1 // SPDX-License-Identifier: GPL-2.0
3 * Augment the raw_syscalls tracepoints with the contents of the pointer arguments.
5 * This exactly matches what is marshalled into the raw_syscall:sys_enter
6 * payload expected by the 'perf trace' beautifiers.
10 #include <bpf/bpf_helpers.h>
11 #include <linux/limits.h>
15 // FIXME: These should come from system headers
18 typedef long long int __s64;
19 typedef __s64 time64_t;
26 /* bpf-output associated map */
27 struct __augmented_syscalls__ {
28 __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
31 __uint(max_entries, MAX_CPUS);
32 } __augmented_syscalls__ SEC(".maps");
35 * What to augment at entry?
37 * Pointer arg payloads (filenames, etc) passed from userspace to the kernel
39 struct syscalls_sys_enter {
40 __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
43 __uint(max_entries, 512);
44 } syscalls_sys_enter SEC(".maps");
47 * What to augment at exit?
49 * Pointer arg payloads returned from the kernel (struct stat, etc) to userspace.
51 struct syscalls_sys_exit {
52 __uint(type, BPF_MAP_TYPE_PROG_ARRAY);
55 __uint(max_entries, 512);
56 } syscalls_sys_exit SEC(".maps");
58 struct syscall_enter_args {
59 unsigned long long common_tp_fields;
61 unsigned long args[6];
64 struct syscall_exit_args {
65 unsigned long long common_tp_fields;
70 struct augmented_arg {
76 struct pids_filtered {
77 __uint(type, BPF_MAP_TYPE_HASH);
80 __uint(max_entries, 64);
81 } pids_filtered SEC(".maps");
84 * Desired design of maximum size and alignment (see RFC2553)
86 #define SS_MAXSIZE 128 /* Implementation specific max size */
88 typedef unsigned short sa_family_t;
91 * FIXME: Should come from system headers
93 * The definition uses anonymous union and struct in order to control the
96 struct sockaddr_storage {
99 sa_family_t ss_family; /* address family */
100 /* Following field(s) are implementation specific */
101 char __data[SS_MAXSIZE - sizeof(unsigned short)];
102 /* space to achieve desired size, */
103 /* _SS_MAXSIZE value minus size of ss_family */
105 void *__align; /* implementation specific desired alignment */
109 struct augmented_args_payload {
110 struct syscall_enter_args args;
113 struct augmented_arg arg, arg2;
115 struct sockaddr_storage saddr;
116 char __data[sizeof(struct augmented_arg)];
120 // We need more tmp space than the BPF stack can give us
121 struct augmented_args_tmp {
122 __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
124 __type(value, struct augmented_args_payload);
125 __uint(max_entries, 1);
126 } augmented_args_tmp SEC(".maps");
128 static inline struct augmented_args_payload *augmented_args_payload(void)
131 return bpf_map_lookup_elem(&augmented_args_tmp, &key);
134 static inline int augmented__output(void *ctx, struct augmented_args_payload *args, int len)
136 /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
137 return bpf_perf_event_output(ctx, &__augmented_syscalls__, BPF_F_CURRENT_CPU, args, len);
141 unsigned int augmented_arg__read_str(struct augmented_arg *augmented_arg, const void *arg, unsigned int arg_len)
143 unsigned int augmented_len = sizeof(*augmented_arg);
144 int string_len = bpf_probe_read_str(&augmented_arg->value, arg_len, arg);
146 augmented_arg->size = augmented_arg->err = 0;
148 * probe_read_str may return < 0, e.g. -EFAULT
149 * So we leave that in the augmented_arg->size that userspace will
151 if (string_len > 0) {
152 augmented_len -= sizeof(augmented_arg->value) - string_len;
153 augmented_len &= sizeof(augmented_arg->value) - 1;
154 augmented_arg->size = string_len;
157 * So that username notice the error while still being able
158 * to skip this augmented arg record
160 augmented_arg->err = string_len;
161 augmented_len = offsetof(struct augmented_arg, value);
164 return augmented_len;
167 SEC("tp/raw_syscalls/sys_enter")
168 int syscall_unaugmented(struct syscall_enter_args *args)
174 * These will be tail_called from SEC("raw_syscalls:sys_enter"), so will find in
175 * augmented_args_tmp what was read by that raw_syscalls:sys_enter and go
