18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0 28c2ecf20Sopenharmony_ci/* Copyright (c) 2020 Facebook */ 38c2ecf20Sopenharmony_ci#include <vmlinux.h> 48c2ecf20Sopenharmony_ci#include <bpf/bpf_core_read.h> 58c2ecf20Sopenharmony_ci#include <bpf/bpf_helpers.h> 68c2ecf20Sopenharmony_ci#include <bpf/bpf_tracing.h> 78c2ecf20Sopenharmony_ci 88c2ecf20Sopenharmony_ci#include "profiler.h" 98c2ecf20Sopenharmony_ci 108c2ecf20Sopenharmony_ci#ifndef NULL 118c2ecf20Sopenharmony_ci#define NULL 0 128c2ecf20Sopenharmony_ci#endif 138c2ecf20Sopenharmony_ci 148c2ecf20Sopenharmony_ci#define O_WRONLY 00000001 158c2ecf20Sopenharmony_ci#define O_RDWR 00000002 168c2ecf20Sopenharmony_ci#define O_DIRECTORY 00200000 178c2ecf20Sopenharmony_ci#define __O_TMPFILE 020000000 188c2ecf20Sopenharmony_ci#define O_TMPFILE (__O_TMPFILE | O_DIRECTORY) 198c2ecf20Sopenharmony_ci#define MAX_ERRNO 4095 208c2ecf20Sopenharmony_ci#define S_IFMT 00170000 218c2ecf20Sopenharmony_ci#define S_IFSOCK 0140000 228c2ecf20Sopenharmony_ci#define S_IFLNK 0120000 238c2ecf20Sopenharmony_ci#define S_IFREG 0100000 248c2ecf20Sopenharmony_ci#define S_IFBLK 0060000 258c2ecf20Sopenharmony_ci#define S_IFDIR 0040000 268c2ecf20Sopenharmony_ci#define S_IFCHR 0020000 278c2ecf20Sopenharmony_ci#define S_IFIFO 0010000 288c2ecf20Sopenharmony_ci#define S_ISUID 0004000 298c2ecf20Sopenharmony_ci#define S_ISGID 0002000 308c2ecf20Sopenharmony_ci#define S_ISVTX 0001000 318c2ecf20Sopenharmony_ci#define S_ISLNK(m) (((m)&S_IFMT) == S_IFLNK) 328c2ecf20Sopenharmony_ci#define S_ISDIR(m) (((m)&S_IFMT) == S_IFDIR) 338c2ecf20Sopenharmony_ci#define S_ISCHR(m) (((m)&S_IFMT) == S_IFCHR) 348c2ecf20Sopenharmony_ci#define S_ISBLK(m) (((m)&S_IFMT) == S_IFBLK) 358c2ecf20Sopenharmony_ci#define S_ISFIFO(m) (((m)&S_IFMT) == S_IFIFO) 368c2ecf20Sopenharmony_ci#define S_ISSOCK(m) (((m)&S_IFMT) == S_IFSOCK) 378c2ecf20Sopenharmony_ci#define IS_ERR_VALUE(x) (unsigned long)(void*)(x) >= (unsigned long)-MAX_ERRNO 388c2ecf20Sopenharmony_ci 398c2ecf20Sopenharmony_ci#define KILL_DATA_ARRAY_SIZE 8 408c2ecf20Sopenharmony_ci 418c2ecf20Sopenharmony_cistruct var_kill_data_arr_t { 428c2ecf20Sopenharmony_ci struct var_kill_data_t array[KILL_DATA_ARRAY_SIZE]; 438c2ecf20Sopenharmony_ci}; 448c2ecf20Sopenharmony_ci 458c2ecf20Sopenharmony_ciunion any_profiler_data_t { 468c2ecf20Sopenharmony_ci struct var_exec_data_t var_exec; 478c2ecf20Sopenharmony_ci struct var_kill_data_t var_kill; 488c2ecf20Sopenharmony_ci struct var_sysctl_data_t var_sysctl; 498c2ecf20Sopenharmony_ci struct var_filemod_data_t var_filemod; 508c2ecf20Sopenharmony_ci struct var_fork_data_t var_fork; 518c2ecf20Sopenharmony_ci struct var_kill_data_arr_t var_kill_data_arr; 528c2ecf20Sopenharmony_ci}; 538c2ecf20Sopenharmony_ci 548c2ecf20Sopenharmony_civolatile struct profiler_config_struct bpf_config = {}; 558c2ecf20Sopenharmony_ci 568c2ecf20Sopenharmony_ci#define FETCH_CGROUPS_FROM_BPF (bpf_config.fetch_cgroups_from_bpf) 578c2ecf20Sopenharmony_ci#define CGROUP_FS_INODE (bpf_config.cgroup_fs_inode) 588c2ecf20Sopenharmony_ci#define CGROUP_LOGIN_SESSION_INODE \ 598c2ecf20Sopenharmony_ci (bpf_config.cgroup_login_session_inode) 608c2ecf20Sopenharmony_ci#define KILL_SIGNALS (bpf_config.kill_signals_mask) 618c2ecf20Sopenharmony_ci#define STALE_INFO (bpf_config.stale_info_secs) 628c2ecf20Sopenharmony_ci#define INODE_FILTER (bpf_config.inode_filter) 638c2ecf20Sopenharmony_ci#define READ_ENVIRON_FROM_EXEC (bpf_config.read_environ_from_exec) 648c2ecf20Sopenharmony_ci#define ENABLE_CGROUP_V1_RESOLVER (bpf_config.enable_cgroup_v1_resolver) 658c2ecf20Sopenharmony_ci 668c2ecf20Sopenharmony_cistruct kernfs_iattrs___52 { 678c2ecf20Sopenharmony_ci struct iattr ia_iattr; 688c2ecf20Sopenharmony_ci}; 698c2ecf20Sopenharmony_ci 708c2ecf20Sopenharmony_cistruct kernfs_node___52 { 718c2ecf20Sopenharmony_ci union /* kernfs_node_id */ { 728c2ecf20Sopenharmony_ci struct { 738c2ecf20Sopenharmony_ci u32 ino; 748c2ecf20Sopenharmony_ci u32 generation; 758c2ecf20Sopenharmony_ci }; 768c2ecf20Sopenharmony_ci u64 id; 778c2ecf20Sopenharmony_ci } id; 788c2ecf20Sopenharmony_ci}; 798c2ecf20Sopenharmony_ci 808c2ecf20Sopenharmony_cistruct { 818c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); 828c2ecf20Sopenharmony_ci __uint(max_entries, 1); 838c2ecf20Sopenharmony_ci __type(key, u32); 848c2ecf20Sopenharmony_ci __type(value, union any_profiler_data_t); 858c2ecf20Sopenharmony_ci} data_heap SEC(".maps"); 868c2ecf20Sopenharmony_ci 878c2ecf20Sopenharmony_cistruct { 888c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); 898c2ecf20Sopenharmony_ci __uint(key_size, sizeof(int)); 908c2ecf20Sopenharmony_ci __uint(value_size, sizeof(int)); 918c2ecf20Sopenharmony_ci} events SEC(".maps"); 928c2ecf20Sopenharmony_ci 938c2ecf20Sopenharmony_cistruct { 948c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH); 958c2ecf20Sopenharmony_ci __uint(max_entries, KILL_DATA_ARRAY_SIZE); 968c2ecf20Sopenharmony_ci __type(key, u32); 978c2ecf20Sopenharmony_ci __type(value, struct var_kill_data_arr_t); 988c2ecf20Sopenharmony_ci} var_tpid_to_data SEC(".maps"); 998c2ecf20Sopenharmony_ci 1008c2ecf20Sopenharmony_cistruct { 1018c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY); 1028c2ecf20Sopenharmony_ci __uint(max_entries, profiler_bpf_max_function_id); 1038c2ecf20Sopenharmony_ci __type(key, u32); 1048c2ecf20Sopenharmony_ci __type(value, struct bpf_func_stats_data); 1058c2ecf20Sopenharmony_ci} bpf_func_stats SEC(".maps"); 1068c2ecf20Sopenharmony_ci 1078c2ecf20Sopenharmony_cistruct { 1088c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH); 1098c2ecf20Sopenharmony_ci __type(key, u32); 1108c2ecf20Sopenharmony_ci __type(value, bool); 1118c2ecf20Sopenharmony_ci __uint(max_entries, 16); 1128c2ecf20Sopenharmony_ci} allowed_devices SEC(".maps"); 1138c2ecf20Sopenharmony_ci 1148c2ecf20Sopenharmony_cistruct { 1158c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH); 1168c2ecf20Sopenharmony_ci __type(key, u64); 1178c2ecf20Sopenharmony_ci __type(value, bool); 1188c2ecf20Sopenharmony_ci __uint(max_entries, 1024); 1198c2ecf20Sopenharmony_ci} allowed_file_inodes SEC(".maps"); 1208c2ecf20Sopenharmony_ci 1218c2ecf20Sopenharmony_cistruct { 1228c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH); 1238c2ecf20Sopenharmony_ci __type(key, u64); 1248c2ecf20Sopenharmony_ci __type(value, bool); 1258c2ecf20Sopenharmony_ci __uint(max_entries, 1024); 1268c2ecf20Sopenharmony_ci} allowed_directory_inodes SEC(".maps"); 1278c2ecf20Sopenharmony_ci 1288c2ecf20Sopenharmony_cistruct { 1298c2ecf20Sopenharmony_ci __uint(type, BPF_MAP_TYPE_HASH); 1308c2ecf20Sopenharmony_ci __type(key, u32); 1318c2ecf20Sopenharmony_ci __type(value, bool); 1328c2ecf20Sopenharmony_ci __uint(max_entries, 16); 1338c2ecf20Sopenharmony_ci} disallowed_exec_inodes SEC(".maps"); 