// SPDX-License-Identifier: GPL-2.0
/*
 * Augment the filename syscalls with the contents of the filename pointer argument,
 * filtering out those that do not start with /etc/.
 *
 * Test it with:
 *
 * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
 *
 * (NOTE(review): the example above names augmented_syscalls.c; for this file the
 * intended argument is presumably its own path -- confirm.)
 *
 * It'll catch some openat syscalls related to the dynamic linker and
 * the last one should be the one for '/etc/passwd'.
 *
 * This matches what is marshalled into the raw_syscall:sys_enter payload
 * expected by the 'perf trace' beautifiers, and can be used by them unmodified,
 * which will be done as that feature is implemented in the next csets, for now
 * it will appear in a dump done by the default tracepoint handler in 'perf trace',
 * that uses bpf_output__fprintf() to just dump those contents, as done with
 * the bpf-output event associated with the __bpf_output__ map declared in
 * tools/perf/include/bpf/stdio.h.
 */

/* The perf BPF stdio.h named above (bpf_map, probe_read*, perf_event_output,
 * license), not the C library header -- verify the include path. */
#include <stdio.h>

/* bpf-output associated map: one perf-event ring per CPU, written with
 * BPF_F_CURRENT_CPU below. */
bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__);

/*
 * Payload appended after the raw tracepoint arguments.
 *
 * size:     whatever probe_read_str() returned for the copy into value[]
 *           (the number of bytes copied on success; a negative error is NOT
 *           filtered out before it is used in the length arithmetic below --
 *           TODO confirm the helper's failure contract and add a check).
 * reserved: explicitly zeroed, padding/alignment only.
 * value:    the copied filename; 64 bytes, so longer names are truncated.
 */
struct augmented_filename {
	int size;
	int reserved;
	char value[64];
};

/*
 * Expands, for one syscall name, to (a) the augmented argument struct
 * (raw tracepoint args followed by the filename payload) and (b) the
 * syscall_enter_<syscall> handler that fills it and emits it to
 * __augmented_syscalls__.
 *
 * Return value: 0 when the event is dropped (filename not under /etc),
 * otherwise the result of perf_event_output(); per the comment in the body
 * a non-zero result is meant to make the caller record the syscall unaugmented.
 *
 * The struct syscall_enter_<syscall>_args type must already exist and carry
 * a filename_ptr member (see the two definitions further down).
 */
#define augmented_filename_syscall_enter(syscall) \
struct augmented_enter_##syscall##_args { \
	struct syscall_enter_##syscall##_args args; \
	struct augmented_filename filename; \
}; \
int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \
{ \
	char etc[6] = "/etc/"; \
	/* Designated initializer zero-fills the rest, so value[] starts zeroed */ \
	struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; \
	/* Raw copy of the tracepoint arguments; its return value is not checked */ \
	probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \
	/* Copies the user pointer's string, bounded by sizeof(value) */ \
	augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, \
						      sizeof(augmented_args.filename.value), \
						      args->filename_ptr); \
	/* NOTE(review): only 4 bytes ("/etc") are compared although etc[] holds "/etc/", \
	 * so names such as "/etcX" also pass; comparing 5 bytes would require the full \
	 * "/etc/" prefix that the header comment describes. */ \
	if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0) \
		return 0; \
	/* Emitted length = everything before value[] plus the bytes actually copied, \
	 * so the record is not padded out to the full 64-byte buffer.  A negative \
	 * filename.size (probe_read_str failure) would corrupt this length -- \
	 * TODO confirm and guard. */ \
	/* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \
	return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \
				 &augmented_args, \
				 (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \
				  augmented_args.filename.size)); \
}

/*
 * Raw layout of the sys_enter_openat tracepoint arguments as probe_read()
 * copies them: field order and widths must match the kernel's tracepoint
 * format (presumably common_tp_fields covers the common header; verify against
 * the tracepoint's format file).
 */
struct syscall_enter_openat_args {
	unsigned long long common_tp_fields;
	long syscall_nr;
	long dfd;
	char *filename_ptr;
	long flags;
	long mode;
};

/* Defines struct augmented_enter_openat_args and syscall_enter_openat() */
augmented_filename_syscall_enter(openat);

/* Same as above for sys_enter_open, which has no dfd field. */
struct syscall_enter_open_args {
	unsigned long long common_tp_fields;
	long syscall_nr;
	char *filename_ptr;
	long flags;
	long mode;
};

/* Defines struct augmented_enter_open_args and syscall_enter_open() */
augmented_filename_syscall_enter(open);

/* License section of the BPF object (provided by the perf BPF headers). */
license(GPL);