176 * on from there, reading the first syscall arg as a string, i.e. open's
179 SEC("tp/syscalls/sys_enter_connect")
180 int sys_enter_connect(struct syscall_enter_args *args)
182 struct augmented_args_payload *augmented_args = augmented_args_payload();
183 const void *sockaddr_arg = (const void *)args->args[1];
184 unsigned int socklen = args->args[2];
185 unsigned int len = sizeof(augmented_args->args);
187 if (augmented_args == NULL)
188 return 1; /* Failure: don't filter */
190 if (socklen > sizeof(augmented_args->saddr))
191 socklen = sizeof(augmented_args->saddr);
193 bpf_probe_read(&augmented_args->saddr, socklen, sockaddr_arg);
195 return augmented__output(args, augmented_args, len + socklen);
198 SEC("tp/syscalls/sys_enter_sendto")
199 int sys_enter_sendto(struct syscall_enter_args *args)
201 struct augmented_args_payload *augmented_args = augmented_args_payload();
202 const void *sockaddr_arg = (const void *)args->args[4];
203 unsigned int socklen = args->args[5];
204 unsigned int len = sizeof(augmented_args->args);
206 if (augmented_args == NULL)
207 return 1; /* Failure: don't filter */
209 if (socklen > sizeof(augmented_args->saddr))
210 socklen = sizeof(augmented_args->saddr);
212 bpf_probe_read(&augmented_args->saddr, socklen, sockaddr_arg);
214 return augmented__output(args, augmented_args, len + socklen);
217 SEC("tp/syscalls/sys_enter_open")
218 int sys_enter_open(struct syscall_enter_args *args)
220 struct augmented_args_payload *augmented_args = augmented_args_payload();
221 const void *filename_arg = (const void *)args->args[0];
222 unsigned int len = sizeof(augmented_args->args);
224 if (augmented_args == NULL)
225 return 1; /* Failure: don't filter */
227 len += augmented_arg__read_str(&augmented_args->arg, filename_arg, sizeof(augmented_args->arg.value));
229 return augmented__output(args, augmented_args, len);
232 SEC("tp/syscalls/sys_enter_openat")
233 int sys_enter_openat(struct syscall_enter_args *args)
235 struct augmented_args_payload *augmented_args = augmented_args_payload();
236 const void *filename_arg = (const void *)args->args[1];
237 unsigned int len = sizeof(augmented_args->args);
239 if (augmented_args == NULL)
240 return 1; /* Failure: don't filter */
242 len += augmented_arg__read_str(&augmented_args->arg, filename_arg, sizeof(augmented_args->arg.value));
244 return augmented__output(args, augmented_args, len);
247 SEC("tp/syscalls/sys_enter_rename")
248 int sys_enter_rename(struct syscall_enter_args *args)
250 struct augmented_args_payload *augmented_args = augmented_args_payload();
251 const void *oldpath_arg = (const void *)args->args[0],
252 *newpath_arg = (const void *)args->args[1];
253 unsigned int len = sizeof(augmented_args->args), oldpath_len;
255 if (augmented_args == NULL)
256 return 1; /* Failure: don't filter */
258 oldpath_len = augmented_arg__read_str(&augmented_args->arg, oldpath_arg, sizeof(augmented_args->arg.value));
259 len += oldpath_len + augmented_arg__read_str((void *)(&augmented_args->arg) + oldpath_len, newpath_arg, sizeof(augmented_args->arg.value));
261 return augmented__output(args, augmented_args, len);
264 SEC("tp/syscalls/sys_enter_renameat")
265 int sys_enter_renameat(struct syscall_enter_args *args)
267 struct augmented_args_payload *augmented_args = augmented_args_payload();
268 const void *oldpath_arg = (const void *)args->args[1],
269 *newpath_arg = (const void *)args->args[3];
270 unsigned int len = sizeof(augmented_args->args), oldpath_len;
272 if (augmented_args == NULL)
273 return 1; /* Failure: don't filter */
275 oldpath_len = augmented_arg__read_str(&augmented_args->arg, oldpath_arg, sizeof(augmented_args->arg.value));
276 len += oldpath_len + augmented_arg__read_str((void *)(&augmented_args->arg) + oldpath_len, newpath_arg, sizeof(augmented_args->arg.value));
278 return augmented__output(args, augmented_args, len);
281 #define PERF_ATTR_SIZE_VER0 64 /* sizeof first published struct */
283 // we need just the start, get the size to then copy it
284 struct perf_event_attr_size {
287 * Size of the attr structure, for fwd/bwd compat.