1348c2ecf20Sopenharmony_ci 1358c2ecf20Sopenharmony_ci#ifndef ARRAY_SIZE 1368c2ecf20Sopenharmony_ci#define ARRAY_SIZE(arr) (sizeof(arr) / sizeof(arr[0])) 1378c2ecf20Sopenharmony_ci#endif 1388c2ecf20Sopenharmony_ci 1398c2ecf20Sopenharmony_cistatic INLINE bool IS_ERR(const void* ptr) 1408c2ecf20Sopenharmony_ci{ 1418c2ecf20Sopenharmony_ci return IS_ERR_VALUE((unsigned long)ptr); 1428c2ecf20Sopenharmony_ci} 1438c2ecf20Sopenharmony_ci 1448c2ecf20Sopenharmony_cistatic INLINE u32 get_userspace_pid() 1458c2ecf20Sopenharmony_ci{ 1468c2ecf20Sopenharmony_ci return bpf_get_current_pid_tgid() >> 32; 1478c2ecf20Sopenharmony_ci} 1488c2ecf20Sopenharmony_ci 1498c2ecf20Sopenharmony_cistatic INLINE bool is_init_process(u32 tgid) 1508c2ecf20Sopenharmony_ci{ 1518c2ecf20Sopenharmony_ci return tgid == 1 || tgid == 0; 1528c2ecf20Sopenharmony_ci} 1538c2ecf20Sopenharmony_ci 1548c2ecf20Sopenharmony_cistatic INLINE unsigned long 1558c2ecf20Sopenharmony_ciprobe_read_lim(void* dst, void* src, unsigned long len, unsigned long max) 1568c2ecf20Sopenharmony_ci{ 1578c2ecf20Sopenharmony_ci len = len < max ? len : max; 1588c2ecf20Sopenharmony_ci if (len > 1) { 1598c2ecf20Sopenharmony_ci if (bpf_probe_read(dst, len, src)) 1608c2ecf20Sopenharmony_ci return 0; 1618c2ecf20Sopenharmony_ci } else if (len == 1) { 1628c2ecf20Sopenharmony_ci if (bpf_probe_read(dst, 1, src)) 1638c2ecf20Sopenharmony_ci return 0; 1648c2ecf20Sopenharmony_ci } 1658c2ecf20Sopenharmony_ci return len; 1668c2ecf20Sopenharmony_ci} 1678c2ecf20Sopenharmony_ci 1688c2ecf20Sopenharmony_cistatic INLINE int get_var_spid_index(struct var_kill_data_arr_t* arr_struct, 1698c2ecf20Sopenharmony_ci int spid) 1708c2ecf20Sopenharmony_ci{ 1718c2ecf20Sopenharmony_ci#ifdef UNROLL 1728c2ecf20Sopenharmony_ci#pragma unroll 1738c2ecf20Sopenharmony_ci#endif 1748c2ecf20Sopenharmony_ci for (int i = 0; i < ARRAY_SIZE(arr_struct->array); i++) 1758c2ecf20Sopenharmony_ci if (arr_struct->array[i].meta.pid == spid) 1768c2ecf20Sopenharmony_ci return i; 1778c2ecf20Sopenharmony_ci return -1; 1788c2ecf20Sopenharmony_ci} 1798c2ecf20Sopenharmony_ci 1808c2ecf20Sopenharmony_cistatic INLINE void populate_ancestors(struct task_struct* task, 1818c2ecf20Sopenharmony_ci struct ancestors_data_t* ancestors_data) 1828c2ecf20Sopenharmony_ci{ 1838c2ecf20Sopenharmony_ci struct task_struct* parent = task; 1848c2ecf20Sopenharmony_ci u32 num_ancestors, ppid; 1858c2ecf20Sopenharmony_ci 1868c2ecf20Sopenharmony_ci ancestors_data->num_ancestors = 0; 1878c2ecf20Sopenharmony_ci#ifdef UNROLL 1888c2ecf20Sopenharmony_ci#pragma unroll 1898c2ecf20Sopenharmony_ci#endif 1908c2ecf20Sopenharmony_ci for (num_ancestors = 0; num_ancestors < MAX_ANCESTORS; num_ancestors++) { 1918c2ecf20Sopenharmony_ci parent = BPF_CORE_READ(parent, real_parent); 1928c2ecf20Sopenharmony_ci if (parent == NULL) 1938c2ecf20Sopenharmony_ci break; 1948c2ecf20Sopenharmony_ci ppid = BPF_CORE_READ(parent, tgid); 1958c2ecf20Sopenharmony_ci if (is_init_process(ppid)) 1968c2ecf20Sopenharmony_ci break; 1978c2ecf20Sopenharmony_ci ancestors_data->ancestor_pids[num_ancestors] = ppid; 1988c2ecf20Sopenharmony_ci ancestors_data->ancestor_exec_ids[num_ancestors] = 1998c2ecf20Sopenharmony_ci BPF_CORE_READ(parent, self_exec_id); 2008c2ecf20Sopenharmony_ci ancestors_data->ancestor_start_times[num_ancestors] = 2018c2ecf20Sopenharmony_ci BPF_CORE_READ(parent, start_time); 2028c2ecf20Sopenharmony_ci ancestors_data->num_ancestors = num_ancestors; 2038c2ecf20Sopenharmony_ci } 2048c2ecf20Sopenharmony_ci} 2058c2ecf20Sopenharmony_ci 2068c2ecf20Sopenharmony_cistatic INLINE void* read_full_cgroup_path(struct kernfs_node* cgroup_node, 2078c2ecf20Sopenharmony_ci struct kernfs_node* cgroup_root_node, 2088c2ecf20Sopenharmony_ci void* payload, 2098c2ecf20Sopenharmony_ci int* root_pos) 2108c2ecf20Sopenharmony_ci{ 2118c2ecf20Sopenharmony_ci void* payload_start = payload; 2128c2ecf20Sopenharmony_ci size_t filepart_length; 2138c2ecf20Sopenharmony_ci 2148c2ecf20Sopenharmony_ci#ifdef UNROLL 2158c2ecf20Sopenharmony_ci#pragma unroll 2168c2ecf20Sopenharmony_ci#endif 2178c2ecf20Sopenharmony_ci for (int i = 0; i < MAX_CGROUPS_PATH_DEPTH; i++) { 2188c2ecf20Sopenharmony_ci filepart_length = 2198c2ecf20Sopenharmony_ci bpf_probe_read_str(payload, MAX_PATH, BPF_CORE_READ(cgroup_node, name)); 2208c2ecf20Sopenharmony_ci if (!cgroup_node) 2218c2ecf20Sopenharmony_ci return payload; 2228c2ecf20Sopenharmony_ci if (cgroup_node == cgroup_root_node) 2238c2ecf20Sopenharmony_ci *root_pos = payload - payload_start; 2248c2ecf20Sopenharmony_ci if (filepart_length <= MAX_PATH) { 2258c2ecf20Sopenharmony_ci barrier_var(filepart_length); 2268c2ecf20Sopenharmony_ci payload += filepart_length; 2278c2ecf20Sopenharmony_ci } 2288c2ecf20Sopenharmony_ci cgroup_node = BPF_CORE_READ(cgroup_node, parent); 2298c2ecf20Sopenharmony_ci } 2308c2ecf20Sopenharmony_ci return payload; 2318c2ecf20Sopenharmony_ci} 2328c2ecf20Sopenharmony_ci 2338c2ecf20Sopenharmony_cistatic ino_t get_inode_from_kernfs(struct kernfs_node* node) 2348c2ecf20Sopenharmony_ci{ 2358c2ecf20Sopenharmony_ci struct kernfs_node___52* node52 = (void*)node; 2368c2ecf20Sopenharmony_ci 2378c2ecf20Sopenharmony_ci if (bpf_core_field_exists(node52->id.ino)) { 2388c2ecf20Sopenharmony_ci barrier_var(node52); 2398c2ecf20Sopenharmony_ci return BPF_CORE_READ(node52, id.ino); 2408c2ecf20Sopenharmony_ci } else { 2418c2ecf20Sopenharmony_ci barrier_var(node); 2428c2ecf20Sopenharmony_ci return (u64)BPF_CORE_READ(node, id); 2438c2ecf20Sopenharmony_ci } 2448c2ecf20Sopenharmony_ci} 2458c2ecf20Sopenharmony_ci 2468c2ecf20Sopenharmony_ciextern bool CONFIG_CGROUP_PIDS __kconfig __weak; 2478c2ecf20Sopenharmony_cienum cgroup_subsys_id___local { 2488c2ecf20Sopenharmony_ci pids_cgrp_id___local = 123, /* value doesn't matter */ 2498c2ecf20Sopenharmony_ci}; 2508c2ecf20Sopenharmony_ci 2518c2ecf20Sopenharmony_cistatic INLINE void* populate_cgroup_info(struct cgroup_data_t* cgroup_data, 2528c2ecf20Sopenharmony_ci struct task_struct* task, 2538c2ecf20Sopenharmony_ci void* payload) 2548c2ecf20Sopenharmony_ci{ 2558c2ecf20Sopenharmony_ci struct kernfs_node* root_kernfs = 2568c2ecf20Sopenharmony_ci BPF_CORE_READ(task, nsproxy, cgroup_ns, root_cset, dfl_cgrp, kn); 2578c2ecf20Sopenharmony_ci struct kernfs_node* proc_kernfs = BPF_CORE_READ(task, cgroups, dfl_cgrp, kn); 2588c2ecf20Sopenharmony_ci 2598c2ecf20Sopenharmony_ci#if __has_builtin(__builtin_preserve_enum_value) 2608c2ecf20Sopenharmony_ci if (ENABLE_CGROUP_V1_RESOLVER && CONFIG_CGROUP_PIDS) { 2618c2ecf20Sopenharmony_ci int cgrp_id = bpf_core_enum_value(enum cgroup_subsys_id___local, 2628c2ecf20Sopenharmony_ci pids_cgrp_id___local); 2638c2ecf20Sopenharmony_ci#ifdef UNROLL 2648c2ecf20Sopenharmony_ci#pragma unroll 2658c2ecf20Sopenharmony_ci#endif 2668c2ecf20Sopenharmony_ci for (int i = 0; i < CGROUP_SUBSYS_COUNT; i++) { 2678c2ecf20Sopenharmony_ci struct cgroup_subsys_state* subsys = 2688c2ecf20Sopenharmony_ci BPF_CORE_READ(task, cgroups, subsys[i]); 2698c2ecf20Sopenharmony_ci if (subsys != NULL) { 2708c2ecf20Sopenharmony_ci int subsys_id = BPF_CORE_READ(subsys, ss, id); 2718c2ecf20Sopenharmony_ci if (subsys_id == cgrp_id) { 2728c2ecf20Sopenharmony_ci proc_kernfs = BPF_CORE_READ(subsys, cgroup, kn); 2738c2ecf20Sopenharmony_ci root_kernfs = BPF_CORE_READ(subsys, ss, root, kf_root, kn); 2748c2ecf20Sopenharmony_ci break; 2758c2ecf20Sopenharmony_ci } 2768c2ecf20Sopenharmony_ci } 2778c2ecf20Sopenharmony_ci } 2788c2ecf20Sopenharmony_ci } 2798c2ecf20Sopenharmony_ci#endif 2808c2ecf20Sopenharmony_ci 2818c2ecf20Sopenharmony_ci cgroup_data->cgroup_root_inode = get_inode_from_kernfs(root_kernfs); 2828c2ecf20Sopenharmony_ci cgroup_data->cgroup_proc_inode = get_inode_from_kernfs(proc_kernfs); 2838c2ecf20Sopenharmony_ci 2848c2ecf20Sopenharmony_ci if (bpf_core_field_exists(root_kernfs->iattr->ia_mtime)) { 2858c2ecf20Sopenharmony_ci cgroup_data->cgroup_root_mtime = 2868c2ecf20Sopenharmony_ci BPF_CORE_READ(root_kernfs, iattr, ia_mtime.tv_nsec); 2878c2ecf20Sopenharmony_ci cgroup_data->cgroup_proc_mtime = 2888c2ecf20Sopenharmony_ci BPF_CORE_READ(proc_kernfs, iattr, ia_mtime.tv_nsec); 2898c2ecf20Sopenharmony_ci } else { 2908c2ecf20Sopenharmony_ci struct kernfs_iattrs___52* root_iattr = 2918c2ecf20Sopenharmony_ci (struct kernfs_iattrs___52*)BPF_CORE_READ(root_kernfs, iattr); 2928c2ecf20Sopenharmony_ci cgroup_data->cgroup_root_mtime = 2938c2ecf20Sopenharmony_ci BPF_CORE_READ(root_iattr, ia_iattr.ia_mtime.tv_nsec); 2948c2ecf20Sopenharmony_ci 2958c2ecf20Sopenharmony_ci struct kernfs_iattrs___52* proc_iattr = 2968c2ecf20Sopenharmony_ci (struct kernfs_iattrs___52*)BPF_CORE_READ(proc_kernfs, iattr); 2978c2ecf20Sopenharmony_ci cgroup_data->cgroup_proc_mtime = 2988c2ecf20Sopenharmony_ci BPF_CORE_READ(proc_iattr, ia_iattr.ia_mtime.tv_nsec); 2998c2ecf20Sopenharmony_ci } 3008c2ecf20Sopenharmony_ci 3018c2ecf20Sopenharmony_ci cgroup_data->cgroup_root_length = 0; 3028c2ecf20Sopenharmony_ci cgroup_data->cgroup_proc_length = 0; 3038c2ecf20Sopenharmony_ci cgroup_data->cgroup_full_length = 0; 3048c2ecf20Sopenharmony_ci 3058c2ecf20Sopenharmony_ci size_t cgroup_root_length = 3068c2ecf20Sopenharmony_ci bpf_probe_read_str(payload, MAX_PATH, BPF_CORE_READ(root_kernfs, name)); 3078c2ecf20Sopenharmony_ci barrier_var(cgroup_root_length); 3088c2ecf20Sopenharmony_ci if (cgroup_root_length <= MAX_PATH) { 3098c2ecf20Sopenharmony_ci barrier_var(cgroup_root_length); 3108c2ecf20Sopenharmony_ci cgroup_data->cgroup_root_length = cgroup_root_length; 3118c2ecf20Sopenharmony_ci payload += cgroup_root_length; 3128c2ecf20Sopenharmony_ci } 3138c2ecf20Sopenharmony_ci 3148c2ecf20Sopenharmony_ci size_t cgroup_proc_length = 3158c2ecf20Sopenharmony_ci bpf_probe_read_str(payload, MAX_PATH, BPF_CORE_READ(proc_kernfs, name)); 3168c2ecf20Sopenharmony_ci barrier_var(cgroup_proc_length); 3178c2ecf20Sopenharmony_ci if (cgroup_proc_length <= MAX_PATH) { 3188c2ecf20Sopenharmony_ci barrier_var(cgroup_proc_length); 3198c2ecf20Sopenharmony_ci cgroup_data->cgroup_proc_length = cgroup_proc_length; 3208c2ecf20Sopenharmony_ci payload += cgroup_proc_length; 3218c2ecf20Sopenharmony_ci } 3228c2ecf20Sopenharmony_ci 3238c2ecf20Sopenharmony_ci if (FETCH_CGROUPS_FROM_BPF) { 3248c2ecf20Sopenharmony_ci cgroup_data->cgroup_full_path_root_pos = -1; 3258c2ecf20Sopenharmony_ci void* payload_end_pos = read_full_cgroup_path(proc_kernfs, root_kernfs, payload, 3268c2ecf20Sopenharmony_ci &cgroup_data->cgroup_full_path_root_pos); 3278c2ecf20Sopenharmony_ci cgroup_data->cgroup_full_length = payload_end_pos - payload; 3288c2ecf20Sopenharmony_ci payload = payload_end_pos; 3298c2ecf20Sopenharmony_ci } 3308c2ecf20Sopenharmony_ci 3318c2ecf20Sopenharmony_ci return (void*)payload; 3328c2ecf20Sopenharmony_ci} 3338c2ecf20Sopenharmony_ci 3348c2ecf20Sopenharmony_cistatic INLINE void* populate_var_metadata(struct var_metadata_t* metadata, 3358c2ecf20Sopenharmony_ci struct task_struct* task, 3368c2ecf20Sopenharmony_ci u32 pid, void* payload) 3378c2ecf20Sopenharmony_ci{ 3388c2ecf20Sopenharmony_ci u64 uid_gid = bpf_get_current_uid_gid(); 3398c2ecf20Sopenharmony_ci 3408c2ecf20Sopenharmony_ci metadata->uid = (u32)uid_gid; 3418c2ecf20Sopenharmony_ci metadata->gid = uid_gid >> 32; 3428c2ecf20Sopenharmony_ci metadata->pid = pid; 3438c2ecf20Sopenharmony_ci metadata->exec_id = BPF_CORE_READ(task, self_exec_id); 3448c2ecf20Sopenharmony_ci metadata->start_time = BPF_CORE_READ(task, start_time); 3458c2ecf20Sopenharmony_ci metadata->comm_length = 0; 3468c2ecf20Sopenharmony_ci 3478c2ecf20Sopenharmony_ci size_t comm_length = bpf_core_read_str(payload, TASK_COMM_LEN, &task->comm); 3488c2ecf20Sopenharmony_ci barrier_var(comm_length); 3498c2ecf20Sopenharmony_ci if (comm_length <= TASK_COMM_LEN) { 3508c2ecf20Sopenharmony_ci barrier_var(comm_length); 3518c2ecf20Sopenharmony_ci metadata->comm_length = comm_length; 3528c2ecf20Sopenharmony_ci payload += comm_length; 3538c2ecf20Sopenharmony_ci } 3548c2ecf20Sopenharmony_ci 3558c2ecf20Sopenharmony_ci return (void*)payload; 3568c2ecf20Sopenharmony_ci} 3578c2ecf20Sopenharmony_ci 3588c2ecf20Sopenharmony_cistatic INLINE struct var_kill_data_t* 3598c2ecf20Sopenharmony_ciget_var_kill_data(struct pt_regs* ctx, int spid, int tpid, int sig) 3608c2ecf20Sopenharmony_ci{ 3618c2ecf20Sopenharmony_ci int zero = 0; 3628c2ecf20Sopenharmony_ci struct var_kill_data_t* kill_data = bpf_map_lookup_elem(&data_heap, &zero); 3638c2ecf20Sopenharmony_ci 3648c2ecf20Sopenharmony_ci if (kill_data == NULL) 3658c2ecf20Sopenharmony_ci return NULL; 3668c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 3678c2ecf20Sopenharmony_ci 3688c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&kill_data->meta, task, spid, kill_data->payload); 3698c2ecf20Sopenharmony_ci payload = populate_cgroup_info(&kill_data->cgroup_data, task, payload); 3708c2ecf20Sopenharmony_ci size_t payload_length = payload - (void*)kill_data->payload; 3718c2ecf20Sopenharmony_ci kill_data->payload_length = payload_length; 3728c2ecf20Sopenharmony_ci populate_ancestors(task, &kill_data->ancestors_info); 3738c2ecf20Sopenharmony_ci kill_data->meta.type = KILL_EVENT; 3748c2ecf20Sopenharmony_ci kill_data->kill_target_pid = tpid; 3758c2ecf20Sopenharmony_ci kill_data->kill_sig = sig; 3768c2ecf20Sopenharmony_ci kill_data->kill_count = 1; 3778c2ecf20Sopenharmony_ci kill_data->last_kill_time = bpf_ktime_get_ns(); 3788c2ecf20Sopenharmony_ci return kill_data; 3798c2ecf20Sopenharmony_ci} 3808c2ecf20Sopenharmony_ci 3818c2ecf20Sopenharmony_cistatic INLINE int trace_var_sys_kill(void* ctx, int tpid, int sig) 3828c2ecf20Sopenharmony_ci{ 3838c2ecf20Sopenharmony_ci if ((KILL_SIGNALS & (1ULL << sig)) == 0) 3848c2ecf20Sopenharmony_ci return 0; 3858c2ecf20Sopenharmony_ci 3868c2ecf20Sopenharmony_ci u32 spid = get_userspace_pid(); 3878c2ecf20Sopenharmony_ci struct var_kill_data_arr_t* arr_struct = bpf_map_lookup_elem(&var_tpid_to_data, &tpid); 3888c2ecf20Sopenharmony_ci 3898c2ecf20Sopenharmony_ci if (arr_struct == NULL) { 3908c2ecf20Sopenharmony_ci struct var_kill_data_t* kill_data = get_var_kill_data(ctx, spid, tpid, sig); 3918c2ecf20Sopenharmony_ci int zero = 0; 3928c2ecf20Sopenharmony_ci 3938c2ecf20Sopenharmony_ci if (kill_data == NULL) 3948c2ecf20Sopenharmony_ci return 0; 3958c2ecf20Sopenharmony_ci arr_struct = bpf_map_lookup_elem(&data_heap, &zero); 3968c2ecf20Sopenharmony_ci if (arr_struct == NULL) 3978c2ecf20Sopenharmony_ci return 0; 3988c2ecf20Sopenharmony_ci bpf_probe_read(&arr_struct->array[0], sizeof(arr_struct->array[0]), kill_data); 3998c2ecf20Sopenharmony_ci } else { 4008c2ecf20Sopenharmony_ci int index = get_var_spid_index(arr_struct, spid); 4018c2ecf20Sopenharmony_ci 4028c2ecf20Sopenharmony_ci if (index == -1) { 4038c2ecf20Sopenharmony_ci struct var_kill_data_t* kill_data = 4048c2ecf20Sopenharmony_ci get_var_kill_data(ctx, spid, tpid, sig); 4058c2ecf20Sopenharmony_ci if (kill_data == NULL) 4068c2ecf20Sopenharmony_ci return 0; 4078c2ecf20Sopenharmony_ci#ifdef UNROLL 4088c2ecf20Sopenharmony_ci#pragma unroll 4098c2ecf20Sopenharmony_ci#endif 4108c2ecf20Sopenharmony_ci for (int i = 0; i < ARRAY_SIZE(arr_struct->array); i++) 4118c2ecf20Sopenharmony_ci if (arr_struct->array[i].meta.pid == 0) { 4128c2ecf20Sopenharmony_ci bpf_probe_read(&arr_struct->array[i], 4138c2ecf20Sopenharmony_ci sizeof(arr_struct->array[i]), kill_data); 4148c2ecf20Sopenharmony_ci bpf_map_update_elem(&var_tpid_to_data, &tpid, 4158c2ecf20Sopenharmony_ci arr_struct, 0); 4168c2ecf20Sopenharmony_ci 4178c2ecf20Sopenharmony_ci return 0; 4188c2ecf20Sopenharmony_ci } 4198c2ecf20Sopenharmony_ci return 0; 4208c2ecf20Sopenharmony_ci } 4218c2ecf20Sopenharmony_ci 4228c2ecf20Sopenharmony_ci struct var_kill_data_t* kill_data = &arr_struct->array[index]; 4238c2ecf20Sopenharmony_ci 4248c2ecf20Sopenharmony_ci u64 delta_sec = 4258c2ecf20Sopenharmony_ci (bpf_ktime_get_ns() - kill_data->last_kill_time) / 1000000000; 4268c2ecf20Sopenharmony_ci 4278c2ecf20Sopenharmony_ci if (delta_sec < STALE_INFO) { 4288c2ecf20Sopenharmony_ci kill_data->kill_count++; 4298c2ecf20Sopenharmony_ci kill_data->last_kill_time = bpf_ktime_get_ns(); 4308c2ecf20Sopenharmony_ci bpf_probe_read(&arr_struct->array[index], 4318c2ecf20Sopenharmony_ci sizeof(arr_struct->array[index]), 4328c2ecf20Sopenharmony_ci kill_data); 4338c2ecf20Sopenharmony_ci } else { 4348c2ecf20Sopenharmony_ci struct var_kill_data_t* kill_data = 4358c2ecf20Sopenharmony_ci get_var_kill_data(ctx, spid, tpid, sig); 4368c2ecf20Sopenharmony_ci if (kill_data == NULL) 4378c2ecf20Sopenharmony_ci return 0; 4388c2ecf20Sopenharmony_ci bpf_probe_read(&arr_struct->array[index], 4398c2ecf20Sopenharmony_ci sizeof(arr_struct->array[index]), 4408c2ecf20Sopenharmony_ci kill_data); 4418c2ecf20Sopenharmony_ci } 4428c2ecf20Sopenharmony_ci } 4438c2ecf20Sopenharmony_ci bpf_map_update_elem(&var_tpid_to_data, &tpid, arr_struct, 0); 4448c2ecf20Sopenharmony_ci return 0; 4458c2ecf20Sopenharmony_ci} 4468c2ecf20Sopenharmony_ci 4478c2ecf20Sopenharmony_cistatic INLINE void bpf_stats_enter(struct bpf_func_stats_ctx* bpf_stat_ctx, 4488c2ecf20Sopenharmony_ci enum bpf_function_id func_id) 4498c2ecf20Sopenharmony_ci{ 4508c2ecf20Sopenharmony_ci int func_id_key = func_id; 4518c2ecf20Sopenharmony_ci 4528c2ecf20Sopenharmony_ci bpf_stat_ctx->start_time_ns = bpf_ktime_get_ns(); 4538c2ecf20Sopenharmony_ci bpf_stat_ctx->bpf_func_stats_data_val = 4548c2ecf20Sopenharmony_ci bpf_map_lookup_elem(&bpf_func_stats, &func_id_key); 4558c2ecf20Sopenharmony_ci if (bpf_stat_ctx->bpf_func_stats_data_val) 4568c2ecf20Sopenharmony_ci bpf_stat_ctx->bpf_func_stats_data_val->num_executions++; 4578c2ecf20Sopenharmony_ci} 4588c2ecf20Sopenharmony_ci 4598c2ecf20Sopenharmony_cistatic INLINE void bpf_stats_exit(struct bpf_func_stats_ctx* bpf_stat_ctx) 4608c2ecf20Sopenharmony_ci{ 4618c2ecf20Sopenharmony_ci if (bpf_stat_ctx->bpf_func_stats_data_val) 4628c2ecf20Sopenharmony_ci bpf_stat_ctx->bpf_func_stats_data_val->time_elapsed_ns += 4638c2ecf20Sopenharmony_ci bpf_ktime_get_ns() - bpf_stat_ctx->start_time_ns; 4648c2ecf20Sopenharmony_ci} 4658c2ecf20Sopenharmony_ci 4668c2ecf20Sopenharmony_cistatic INLINE void 4678c2ecf20Sopenharmony_cibpf_stats_pre_submit_var_perf_event(struct bpf_func_stats_ctx* bpf_stat_ctx, 4688c2ecf20Sopenharmony_ci struct var_metadata_t* meta) 4698c2ecf20Sopenharmony_ci{ 4708c2ecf20Sopenharmony_ci if (bpf_stat_ctx->bpf_func_stats_data_val) { 4718c2ecf20Sopenharmony_ci bpf_stat_ctx->bpf_func_stats_data_val->num_perf_events++; 4728c2ecf20Sopenharmony_ci meta->bpf_stats_num_perf_events = 4738c2ecf20Sopenharmony_ci bpf_stat_ctx->bpf_func_stats_data_val->num_perf_events; 4748c2ecf20Sopenharmony_ci } 4758c2ecf20Sopenharmony_ci meta->bpf_stats_start_ktime_ns = bpf_stat_ctx->start_time_ns; 4768c2ecf20Sopenharmony_ci meta->cpu_id = bpf_get_smp_processor_id(); 4778c2ecf20Sopenharmony_ci} 4788c2ecf20Sopenharmony_ci 4798c2ecf20Sopenharmony_cistatic INLINE size_t 4808c2ecf20Sopenharmony_ciread_absolute_file_path_from_dentry(struct dentry* filp_dentry, void* payload) 4818c2ecf20Sopenharmony_ci{ 4828c2ecf20Sopenharmony_ci size_t length = 0; 4838c2ecf20Sopenharmony_ci size_t filepart_length; 4848c2ecf20Sopenharmony_ci struct dentry* parent_dentry; 4858c2ecf20Sopenharmony_ci 4868c2ecf20Sopenharmony_ci#ifdef UNROLL 4878c2ecf20Sopenharmony_ci#pragma unroll 4888c2ecf20Sopenharmony_ci#endif 4898c2ecf20Sopenharmony_ci for (int i = 0; i < MAX_PATH_DEPTH; i++) { 4908c2ecf20Sopenharmony_ci filepart_length = bpf_probe_read_str(payload, MAX_PATH, 4918c2ecf20Sopenharmony_ci BPF_CORE_READ(filp_dentry, d_name.name)); 4928c2ecf20Sopenharmony_ci barrier_var(filepart_length); 4938c2ecf20Sopenharmony_ci if (filepart_length > MAX_PATH) 4948c2ecf20Sopenharmony_ci break; 4958c2ecf20Sopenharmony_ci barrier_var(filepart_length); 4968c2ecf20Sopenharmony_ci payload += filepart_length; 4978c2ecf20Sopenharmony_ci length += filepart_length; 4988c2ecf20Sopenharmony_ci 4998c2ecf20Sopenharmony_ci parent_dentry = BPF_CORE_READ(filp_dentry, d_parent); 5008c2ecf20Sopenharmony_ci if (filp_dentry == parent_dentry) 5018c2ecf20Sopenharmony_ci break; 5028c2ecf20Sopenharmony_ci filp_dentry = parent_dentry; 5038c2ecf20Sopenharmony_ci } 5048c2ecf20Sopenharmony_ci 5058c2ecf20Sopenharmony_ci return length; 5068c2ecf20Sopenharmony_ci} 5078c2ecf20Sopenharmony_ci 5088c2ecf20Sopenharmony_cistatic INLINE bool 5098c2ecf20Sopenharmony_ciis_ancestor_in_allowed_inodes(struct dentry* filp_dentry) 5108c2ecf20Sopenharmony_ci{ 