// SPDX-License-Identifier: GPL-2.0
/*
 * Augment the filename syscalls with the contents of the filename pointer argument,
 * filtering out those whose filename does not start with /etc/.
 *
 * Test it with:
 *
 * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
 *
 * It'll catch some openat syscalls related to the dynamic linker and
 * the last one should be the one for '/etc/passwd'.
 *
 * This matches what is marshalled into the raw_syscall:sys_enter payload
 * expected by the 'perf trace' beautifiers, and can be used by them unmodified,
 * which will be done as that feature is implemented in the next csets. For now
 * it will appear in a dump done by the default tracepoint handler in 'perf trace',
 * which uses bpf_output__fprintf() to just dump those contents, as done with
 * the bpf-output event associated with the __bpf_output__ map declared in
 * tools/perf/include/bpf/stdio.h.
 */
#include <stdio.h>

/*
 * bpf-output associated map: the PERF_EVENT_ARRAY that the enter handlers
 * below hand to perf_event_output() to emit the augmented payloads.
 * NOTE(review): the trailing arguments are presumably key type, value type
 * and entry count (one slot per CPU via __NR_CPUS__) - confirm against the
 * bpf_map() definition in the perf BPF headers.
 */
bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__);
/*
 * Filename payload placed after the raw syscall arguments in each
 * augmented event emitted by the enter handlers.
 */
struct augmented_filename {
	int	size;		/* return value of probe_read_str() on the filename */
	int	reserved;	/* explicitly zeroed by the handler's initializer */
	char	value[64];	/* copy of the filename string, bounded to 64 bytes */
};
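/*
 * augmented_filename_syscall_enter(syscall) - define the enter handler for a
 * syscall whose arguments include a filename pointer.
 *
 * Expects struct syscall_enter_<syscall>_args, with a filename_ptr member, to
 * be declared before the macro is used. It defines:
 *
 *  - struct augmented_enter_<syscall>_args: the raw arguments followed by a
 *    struct augmented_filename;
 *  - the syscall_enter(<syscall>) handler, which copies the raw arguments and
 *    at most sizeof(filename.value) bytes of the filename string, then emits
 *    both through the __augmented_syscalls__ map. Only the used part of
 *    filename.value is included in the emitted length.
 *
 * Return: 0 when the filename could not be read or fails the prefix check
 * (per the file header, such events are filtered out); otherwise the return
 * value of perf_event_output().
 *
 * filename_ptr is a syscall argument, so the string is only ever copied with
 * probe_read_str() into the fixed-size buffer, and the helper's return value
 * is checked before it is used: a negative (error) value added to the
 * unsigned sizeof() terms would otherwise turn into a bogus output length.
 *
 * NOTE(review): only the first 4 bytes ("/etc") are compared, so a name such
 * as "/etcfoo" also passes, while the file header says "/etc/". Confirm
 * whether the 4-byte compare is deliberate before widening it.
 */
#define augmented_filename_syscall_enter(syscall)						\
struct augmented_enter_##syscall##_args {							\
	struct syscall_enter_##syscall##_args	args;						\
	struct augmented_filename		filename;					\
};												\
int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args)				\
{												\
	char etc[6] = "/etc/";									\
	struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, };	\
	probe_read(&augmented_args.args, sizeof(augmented_args.args), args);			\
	augmented_args.filename.size = probe_read_str(&augmented_args.filename.value,		\
						      sizeof(augmented_args.filename.value),	\
						      args->filename_ptr);			\
	/* A negative size means the read failed: never fold it into the output length */	\
	if (augmented_args.filename.size < 0)							\
		return 0;									\
	if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0)			\
		return 0;									\
	/* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */	\
	return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU,		\
				 &augmented_args,						\
				 (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \
				 augmented_args.filename.size));				\
}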
/*
 * Argument record handed to the openat enter handler.
 * NOTE(review): presumably mirrors the layout of the sys_enter_openat
 * tracepoint - confirm the field order and sizes against the tracepoint
 * format on the target kernel.
 */
struct syscall_enter_openat_args {
	unsigned long long common_tp_fields;
	long		   syscall_nr;
	long		   dfd;
	char		   *filename_ptr;	/* read by the handler via probe_read_str() only */
	long		   flags;
	long		   mode;
};

/* Defines struct augmented_enter_openat_args and the openat enter handler. */
augmented_filename_syscall_enter(openat);
/*
 * Argument record handed to the open enter handler; same as the openat
 * record except that it has no dfd member.
 * NOTE(review): presumably mirrors the layout of the sys_enter_open
 * tracepoint - confirm the field order and sizes against the tracepoint
 * format on the target kernel.
 */
struct syscall_enter_open_args {
	unsigned long long common_tp_fields;
	long		   syscall_nr;
	char		   *filename_ptr;	/* read by the handler via probe_read_str() only */
	long		   flags;
	long		   mode;
};

/* Defines struct augmented_enter_open_args and the open enter handler. */
augmented_filename_syscall_enter(open);
/* NOTE(review): presumably declares the program's license (GPL) through the perf BPF headers - confirm. */
license(GPL);