|
__uint(key_size, sizeof(u32));
|
|
__uint(value_size, sizeof(u32));
|
|
} events SEC(".maps");
|
|
|
|
SEC("tracepoint/syscalls/sys_enter_execve")
|
|
int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx)
|
|
{
|
|
u64 id;
|
|
pid_t pid, tgid;
|
|
struct event event={0};
|
|
struct task_struct *task;
|
|
|
|
uid_t uid = (u32)bpf_get_current_uid_gid();
|
|
id = bpf_get_current_pid_tgid();
|
|
tgid = id >> 32;
|
|
|
|
event.pid = tgid;
|
|
event.uid = uid;
|
|
task = (struct task_struct*)bpf_get_current_task();
|
|
event.ppid = BPF_CORE_READ(task, real_parent, tgid);
|
|
char *cmd_ptr = (char *) BPF_CORE_READ(ctx, args[0]);
|
|
bpf_probe_read_str(&event.comm, sizeof(event.comm), cmd_ptr);
|
|
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
|
|
return 0;
|
|
}
|
|
|
|
char LICENSE[] SEC("license") = "GPL";
|
|
|