5118c2ecf20Sopenharmony_ci struct dentry* parent_dentry; 5128c2ecf20Sopenharmony_ci#ifdef UNROLL 5138c2ecf20Sopenharmony_ci#pragma unroll 5148c2ecf20Sopenharmony_ci#endif 5158c2ecf20Sopenharmony_ci for (int i = 0; i < MAX_PATH_DEPTH; i++) { 5168c2ecf20Sopenharmony_ci u64 dir_ino = BPF_CORE_READ(filp_dentry, d_inode, i_ino); 5178c2ecf20Sopenharmony_ci bool* allowed_dir = bpf_map_lookup_elem(&allowed_directory_inodes, &dir_ino); 5188c2ecf20Sopenharmony_ci 5198c2ecf20Sopenharmony_ci if (allowed_dir != NULL) 5208c2ecf20Sopenharmony_ci return true; 5218c2ecf20Sopenharmony_ci parent_dentry = BPF_CORE_READ(filp_dentry, d_parent); 5228c2ecf20Sopenharmony_ci if (filp_dentry == parent_dentry) 5238c2ecf20Sopenharmony_ci break; 5248c2ecf20Sopenharmony_ci filp_dentry = parent_dentry; 5258c2ecf20Sopenharmony_ci } 5268c2ecf20Sopenharmony_ci return false; 5278c2ecf20Sopenharmony_ci} 5288c2ecf20Sopenharmony_ci 5298c2ecf20Sopenharmony_cistatic INLINE bool is_dentry_allowed_for_filemod(struct dentry* file_dentry, 5308c2ecf20Sopenharmony_ci u32* device_id, 5318c2ecf20Sopenharmony_ci u64* file_ino) 5328c2ecf20Sopenharmony_ci{ 5338c2ecf20Sopenharmony_ci u32 dev_id = BPF_CORE_READ(file_dentry, d_sb, s_dev); 5348c2ecf20Sopenharmony_ci *device_id = dev_id; 5358c2ecf20Sopenharmony_ci bool* allowed_device = bpf_map_lookup_elem(&allowed_devices, &dev_id); 5368c2ecf20Sopenharmony_ci 5378c2ecf20Sopenharmony_ci if (allowed_device == NULL) 5388c2ecf20Sopenharmony_ci return false; 5398c2ecf20Sopenharmony_ci 5408c2ecf20Sopenharmony_ci u64 ino = BPF_CORE_READ(file_dentry, d_inode, i_ino); 5418c2ecf20Sopenharmony_ci *file_ino = ino; 5428c2ecf20Sopenharmony_ci bool* allowed_file = bpf_map_lookup_elem(&allowed_file_inodes, &ino); 5438c2ecf20Sopenharmony_ci 5448c2ecf20Sopenharmony_ci if (allowed_file == NULL) 5458c2ecf20Sopenharmony_ci if (!is_ancestor_in_allowed_inodes(BPF_CORE_READ(file_dentry, d_parent))) 5468c2ecf20Sopenharmony_ci return false; 5478c2ecf20Sopenharmony_ci return true; 5488c2ecf20Sopenharmony_ci} 5498c2ecf20Sopenharmony_ci 5508c2ecf20Sopenharmony_ciSEC("kprobe/proc_sys_write") 5518c2ecf20Sopenharmony_cissize_t BPF_KPROBE(kprobe__proc_sys_write, 5528c2ecf20Sopenharmony_ci struct file* filp, const char* buf, 5538c2ecf20Sopenharmony_ci size_t count, loff_t* ppos) 5548c2ecf20Sopenharmony_ci{ 5558c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 5568c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_proc_sys_write); 5578c2ecf20Sopenharmony_ci 5588c2ecf20Sopenharmony_ci u32 pid = get_userspace_pid(); 5598c2ecf20Sopenharmony_ci int zero = 0; 5608c2ecf20Sopenharmony_ci struct var_sysctl_data_t* sysctl_data = 5618c2ecf20Sopenharmony_ci bpf_map_lookup_elem(&data_heap, &zero); 5628c2ecf20Sopenharmony_ci if (!sysctl_data) 5638c2ecf20Sopenharmony_ci goto out; 5648c2ecf20Sopenharmony_ci 5658c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 5668c2ecf20Sopenharmony_ci sysctl_data->meta.type = SYSCTL_EVENT; 5678c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&sysctl_data->meta, task, pid, sysctl_data->payload); 5688c2ecf20Sopenharmony_ci payload = populate_cgroup_info(&sysctl_data->cgroup_data, task, payload); 5698c2ecf20Sopenharmony_ci 5708c2ecf20Sopenharmony_ci populate_ancestors(task, &sysctl_data->ancestors_info); 5718c2ecf20Sopenharmony_ci 5728c2ecf20Sopenharmony_ci sysctl_data->sysctl_val_length = 0; 5738c2ecf20Sopenharmony_ci sysctl_data->sysctl_path_length = 0; 5748c2ecf20Sopenharmony_ci 5758c2ecf20Sopenharmony_ci size_t sysctl_val_length = bpf_probe_read_str(payload, CTL_MAXNAME, buf); 5768c2ecf20Sopenharmony_ci barrier_var(sysctl_val_length); 5778c2ecf20Sopenharmony_ci if (sysctl_val_length <= CTL_MAXNAME) { 5788c2ecf20Sopenharmony_ci barrier_var(sysctl_val_length); 5798c2ecf20Sopenharmony_ci sysctl_data->sysctl_val_length = sysctl_val_length; 5808c2ecf20Sopenharmony_ci payload += sysctl_val_length; 5818c2ecf20Sopenharmony_ci } 5828c2ecf20Sopenharmony_ci 5838c2ecf20Sopenharmony_ci size_t sysctl_path_length = bpf_probe_read_str(payload, MAX_PATH, 5848c2ecf20Sopenharmony_ci BPF_CORE_READ(filp, f_path.dentry, d_name.name)); 5858c2ecf20Sopenharmony_ci barrier_var(sysctl_path_length); 5868c2ecf20Sopenharmony_ci if (sysctl_path_length <= MAX_PATH) { 5878c2ecf20Sopenharmony_ci barrier_var(sysctl_path_length); 5888c2ecf20Sopenharmony_ci sysctl_data->sysctl_path_length = sysctl_path_length; 5898c2ecf20Sopenharmony_ci payload += sysctl_path_length; 5908c2ecf20Sopenharmony_ci } 5918c2ecf20Sopenharmony_ci 5928c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &sysctl_data->meta); 5938c2ecf20Sopenharmony_ci unsigned long data_len = payload - (void*)sysctl_data; 5948c2ecf20Sopenharmony_ci data_len = data_len > sizeof(struct var_sysctl_data_t) 5958c2ecf20Sopenharmony_ci ? sizeof(struct var_sysctl_data_t) 5968c2ecf20Sopenharmony_ci : data_len; 5978c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, sysctl_data, data_len); 5988c2ecf20Sopenharmony_ciout: 5998c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 6008c2ecf20Sopenharmony_ci return 0; 6018c2ecf20Sopenharmony_ci} 6028c2ecf20Sopenharmony_ci 6038c2ecf20Sopenharmony_ciSEC("tracepoint/syscalls/sys_enter_kill") 6048c2ecf20Sopenharmony_ciint tracepoint__syscalls__sys_enter_kill(struct trace_event_raw_sys_enter* ctx) 6058c2ecf20Sopenharmony_ci{ 6068c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 6078c2ecf20Sopenharmony_ci 6088c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_sys_enter_kill); 6098c2ecf20Sopenharmony_ci int pid = ctx->args[0]; 6108c2ecf20Sopenharmony_ci int sig = ctx->args[1]; 6118c2ecf20Sopenharmony_ci int ret = trace_var_sys_kill(ctx, pid, sig); 6128c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 6138c2ecf20Sopenharmony_ci return ret; 6148c2ecf20Sopenharmony_ci}; 6158c2ecf20Sopenharmony_ci 6168c2ecf20Sopenharmony_ciSEC("raw_tracepoint/sched_process_exit") 6178c2ecf20Sopenharmony_ciint raw_tracepoint__sched_process_exit(void* ctx) 6188c2ecf20Sopenharmony_ci{ 6198c2ecf20Sopenharmony_ci int zero = 0; 6208c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 6218c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_sched_process_exit); 6228c2ecf20Sopenharmony_ci 6238c2ecf20Sopenharmony_ci u32 tpid = get_userspace_pid(); 6248c2ecf20Sopenharmony_ci 6258c2ecf20Sopenharmony_ci struct var_kill_data_arr_t* arr_struct = bpf_map_lookup_elem(&var_tpid_to_data, &tpid); 6268c2ecf20Sopenharmony_ci struct var_kill_data_t* kill_data = bpf_map_lookup_elem(&data_heap, &zero); 6278c2ecf20Sopenharmony_ci 6288c2ecf20Sopenharmony_ci if (arr_struct == NULL || kill_data == NULL) 6298c2ecf20Sopenharmony_ci goto out; 6308c2ecf20Sopenharmony_ci 6318c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 6328c2ecf20Sopenharmony_ci struct kernfs_node* proc_kernfs = BPF_CORE_READ(task, cgroups, dfl_cgrp, kn); 6338c2ecf20Sopenharmony_ci 6348c2ecf20Sopenharmony_ci#ifdef UNROLL 6358c2ecf20Sopenharmony_ci#pragma unroll 6368c2ecf20Sopenharmony_ci#endif 6378c2ecf20Sopenharmony_ci for (int i = 0; i < ARRAY_SIZE(arr_struct->array); i++) { 6388c2ecf20Sopenharmony_ci struct var_kill_data_t* past_kill_data = &arr_struct->array[i]; 6398c2ecf20Sopenharmony_ci 6408c2ecf20Sopenharmony_ci if (past_kill_data != NULL && past_kill_data->kill_target_pid == tpid) { 6418c2ecf20Sopenharmony_ci bpf_probe_read(kill_data, sizeof(*past_kill_data), past_kill_data); 6428c2ecf20Sopenharmony_ci void* payload = kill_data->payload; 6438c2ecf20Sopenharmony_ci size_t offset = kill_data->payload_length; 6448c2ecf20Sopenharmony_ci if (offset >= MAX_METADATA_PAYLOAD_LEN + MAX_CGROUP_PAYLOAD_LEN) 6458c2ecf20Sopenharmony_ci return 0; 6468c2ecf20Sopenharmony_ci payload += offset; 6478c2ecf20Sopenharmony_ci 6488c2ecf20Sopenharmony_ci kill_data->kill_target_name_length = 0; 6498c2ecf20Sopenharmony_ci kill_data->kill_target_cgroup_proc_length = 0; 6508c2ecf20Sopenharmony_ci 6518c2ecf20Sopenharmony_ci size_t comm_length = bpf_core_read_str(payload, TASK_COMM_LEN, &task->comm); 6528c2ecf20Sopenharmony_ci barrier_var(comm_length); 6538c2ecf20Sopenharmony_ci if (comm_length <= TASK_COMM_LEN) { 6548c2ecf20Sopenharmony_ci barrier_var(comm_length); 6558c2ecf20Sopenharmony_ci kill_data->kill_target_name_length = comm_length; 6568c2ecf20Sopenharmony_ci payload += comm_length; 6578c2ecf20Sopenharmony_ci } 6588c2ecf20Sopenharmony_ci 6598c2ecf20Sopenharmony_ci size_t cgroup_proc_length = bpf_probe_read_str(payload, KILL_TARGET_LEN, 6608c2ecf20Sopenharmony_ci BPF_CORE_READ(proc_kernfs, name)); 6618c2ecf20Sopenharmony_ci barrier_var(cgroup_proc_length); 6628c2ecf20Sopenharmony_ci if (cgroup_proc_length <= KILL_TARGET_LEN) { 6638c2ecf20Sopenharmony_ci barrier_var(cgroup_proc_length); 6648c2ecf20Sopenharmony_ci kill_data->kill_target_cgroup_proc_length = cgroup_proc_length; 6658c2ecf20Sopenharmony_ci payload += cgroup_proc_length; 6668c2ecf20Sopenharmony_ci } 6678c2ecf20Sopenharmony_ci 6688c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &kill_data->meta); 6698c2ecf20Sopenharmony_ci unsigned long data_len = (void*)payload - (void*)kill_data; 6708c2ecf20Sopenharmony_ci data_len = data_len > sizeof(struct var_kill_data_t) 6718c2ecf20Sopenharmony_ci ? sizeof(struct var_kill_data_t) 6728c2ecf20Sopenharmony_ci : data_len; 6738c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, kill_data, data_len); 6748c2ecf20Sopenharmony_ci } 6758c2ecf20Sopenharmony_ci } 6768c2ecf20Sopenharmony_ci bpf_map_delete_elem(&var_tpid_to_data, &tpid); 6778c2ecf20Sopenharmony_ciout: 6788c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 6798c2ecf20Sopenharmony_ci return 0; 6808c2ecf20Sopenharmony_ci} 6818c2ecf20Sopenharmony_ci 6828c2ecf20Sopenharmony_ciSEC("raw_tracepoint/sched_process_exec") 6838c2ecf20Sopenharmony_ciint raw_tracepoint__sched_process_exec(struct bpf_raw_tracepoint_args* ctx) 6848c2ecf20Sopenharmony_ci{ 6858c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 6868c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_sched_process_exec); 6878c2ecf20Sopenharmony_ci 6888c2ecf20Sopenharmony_ci struct linux_binprm* bprm = (struct linux_binprm*)ctx->args[2]; 6898c2ecf20Sopenharmony_ci u64 inode = BPF_CORE_READ(bprm, file, f_inode, i_ino); 6908c2ecf20Sopenharmony_ci 6918c2ecf20Sopenharmony_ci bool* should_filter_binprm = bpf_map_lookup_elem(&disallowed_exec_inodes, &inode); 6928c2ecf20Sopenharmony_ci if (should_filter_binprm != NULL) 6938c2ecf20Sopenharmony_ci goto out; 6948c2ecf20Sopenharmony_ci 6958c2ecf20Sopenharmony_ci int zero = 0; 6968c2ecf20Sopenharmony_ci struct var_exec_data_t* proc_exec_data = bpf_map_lookup_elem(&data_heap, &zero); 6978c2ecf20Sopenharmony_ci if (!proc_exec_data) 6988c2ecf20Sopenharmony_ci goto out; 6998c2ecf20Sopenharmony_ci 7008c2ecf20Sopenharmony_ci if (INODE_FILTER && inode != INODE_FILTER) 7018c2ecf20Sopenharmony_ci return 0; 7028c2ecf20Sopenharmony_ci 7038c2ecf20Sopenharmony_ci u32 pid = get_userspace_pid(); 7048c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 7058c2ecf20Sopenharmony_ci 7068c2ecf20Sopenharmony_ci proc_exec_data->meta.type = EXEC_EVENT; 7078c2ecf20Sopenharmony_ci proc_exec_data->bin_path_length = 0; 7088c2ecf20Sopenharmony_ci proc_exec_data->cmdline_length = 0; 7098c2ecf20Sopenharmony_ci proc_exec_data->environment_length = 0; 7108c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&proc_exec_data->meta, task, pid, 7118c2ecf20Sopenharmony_ci proc_exec_data->payload); 7128c2ecf20Sopenharmony_ci payload = populate_cgroup_info(&proc_exec_data->cgroup_data, task, payload); 7138c2ecf20Sopenharmony_ci 7148c2ecf20Sopenharmony_ci struct task_struct* parent_task = BPF_CORE_READ(task, real_parent); 7158c2ecf20Sopenharmony_ci proc_exec_data->parent_pid = BPF_CORE_READ(parent_task, tgid); 7168c2ecf20Sopenharmony_ci proc_exec_data->parent_uid = BPF_CORE_READ(parent_task, real_cred, uid.val); 7178c2ecf20Sopenharmony_ci proc_exec_data->parent_exec_id = BPF_CORE_READ(parent_task, self_exec_id); 7188c2ecf20Sopenharmony_ci proc_exec_data->parent_start_time = BPF_CORE_READ(parent_task, start_time); 7198c2ecf20Sopenharmony_ci 7208c2ecf20Sopenharmony_ci const char* filename = BPF_CORE_READ(bprm, filename); 7218c2ecf20Sopenharmony_ci size_t bin_path_length = bpf_probe_read_str(payload, MAX_FILENAME_LEN, filename); 7228c2ecf20Sopenharmony_ci barrier_var(bin_path_length); 7238c2ecf20Sopenharmony_ci if (bin_path_length <= MAX_FILENAME_LEN) { 7248c2ecf20Sopenharmony_ci barrier_var(bin_path_length); 7258c2ecf20Sopenharmony_ci proc_exec_data->bin_path_length = bin_path_length; 7268c2ecf20Sopenharmony_ci payload += bin_path_length; 7278c2ecf20Sopenharmony_ci } 7288c2ecf20Sopenharmony_ci 7298c2ecf20Sopenharmony_ci void* arg_start = (void*)BPF_CORE_READ(task, mm, arg_start); 7308c2ecf20Sopenharmony_ci void* arg_end = (void*)BPF_CORE_READ(task, mm, arg_end); 7318c2ecf20Sopenharmony_ci unsigned int cmdline_length = probe_read_lim(payload, arg_start, 7328c2ecf20Sopenharmony_ci arg_end - arg_start, MAX_ARGS_LEN); 7338c2ecf20Sopenharmony_ci 7348c2ecf20Sopenharmony_ci if (cmdline_length <= MAX_ARGS_LEN) { 7358c2ecf20Sopenharmony_ci barrier_var(cmdline_length); 7368c2ecf20Sopenharmony_ci proc_exec_data->cmdline_length = cmdline_length; 7378c2ecf20Sopenharmony_ci payload += cmdline_length; 7388c2ecf20Sopenharmony_ci } 7398c2ecf20Sopenharmony_ci 7408c2ecf20Sopenharmony_ci if (READ_ENVIRON_FROM_EXEC) { 7418c2ecf20Sopenharmony_ci void* env_start = (void*)BPF_CORE_READ(task, mm, env_start); 7428c2ecf20Sopenharmony_ci void* env_end = (void*)BPF_CORE_READ(task, mm, env_end); 7438c2ecf20Sopenharmony_ci unsigned long env_len = probe_read_lim(payload, env_start, 