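#include "vmlinux.h"
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include "commargv.h"

/* Ring buffer that carries one struct comm_event per execve() entry to the
 * user-space consumer. struct comm_event and MAXPN come from commargv.h. */
struct {
	__uint(type, BPF_MAP_TYPE_RINGBUF);
	__uint(max_entries, 256 * 1024);
} comms SEC(".maps");

/*
 * Hand-laid view of the sys_enter_execve tracepoint context. The first 24
 * bytes are skipped so that `argv` lines up with the tracepoint's argv
 * pointer (presumably the common trace header, __syscall_nr and the
 * filename pointer precede it — confirm against the tracepoint's format
 * file under tracefs before relying on this layout on another kernel).
 */
struct syscalls_enter_exec_args {
	char bb[24];
	char **argv;
};

/*
 * Tracepoint handler for syscalls/sys_enter_execve.
 *
 * Reserves a comm_event in the `comms` ring buffer, records the calling
 * process's TGID and copies up to MAXPN argv strings from user memory,
 * then submits the event. Returns 0 in every case, including when the
 * ring buffer is full and the event is dropped.
 *
 * Fidelity caveats for the consumer:
 *  - argv is read from the caller's address space at syscall entry, not
 *    from the copy the kernel makes while performing the exec, so it is a
 *    best-effort snapshot rather than an authoritative record.
 *  - Argument lists longer than MAXPN entries are cut off at MAXPN, and an
 *    argument that does not fit in event->argv[i] is truncated by
 *    bpf_probe_read_user_str. comm_event has no field to flag either
 *    condition, so event->n == MAXPN should be read as "at least MAXPN".
 *  - Slots at index >= event->n are left uninitialised (ring buffer memory
 *    is not zeroed on reserve); only the first event->n entries are valid.
 */
SEC("tp/syscalls/sys_enter_execve")
int trace_enter_execve(struct syscalls_enter_exec_args *ctx)
{
	struct comm_event *event;

	event = bpf_ringbuf_reserve(&comms, sizeof(*event), 0);
	if (!event)
		return 0; /* ring buffer full: drop this event */

	/* The upper 32 bits of pid_tgid hold the TGID, i.e. the user-visible PID. */
	event->pid = bpf_get_current_pid_tgid() >> 32;

	/* Walk the user-space argv array one pointer at a time. A typed pointer
	 * replaces the original `void *` arithmetic, which is a GNU extension. */
	char **argp = ctx->argv;
	int i;
#pragma unroll
	for (i = 0; i < MAXPN; i++) {
		char *arg = NULL;
		long len;

		/* An unreadable pointer slot or the terminating NULL both end the list. */
		if (bpf_probe_read_user(&arg, sizeof(arg), argp) < 0 || !arg)
			break;

		len = bpf_probe_read_user_str(event->argv[i], sizeof(event->argv[i]), arg);
		if (len < 0)
			break; /* unreadable argument string: slot i is not counted */

		argp++;
	}

	/* Number of argv slots that were successfully copied (0..MAXPN). */
	event->n = i;
	bpf_ringbuf_submit(event, 0);
	return 0;
}

char _license[] SEC("license") = "GPL";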