1*10599214SDavid Wang #include "vmlinux.h"
2*10599214SDavid Wang #include <bpf/bpf_helpers.h>
3*10599214SDavid Wang #include <bpf/bpf_tracing.h>
4*10599214SDavid Wang #include <bpf/bpf_core_read.h>
5*10599214SDavid Wang #include "commargv.h"
6*10599214SDavid Wang
/*
 * Ring buffer that carries one comm_event record (presumably declared in
 * commargv.h) per execve call to the user-space reader.  max_entries is
 * the buffer size in bytes (256 KiB); when it is full bpf_ringbuf_reserve()
 * returns NULL and the tracepoint handler below silently drops the event,
 * so a consumer that needs completeness should watch for such drops.
 */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024);
} comms SEC(".maps");
11*10599214SDavid Wang
12*10599214SDavid Wang
/*
 * View of the sys_enter_execve tracepoint context as used by this program.
 * Only argv is accessed; `bb` skips the first 24 bytes (presumably the
 * common tracepoint header, the syscall number and the filename pointer --
 * verify against the tracepoint's "format" file, since a layout mismatch
 * would make the handler dereference the wrong field without any error).
 */
struct syscalls_enter_exec_args {
    char bb[24];
    char ** argv;   /* user-space pointer to the caller's NULL-terminated argv[] */
};
17*10599214SDavid Wang
18*10599214SDavid Wang
SEC("tp/syscalls/sys_enter_execve")
int trace_enter_execve(struct syscalls_enter_exec_args *ctx)
{
    /*
     * Tracepoint handler for execve syscall entry: copies up to MAXPN argv
     * strings of the calling task into a comm_event record on the "comms"
     * ring buffer and sets event->n to the number of strings copied.
     * Always returns 0 (a full ring buffer just drops the event).
     *
     * Every pointer and string here is read from the *caller's* user memory
     * with bpf_probe_read_user*, so the contents are fully controlled by the
     * traced process and may contain anything (control characters, bogus
     * pointers, strings longer than the record field).  They are also read
     * at syscall entry, before the kernel has copied argv itself, so nothing
     * guarantees they still match what ends up executed.  Consumers should
     * treat argv[0..n-1] as indicative, untrusted data and sanitize it
     * before logging or matching on it.
     */
    struct comm_event *event;
    event = bpf_ringbuf_reserve(&comms, sizeof(*event), 0);
    if (!event) return 0;   /* ring buffer full: drop this event */
    /* upper 32 bits of pid_tgid are the tgid, i.e. the user-visible pid */
    event->pid = bpf_get_current_pid_tgid() >> 32;
    int i, n;
    char *args=NULL;
    void *p = ctx->argv;    /* walks the user-space argv[] pointer array */
#pragma unroll
    for (i=0; i<MAXPN; i++) {
        /* reset before the read: if bpf_probe_read_user faults, args stays
         * NULL and the loop stops instead of using a stale pointer */
        args = NULL;
        bpf_probe_read_user(&args, sizeof(args), p);
        if (args==NULL) break;  /* end of the NULL-terminated argv[] */
        /* bounded copy, NUL-terminated on success; negative on fault, in
         * which case argv[i] is not counted (loop exits before i advances) */
        n = bpf_probe_read_user_str((void*)(event->argv[i]), sizeof(event->argv[i]), (void*)args);
        if (n<0) break;
        p += sizeof(char *);    /* arithmetic on void*: GNU/clang extension */
    }

    /* i == number of fully copied strings.  Entries at index >= i, and the
     * bytes past each string's NUL, are never written by this handler and
     * hold whatever the ring buffer memory contained, so consumers must
     * only read argv[0..n-1] and only up to the terminating NUL. */
    event->n = i;
    bpf_ringbuf_submit(event, 0);
    return 0;
}
43*10599214SDavid Wang
44*10599214SDavid Wang
/* Program license as seen by the kernel at load time; GPL-only helpers are
 * refused under any other license string, so this line is load-bearing. */
char _license[] SEC("license") = "GPL";