7448c2ecf20Sopenharmony_ci env_end - env_start, MAX_ENVIRON_LEN); 7458c2ecf20Sopenharmony_ci if (cmdline_length <= MAX_ENVIRON_LEN) { 7468c2ecf20Sopenharmony_ci proc_exec_data->environment_length = env_len; 7478c2ecf20Sopenharmony_ci payload += env_len; 7488c2ecf20Sopenharmony_ci } 7498c2ecf20Sopenharmony_ci } 7508c2ecf20Sopenharmony_ci 7518c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &proc_exec_data->meta); 7528c2ecf20Sopenharmony_ci unsigned long data_len = payload - (void*)proc_exec_data; 7538c2ecf20Sopenharmony_ci data_len = data_len > sizeof(struct var_exec_data_t) 7548c2ecf20Sopenharmony_ci ? sizeof(struct var_exec_data_t) 7558c2ecf20Sopenharmony_ci : data_len; 7568c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, proc_exec_data, data_len); 7578c2ecf20Sopenharmony_ciout: 7588c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 7598c2ecf20Sopenharmony_ci return 0; 7608c2ecf20Sopenharmony_ci} 7618c2ecf20Sopenharmony_ci 7628c2ecf20Sopenharmony_ciSEC("kretprobe/do_filp_open") 7638c2ecf20Sopenharmony_ciint kprobe_ret__do_filp_open(struct pt_regs* ctx) 7648c2ecf20Sopenharmony_ci{ 7658c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 7668c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_do_filp_open_ret); 7678c2ecf20Sopenharmony_ci 7688c2ecf20Sopenharmony_ci struct file* filp = (struct file*)PT_REGS_RC_CORE(ctx); 7698c2ecf20Sopenharmony_ci 7708c2ecf20Sopenharmony_ci if (filp == NULL || IS_ERR(filp)) 7718c2ecf20Sopenharmony_ci goto out; 7728c2ecf20Sopenharmony_ci unsigned int flags = BPF_CORE_READ(filp, f_flags); 7738c2ecf20Sopenharmony_ci if ((flags & (O_RDWR | O_WRONLY)) == 0) 7748c2ecf20Sopenharmony_ci goto out; 7758c2ecf20Sopenharmony_ci if ((flags & O_TMPFILE) > 0) 7768c2ecf20Sopenharmony_ci goto out; 7778c2ecf20Sopenharmony_ci struct inode* file_inode = BPF_CORE_READ(filp, f_inode); 7788c2ecf20Sopenharmony_ci umode_t mode = BPF_CORE_READ(file_inode, i_mode); 7798c2ecf20Sopenharmony_ci if (S_ISDIR(mode) || S_ISCHR(mode) || S_ISBLK(mode) || S_ISFIFO(mode) || 7808c2ecf20Sopenharmony_ci S_ISSOCK(mode)) 7818c2ecf20Sopenharmony_ci goto out; 7828c2ecf20Sopenharmony_ci 7838c2ecf20Sopenharmony_ci struct dentry* filp_dentry = BPF_CORE_READ(filp, f_path.dentry); 7848c2ecf20Sopenharmony_ci u32 device_id = 0; 7858c2ecf20Sopenharmony_ci u64 file_ino = 0; 7868c2ecf20Sopenharmony_ci if (!is_dentry_allowed_for_filemod(filp_dentry, &device_id, &file_ino)) 7878c2ecf20Sopenharmony_ci goto out; 7888c2ecf20Sopenharmony_ci 7898c2ecf20Sopenharmony_ci int zero = 0; 7908c2ecf20Sopenharmony_ci struct var_filemod_data_t* filemod_data = bpf_map_lookup_elem(&data_heap, &zero); 7918c2ecf20Sopenharmony_ci if (!filemod_data) 7928c2ecf20Sopenharmony_ci goto out; 7938c2ecf20Sopenharmony_ci 7948c2ecf20Sopenharmony_ci u32 pid = get_userspace_pid(); 7958c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 7968c2ecf20Sopenharmony_ci 7978c2ecf20Sopenharmony_ci filemod_data->meta.type = FILEMOD_EVENT; 7988c2ecf20Sopenharmony_ci filemod_data->fmod_type = FMOD_OPEN; 7998c2ecf20Sopenharmony_ci filemod_data->dst_flags = flags; 8008c2ecf20Sopenharmony_ci filemod_data->src_inode = 0; 8018c2ecf20Sopenharmony_ci filemod_data->dst_inode = file_ino; 8028c2ecf20Sopenharmony_ci filemod_data->src_device_id = 0; 8038c2ecf20Sopenharmony_ci filemod_data->dst_device_id = device_id; 8048c2ecf20Sopenharmony_ci filemod_data->src_filepath_length = 0; 8058c2ecf20Sopenharmony_ci filemod_data->dst_filepath_length = 0; 8068c2ecf20Sopenharmony_ci 8078c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&filemod_data->meta, task, pid, 8088c2ecf20Sopenharmony_ci filemod_data->payload); 8098c2ecf20Sopenharmony_ci payload = populate_cgroup_info(&filemod_data->cgroup_data, task, payload); 8108c2ecf20Sopenharmony_ci 8118c2ecf20Sopenharmony_ci size_t len = read_absolute_file_path_from_dentry(filp_dentry, payload); 8128c2ecf20Sopenharmony_ci barrier_var(len); 8138c2ecf20Sopenharmony_ci if (len <= MAX_FILEPATH_LENGTH) { 8148c2ecf20Sopenharmony_ci barrier_var(len); 8158c2ecf20Sopenharmony_ci payload += len; 8168c2ecf20Sopenharmony_ci filemod_data->dst_filepath_length = len; 8178c2ecf20Sopenharmony_ci } 8188c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &filemod_data->meta); 8198c2ecf20Sopenharmony_ci unsigned long data_len = payload - (void*)filemod_data; 8208c2ecf20Sopenharmony_ci data_len = data_len > sizeof(*filemod_data) ? sizeof(*filemod_data) : data_len; 8218c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, filemod_data, data_len); 8228c2ecf20Sopenharmony_ciout: 8238c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 8248c2ecf20Sopenharmony_ci return 0; 8258c2ecf20Sopenharmony_ci} 8268c2ecf20Sopenharmony_ci 8278c2ecf20Sopenharmony_ciSEC("kprobe/vfs_link") 8288c2ecf20Sopenharmony_ciint BPF_KPROBE(kprobe__vfs_link, 8298c2ecf20Sopenharmony_ci struct dentry* old_dentry, struct inode* dir, 8308c2ecf20Sopenharmony_ci struct dentry* new_dentry, struct inode** delegated_inode) 8318c2ecf20Sopenharmony_ci{ 8328c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 8338c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_vfs_link); 8348c2ecf20Sopenharmony_ci 8358c2ecf20Sopenharmony_ci u32 src_device_id = 0; 8368c2ecf20Sopenharmony_ci u64 src_file_ino = 0; 8378c2ecf20Sopenharmony_ci u32 dst_device_id = 0; 8388c2ecf20Sopenharmony_ci u64 dst_file_ino = 0; 8398c2ecf20Sopenharmony_ci if (!is_dentry_allowed_for_filemod(old_dentry, &src_device_id, &src_file_ino) && 8408c2ecf20Sopenharmony_ci !is_dentry_allowed_for_filemod(new_dentry, &dst_device_id, &dst_file_ino)) 8418c2ecf20Sopenharmony_ci goto out; 8428c2ecf20Sopenharmony_ci 8438c2ecf20Sopenharmony_ci int zero = 0; 8448c2ecf20Sopenharmony_ci struct var_filemod_data_t* filemod_data = bpf_map_lookup_elem(&data_heap, &zero); 8458c2ecf20Sopenharmony_ci if (!filemod_data) 8468c2ecf20Sopenharmony_ci goto out; 8478c2ecf20Sopenharmony_ci 8488c2ecf20Sopenharmony_ci u32 pid = get_userspace_pid(); 8498c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 8508c2ecf20Sopenharmony_ci 8518c2ecf20Sopenharmony_ci filemod_data->meta.type = FILEMOD_EVENT; 8528c2ecf20Sopenharmony_ci filemod_data->fmod_type = FMOD_LINK; 8538c2ecf20Sopenharmony_ci filemod_data->dst_flags = 0; 8548c2ecf20Sopenharmony_ci filemod_data->src_inode = src_file_ino; 8558c2ecf20Sopenharmony_ci filemod_data->dst_inode = dst_file_ino; 8568c2ecf20Sopenharmony_ci filemod_data->src_device_id = src_device_id; 8578c2ecf20Sopenharmony_ci filemod_data->dst_device_id = dst_device_id; 8588c2ecf20Sopenharmony_ci filemod_data->src_filepath_length = 0; 8598c2ecf20Sopenharmony_ci filemod_data->dst_filepath_length = 0; 8608c2ecf20Sopenharmony_ci 8618c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&filemod_data->meta, task, pid, 8628c2ecf20Sopenharmony_ci