1 // SPDX-License-Identifier: GPL-2.0
2 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */
5 #include <bpf/bpf_helpers.h>
7 char _license[] SEC("license") = "GPL";
10 __uint(type, BPF_MAP_TYPE_HASH);
11 __uint(max_entries, 1);
14 } hash_map SEC(".maps");
17 __uint(type, BPF_MAP_TYPE_STACK);
18 __uint(max_entries, 1);
20 } stack_map SEC(".maps");
23 __uint(type, BPF_MAP_TYPE_ARRAY);
24 __uint(max_entries, 1);
27 } array_map SEC(".maps");
29 const volatile pid_t pid;
32 static u64 callback(u64 map, u64 key, u64 val, u64 ctx, u64 flags)
37 SEC("tp/syscalls/sys_enter_getpid")
38 int map_update(void *ctx)
43 if (pid != (bpf_get_current_pid_tgid() >> 32))
46 err = bpf_map_update_elem(&hash_map, &key, &val, BPF_NOEXIST);
51 SEC("tp/syscalls/sys_enter_getppid")
52 int map_delete(void *ctx)
56 if (pid != (bpf_get_current_pid_tgid() >> 32))
59 err = bpf_map_delete_elem(&hash_map, &key);
64 SEC("tp/syscalls/sys_enter_getuid")
65 int map_push(void *ctx)
69 if (pid != (bpf_get_current_pid_tgid() >> 32))
72 err = bpf_map_push_elem(&stack_map, &val, 0);
77 SEC("tp/syscalls/sys_enter_geteuid")
78 int map_pop(void *ctx)
82 if (pid != (bpf_get_current_pid_tgid() >> 32))
85 err = bpf_map_pop_elem(&stack_map, &val);
90 SEC("tp/syscalls/sys_enter_getgid")
91 int map_peek(void *ctx)
95 if (pid != (bpf_get_current_pid_tgid() >> 32))
98 err = bpf_map_peek_elem(&stack_map, &val);
103 SEC("tp/syscalls/sys_enter_gettid")
104 int map_for_each_pass(void *ctx)
111 if (pid != (bpf_get_current_pid_tgid() >> 32))
114 bpf_map_update_elem(&array_map, &key, &val, flags);
116 err = bpf_for_each_map_elem(&array_map, callback, &callback_ctx, flags);
121 SEC("tp/syscalls/sys_enter_getpgid")
122 int map_for_each_fail(void *ctx)
126 const u64 flags = BPF_NOEXIST;
129 if (pid != (bpf_get_current_pid_tgid() >> 32))
132 bpf_map_update_elem(&array_map, &key, &val, flags);
134 /* calling for_each with non-zero flags will return error */
135 err = bpf_for_each_map_elem(&array_map, callback, &callback_ctx, flags);