1 #include "vmlinux.h"
2 #include <bpf/bpf_helpers.h>
3 #include <bpf/bpf_tracing.h>
4 #include <bpf/bpf_core_read.h>
5 #include "commargv.h"
/*
 * Ring buffer on which every observed execve() is published as one
 * struct comm_event. 256 KiB of buffer space; when it is full the
 * tracepoint handler drops the event instead of blocking.
 */
struct {
	__uint(max_entries, 1 << 18);	/* 256 * 1024 bytes */
	__uint(type, BPF_MAP_TYPE_RINGBUF);
} comms SEC(".maps");
/*
 * View of the syscalls/sys_enter_execve tracepoint context as this program
 * uses it: only the second syscall argument (argv) is ever read.
 *
 * The 24-byte prefix stands in for everything that precedes argv in the
 * tracepoint record — presumably the common trace_entry header, the
 * syscall number plus padding, and args[0] (the filename); it is never
 * accessed here. NOTE(review): the offset is not checked anywhere in this
 * file — verify it against
 * /sys/kernel/tracing/events/syscalls/sys_enter_execve/format on the
 * kernels you deploy to, since a wrong offset silently logs the wrong field.
 */
struct syscalls_enter_exec_args {
	char bb[24];	/* unused padding: fields preceding argv */
	char **argv;	/* user-space pointer to the NULL-terminated argv vector */
};
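/*
 * Handler for the syscalls/sys_enter_execve tracepoint.
 *
 * Reserves one struct comm_event on the "comms" ring buffer, records the
 * calling process id and up to MAXPN argv strings copied from user memory,
 * and submits the event. Returns 0 in every case; a full ring buffer
 * drops the event silently rather than stalling the syscall.
 *
 * NOTE(review): at sys_enter the argument strings still live in user
 * memory and have not yet been copied by the kernel, so another thread of
 * the caller could alter them between this snapshot and the actual exec;
 * if a tamper-resistant record of what ran is required, consider the
 * sched_process_exec tracepoint instead. The consumer also cannot tell a
 * vector of exactly MAXPN entries from a truncated longer one.
 */
SEC("tp/syscalls/sys_enter_execve")
int trace_enter_execve(struct syscalls_enter_exec_args *ctx)
{
	struct comm_event *event = bpf_ringbuf_reserve(&comms, sizeof(*event), 0);
	if (!event)
		return 0;	/* ring buffer full: drop this event */

	/* Upper 32 bits of the helper result are the tgid, i.e. the userspace PID. */
	event->pid = bpf_get_current_pid_tgid() >> 32;

	/*
	 * argv is a user-space pointer; each element and each string must be
	 * fetched through a probe helper. Typed indexing replaces the previous
	 * arithmetic on a void * (a GNU extension, not standard C).
	 */
	char **uargv = ctx->argv;
	int i;
	/* Kept from the original; presumably so the verifier sees a constant-trip loop. */
#pragma unroll
	for (i = 0; i < MAXPN; i++) {
		char *arg = NULL;
		/* A failed pointer read, or the terminating NULL entry, ends the vector. */
		if (bpf_probe_read_user(&arg, sizeof(arg), &uargv[i]) < 0 || !arg)
			break;
		/*
		 * Bounded, NUL-terminated copy into the event's fixed-size slot;
		 * negative on fault. The failed slot is not counted in event->n.
		 */
		if (bpf_probe_read_user_str(event->argv[i], sizeof(event->argv[i]), arg) < 0)
			break;
	}

	/* Number of argv slots successfully filled (0..MAXPN). */
	event->n = i;
	bpf_ringbuf_submit(event, 0);
	return 0;
}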
/*
 * License string read by the loader. NOTE(review): the probe-read helpers
 * used above are believed to be GPL-only, so changing this value would be
 * expected to make the program fail to load rather than silently degrade.
 */
char _license[] SEC("license") = "GPL";