1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright 2022 Sony Group Corporation */
3 #include <vmlinux.h>
4 
5 #include <bpf/bpf_core_read.h>
6 #include <bpf/bpf_helpers.h>
7 #include <bpf/bpf_tracing.h>
8 #include "bpf_misc.h"
9 
/*
 * Result slots written by handle_sys_prctl() through the plain
 * PT_REGS_PARM*_SYSCALL() accessors combined with bpf_probe_read_kernel().
 * arg4_cx is filled from PT_REGS_PARM4() (the non-syscall accessor) so it
 * can be compared with arg4, which comes from PT_REGS_PARM4_SYSCALL().
 */
int arg1 = 0;
unsigned long arg2 = 0;
unsigned long arg3 = 0;
unsigned long arg4_cx = 0;
unsigned long arg4 = 0;
unsigned long arg5 = 0;

/*
 * Same layout as above, but written by handle_sys_prctl() through the
 * PT_REGS_PARM*_CORE*() variants of the accessors.
 */
int arg1_core = 0;
unsigned long arg2_core = 0;
unsigned long arg3_core = 0;
unsigned long arg4_core_cx = 0;
unsigned long arg4_core = 0;
unsigned long arg5_core = 0;

/* Arguments as delivered to the BPF_KSYSCALL program prctl_enter(). */
int option_syscall = 0;
unsigned long arg2_syscall = 0;
unsigned long arg3_syscall = 0;
unsigned long arg4_syscall = 0;
unsigned long arg5_syscall = 0;

/*
 * Process ID both programs compare against before recording anything.
 * Declared const volatile, so the BPF code only reads it; presumably the
 * userspace loader sets it before the object is loaded.
 * NOTE(review): with the default of 0 no ordinary user process should
 * match, so nothing is recorded until a PID is configured - confirm.
 */
const volatile pid_t filter_pid = 0;
31 
/*
 * kprobe attached to the prctl() syscall entry symbol (SYS_PREFIX "sys_prctl").
 *
 * For calls made by the process selected through filter_pid, the handler
 * resolves the register set holding the syscall arguments and stores the
 * first five arguments in the arg* globals (plain accessors) and in the
 * arg*_core globals (CO-RE accessors).
 *
 * Always returns 0.
 */
SEC("kprobe/" SYS_PREFIX "sys_prctl")
int BPF_KPROBE(handle_sys_prctl)
{
	pid_t tgid = bpf_get_current_pid_tgid() >> 32;
	struct pt_regs *syscall_regs;
	unsigned long parm1 = 0;

	/*
	 * The upper 32 bits of the helper's result are compared with
	 * filter_pid, which limits recording to one process; prctl() calls
	 * from every other task are ignored.
	 * NOTE(review): the helper reports IDs as seen from the initial PID
	 * namespace, so a loader running inside a PID namespace would have
	 * to pass the matching value - confirm for your environment.
	 */
	if (tgid != filter_pid)
		return 0;

	/* Register set that carries the syscall arguments for this probe. */
	syscall_regs = PT_REGS_SYSCALL_REGS(ctx);

	/*
	 * Plain PT_REGS_PARM accessors. Each access goes through
	 * bpf_probe_read_kernel() rather than a direct dereference of
	 * syscall_regs. The helper's return value is discarded, so a failed
	 * read is not reported here; whoever consumes the globals has to
	 * compare them with known expected values.
	 */

#if !defined(bpf_target_arm64) && !defined(bpf_target_s390)
	/* On arm64 and s390 this read is compiled out and arg1 stays 0. */
	bpf_probe_read_kernel(&parm1, sizeof(parm1), &PT_REGS_PARM1_SYSCALL(syscall_regs));
#endif
	/* arg1 is an int: the unsigned long register value is narrowed here. */
	arg1 = parm1;
	bpf_probe_read_kernel(&arg2, sizeof(arg2), &PT_REGS_PARM2_SYSCALL(syscall_regs));
	bpf_probe_read_kernel(&arg3, sizeof(arg3), &PT_REGS_PARM3_SYSCALL(syscall_regs));
	/*
	 * The fourth argument is captured twice, once with the function-call
	 * accessor and once with the syscall accessor.
	 * NOTE(review): presumably this exposes the x86-64 difference between
	 * the two conventions (rcx vs. r10) - confirm against the userspace
	 * side of the test.
	 */
	bpf_probe_read_kernel(&arg4_cx, sizeof(arg4_cx), &PT_REGS_PARM4(syscall_regs));
	bpf_probe_read_kernel(&arg4, sizeof(arg4), &PT_REGS_PARM4_SYSCALL(syscall_regs));
	bpf_probe_read_kernel(&arg5, sizeof(arg5), &PT_REGS_PARM5_SYSCALL(syscall_regs));

	/* CO-RE variants of the same accessors; these return the value directly. */
	arg1_core = PT_REGS_PARM1_CORE_SYSCALL(syscall_regs);
	arg2_core = PT_REGS_PARM2_CORE_SYSCALL(syscall_regs);
	arg3_core = PT_REGS_PARM3_CORE_SYSCALL(syscall_regs);
	arg4_core_cx = PT_REGS_PARM4_CORE(syscall_regs);
	arg4_core = PT_REGS_PARM4_CORE_SYSCALL(syscall_regs);
	arg5_core = PT_REGS_PARM5_CORE_SYSCALL(syscall_regs);

	return 0;
}
66 
/*
 * ksyscall program for prctl(): BPF_KSYSCALL() hands the syscall arguments
 * to the body as ordinary typed parameters, which are copied into the
 * *_syscall globals when the calling process matches filter_pid.
 *
 * Inside this function arg2..arg5 name the parameters, not the file-scope
 * globals of the same name; only the *_syscall globals are written.
 *
 * Always returns 0.
 */
SEC("ksyscall/prctl")
int BPF_KSYSCALL(prctl_enter, int option, unsigned long arg2,
		 unsigned long arg3, unsigned long arg4, unsigned long arg5)
{
	pid_t tgid = bpf_get_current_pid_tgid() >> 32;

	/* Record arguments only for the process selected through filter_pid. */
	if (tgid == filter_pid) {
		option_syscall = option;
		arg2_syscall = arg2;
		arg3_syscall = arg3;
		arg4_syscall = arg4;
		arg5_syscall = arg5;
	}

	return 0;
}
83 
/*
 * License string placed in the object's "license" section.
 * NOTE(review): the kernel uses this declaration to decide whether
 * GPL-only helpers may be called - keep it in sync with the SPDX tag at
 * the top of the file.
 */
char _license[] SEC("license") = "GPL";