292 SEC("tp/syscalls/sys_enter_perf_event_open")
293 int sys_enter_perf_event_open(struct syscall_enter_args *args)
295 struct augmented_args_payload *augmented_args = augmented_args_payload();
296 const struct perf_event_attr_size *attr = (const struct perf_event_attr_size *)args->args[0], *attr_read;
297 unsigned int len = sizeof(augmented_args->args);
299 if (augmented_args == NULL)
302 if (bpf_probe_read(&augmented_args->__data, sizeof(*attr), attr) < 0)
305 attr_read = (const struct perf_event_attr_size *)augmented_args->__data;
307 __u32 size = attr_read->size;
310 size = PERF_ATTR_SIZE_VER0;
312 if (size > sizeof(augmented_args->__data))
315 // Now that we read attr->size and tested it against the size limits, read it completely
316 if (bpf_probe_read(&augmented_args->__data, size, attr) < 0)
319 return augmented__output(args, augmented_args, len + size);
321 return 1; /* Failure: don't filter */
324 SEC("tp/syscalls/sys_enter_clock_nanosleep")
325 int sys_enter_clock_nanosleep(struct syscall_enter_args *args)
327 struct augmented_args_payload *augmented_args = augmented_args_payload();
328 const void *rqtp_arg = (const void *)args->args[2];
329 unsigned int len = sizeof(augmented_args->args);
330 __u32 size = sizeof(struct timespec64);
332 if (augmented_args == NULL)
335 if (size > sizeof(augmented_args->__data))
338 bpf_probe_read(&augmented_args->__data, size, rqtp_arg);
340 return augmented__output(args, augmented_args, len + size);
342 return 1; /* Failure: don't filter */
345 static pid_t getpid(void)
347 return bpf_get_current_pid_tgid();
350 static bool pid_filter__has(struct pids_filtered *pids, pid_t pid)
352 return bpf_map_lookup_elem(pids, &pid) != NULL;
355 SEC("tp/raw_syscalls/sys_enter")
356 int sys_enter(struct syscall_enter_args *args)
358 struct augmented_args_payload *augmented_args;
360 * We start len, the amount of data that will be in the perf ring
361 * buffer, if this is not filtered out by one of pid_filter__has(),
362 * syscall->enabled, etc, with the non-augmented raw syscall payload,
363 * i.e. sizeof(augmented_args->args).
365 * We'll add to this as we add augmented syscalls right after that
366 * initial, non-augmented raw_syscalls:sys_enter payload.
369 if (pid_filter__has(&pids_filtered, getpid()))
372 augmented_args = augmented_args_payload();
373 if (augmented_args == NULL)
376 bpf_probe_read(&augmented_args->args, sizeof(augmented_args->args), args);
379 * Jump to syscall specific augmenter, even if the default one,
380 * "!raw_syscalls:unaugmented" that will just return 1 to return the
381 * unaugmented tracepoint payload.
383 bpf_tail_call(args, &syscalls_sys_enter, augmented_args->args.syscall_nr);
385 // If not found on the PROG_ARRAY syscalls map, then we're filtering it:
389 SEC("tp/raw_syscalls/sys_exit")
390 int sys_exit(struct syscall_exit_args *args)
392 struct syscall_exit_args exit_args;
394 if (pid_filter__has(&pids_filtered, getpid()))
397 bpf_probe_read(&exit_args, sizeof(exit_args), args);
399 * Jump to syscall specific return augmenter, even if the default one,
400 * "!raw_syscalls:unaugmented" that will just return 1 to return the
401 * unaugmented tracepoint payload.
403 bpf_tail_call(args, &syscalls_sys_exit, exit_args.syscall_nr);
405 * If not found on the PROG_ARRAY syscalls map, then we're filtering it:
410 char _license[] SEC("license") = "GPL";