filemod_data->payload); 8638c2ecf20Sopenharmony_ci payload = populate_cgroup_info(&filemod_data->cgroup_data, task, payload); 8648c2ecf20Sopenharmony_ci 8658c2ecf20Sopenharmony_ci size_t len = read_absolute_file_path_from_dentry(old_dentry, payload); 8668c2ecf20Sopenharmony_ci barrier_var(len); 8678c2ecf20Sopenharmony_ci if (len <= MAX_FILEPATH_LENGTH) { 8688c2ecf20Sopenharmony_ci barrier_var(len); 8698c2ecf20Sopenharmony_ci payload += len; 8708c2ecf20Sopenharmony_ci filemod_data->src_filepath_length = len; 8718c2ecf20Sopenharmony_ci } 8728c2ecf20Sopenharmony_ci 8738c2ecf20Sopenharmony_ci len = read_absolute_file_path_from_dentry(new_dentry, payload); 8748c2ecf20Sopenharmony_ci barrier_var(len); 8758c2ecf20Sopenharmony_ci if (len <= MAX_FILEPATH_LENGTH) { 8768c2ecf20Sopenharmony_ci barrier_var(len); 8778c2ecf20Sopenharmony_ci payload += len; 8788c2ecf20Sopenharmony_ci filemod_data->dst_filepath_length = len; 8798c2ecf20Sopenharmony_ci } 8808c2ecf20Sopenharmony_ci 8818c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &filemod_data->meta); 8828c2ecf20Sopenharmony_ci unsigned long data_len = payload - (void*)filemod_data; 8838c2ecf20Sopenharmony_ci data_len = data_len > sizeof(*filemod_data) ? sizeof(*filemod_data) : data_len; 8848c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, filemod_data, data_len); 8858c2ecf20Sopenharmony_ciout: 8868c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 8878c2ecf20Sopenharmony_ci return 0; 8888c2ecf20Sopenharmony_ci} 8898c2ecf20Sopenharmony_ci 8908c2ecf20Sopenharmony_ciSEC("kprobe/vfs_symlink") 8918c2ecf20Sopenharmony_ciint BPF_KPROBE(kprobe__vfs_symlink, struct inode* dir, struct dentry* dentry, 8928c2ecf20Sopenharmony_ci const char* oldname) 8938c2ecf20Sopenharmony_ci{ 8948c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 8958c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_vfs_symlink); 8968c2ecf20Sopenharmony_ci 8978c2ecf20Sopenharmony_ci u32 dst_device_id = 0; 8988c2ecf20Sopenharmony_ci u64 dst_file_ino = 0; 8998c2ecf20Sopenharmony_ci if (!is_dentry_allowed_for_filemod(dentry, &dst_device_id, &dst_file_ino)) 9008c2ecf20Sopenharmony_ci goto out; 9018c2ecf20Sopenharmony_ci 9028c2ecf20Sopenharmony_ci int zero = 0; 9038c2ecf20Sopenharmony_ci struct var_filemod_data_t* filemod_data = bpf_map_lookup_elem(&data_heap, &zero); 9048c2ecf20Sopenharmony_ci if (!filemod_data) 9058c2ecf20Sopenharmony_ci goto out; 9068c2ecf20Sopenharmony_ci 9078c2ecf20Sopenharmony_ci u32 pid = get_userspace_pid(); 9088c2ecf20Sopenharmony_ci struct task_struct* task = (struct task_struct*)bpf_get_current_task(); 9098c2ecf20Sopenharmony_ci 9108c2ecf20Sopenharmony_ci filemod_data->meta.type = FILEMOD_EVENT; 9118c2ecf20Sopenharmony_ci filemod_data->fmod_type = FMOD_SYMLINK; 9128c2ecf20Sopenharmony_ci filemod_data->dst_flags = 0; 9138c2ecf20Sopenharmony_ci filemod_data->src_inode = 0; 9148c2ecf20Sopenharmony_ci filemod_data->dst_inode = dst_file_ino; 9158c2ecf20Sopenharmony_ci filemod_data->src_device_id = 0; 9168c2ecf20Sopenharmony_ci filemod_data->dst_device_id = dst_device_id; 9178c2ecf20Sopenharmony_ci filemod_data->src_filepath_length = 0; 9188c2ecf20Sopenharmony_ci filemod_data->dst_filepath_length = 0; 9198c2ecf20Sopenharmony_ci 9208c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&filemod_data->meta, task, pid, 9218c2ecf20Sopenharmony_ci filemod_data->payload); 9228c2ecf20Sopenharmony_ci payload = populate_cgroup_info(&filemod_data->cgroup_data, task, payload); 9238c2ecf20Sopenharmony_ci 9248c2ecf20Sopenharmony_ci size_t len = bpf_probe_read_str(payload, MAX_FILEPATH_LENGTH, oldname); 9258c2ecf20Sopenharmony_ci barrier_var(len); 9268c2ecf20Sopenharmony_ci if (len <= MAX_FILEPATH_LENGTH) { 9278c2ecf20Sopenharmony_ci barrier_var(len); 9288c2ecf20Sopenharmony_ci payload += len; 9298c2ecf20Sopenharmony_ci filemod_data->src_filepath_length = len; 9308c2ecf20Sopenharmony_ci } 9318c2ecf20Sopenharmony_ci len = read_absolute_file_path_from_dentry(dentry, payload); 9328c2ecf20Sopenharmony_ci barrier_var(len); 9338c2ecf20Sopenharmony_ci if (len <= MAX_FILEPATH_LENGTH) { 9348c2ecf20Sopenharmony_ci barrier_var(len); 9358c2ecf20Sopenharmony_ci payload += len; 9368c2ecf20Sopenharmony_ci filemod_data->dst_filepath_length = len; 9378c2ecf20Sopenharmony_ci } 9388c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &filemod_data->meta); 9398c2ecf20Sopenharmony_ci unsigned long data_len = payload - (void*)filemod_data; 9408c2ecf20Sopenharmony_ci data_len = data_len > sizeof(*filemod_data) ? sizeof(*filemod_data) : data_len; 9418c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, filemod_data, data_len); 9428c2ecf20Sopenharmony_ciout: 9438c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 9448c2ecf20Sopenharmony_ci return 0; 9458c2ecf20Sopenharmony_ci} 9468c2ecf20Sopenharmony_ci 9478c2ecf20Sopenharmony_ciSEC("raw_tracepoint/sched_process_fork") 9488c2ecf20Sopenharmony_ciint raw_tracepoint__sched_process_fork(struct bpf_raw_tracepoint_args* ctx) 9498c2ecf20Sopenharmony_ci{ 9508c2ecf20Sopenharmony_ci struct bpf_func_stats_ctx stats_ctx; 9518c2ecf20Sopenharmony_ci bpf_stats_enter(&stats_ctx, profiler_bpf_sched_process_fork); 9528c2ecf20Sopenharmony_ci 9538c2ecf20Sopenharmony_ci int zero = 0; 9548c2ecf20Sopenharmony_ci struct var_fork_data_t* fork_data = bpf_map_lookup_elem(&data_heap, &zero); 9558c2ecf20Sopenharmony_ci if (!fork_data) 9568c2ecf20Sopenharmony_ci goto out; 9578c2ecf20Sopenharmony_ci 9588c2ecf20Sopenharmony_ci struct task_struct* parent = (struct task_struct*)ctx->args[0]; 9598c2ecf20Sopenharmony_ci struct task_struct* child = (struct task_struct*)ctx->args[1]; 9608c2ecf20Sopenharmony_ci fork_data->meta.type = FORK_EVENT; 9618c2ecf20Sopenharmony_ci 9628c2ecf20Sopenharmony_ci void* payload = populate_var_metadata(&fork_data->meta, child, 9638c2ecf20Sopenharmony_ci BPF_CORE_READ(child, pid), fork_data->payload); 9648c2ecf20Sopenharmony_ci fork_data->parent_pid = BPF_CORE_READ(parent, pid); 9658c2ecf20Sopenharmony_ci fork_data->parent_exec_id = BPF_CORE_READ(parent, self_exec_id); 9668c2ecf20Sopenharmony_ci fork_data->parent_start_time = BPF_CORE_READ(parent, start_time); 9678c2ecf20Sopenharmony_ci bpf_stats_pre_submit_var_perf_event(&stats_ctx, &fork_data->meta); 9688c2ecf20Sopenharmony_ci 9698c2ecf20Sopenharmony_ci unsigned long data_len = payload - (void*)fork_data; 9708c2ecf20Sopenharmony_ci data_len = data_len > sizeof(*fork_data) ? sizeof(*fork_data) : data_len; 9718c2ecf20Sopenharmony_ci bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, fork_data, data_len); 9728c2ecf20Sopenharmony_ciout: 9738c2ecf20Sopenharmony_ci bpf_stats_exit(&stats_ctx); 9748c2ecf20Sopenharmony_ci return 0; 9758c2ecf20Sopenharmony_ci} 9768c2ecf20Sopenharmony_cichar _license[] SEC("license") = "GPL"; 977