1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0 2*4882a593Smuzhiyun /* 3*4882a593Smuzhiyun * Augment the filename syscalls with the contents of the filename pointer argument 4*4882a593Smuzhiyun * filtering only those that do not start with /etc/. 5*4882a593Smuzhiyun * 6*4882a593Smuzhiyun * Test it with: 7*4882a593Smuzhiyun * 8*4882a593Smuzhiyun * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null 9*4882a593Smuzhiyun * 10*4882a593Smuzhiyun * It'll catch some openat syscalls related to the dynamic linked and 11*4882a593Smuzhiyun * the last one should be the one for '/etc/passwd'. 12*4882a593Smuzhiyun * 13*4882a593Smuzhiyun * This matches what is marshalled into the raw_syscall:sys_enter payload 14*4882a593Smuzhiyun * expected by the 'perf trace' beautifiers, and can be used by them unmodified, 15*4882a593Smuzhiyun * which will be done as that feature is implemented in the next csets, for now 16*4882a593Smuzhiyun * it will appear in a dump done by the default tracepoint handler in 'perf trace', 17*4882a593Smuzhiyun * that uses bpf_output__fprintf() to just dump those contents, as done with 18*4882a593Smuzhiyun * the bpf-output event associated with the __bpf_output__ map declared in 19*4882a593Smuzhiyun * tools/perf/include/bpf/stdio.h. 20*4882a593Smuzhiyun */ 21*4882a593Smuzhiyun 22*4882a593Smuzhiyun #include <stdio.h> 23*4882a593Smuzhiyun 24*4882a593Smuzhiyun /* bpf-output associated map */ 25*4882a593Smuzhiyun bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__); 26*4882a593Smuzhiyun 27*4882a593Smuzhiyun struct augmented_filename { 28*4882a593Smuzhiyun int size; 29*4882a593Smuzhiyun int reserved; 30*4882a593Smuzhiyun char value[64]; 31*4882a593Smuzhiyun }; 32*4882a593Smuzhiyun 33*4882a593Smuzhiyun #define augmented_filename_syscall_enter(syscall) \ 34*4882a593Smuzhiyun struct augmented_enter_##syscall##_args { \ 35*4882a593Smuzhiyun struct syscall_enter_##syscall##_args args; \ 36*4882a593Smuzhiyun struct augmented_filename filename; \ 37*4882a593Smuzhiyun }; \ 38*4882a593Smuzhiyun int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \ 39*4882a593Smuzhiyun { \ 40*4882a593Smuzhiyun char etc[6] = "/etc/"; \ 41*4882a593Smuzhiyun struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; \ 42*4882a593Smuzhiyun probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \ 43*4882a593Smuzhiyun augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, \ 44*4882a593Smuzhiyun sizeof(augmented_args.filename.value), \ 45*4882a593Smuzhiyun args->filename_ptr); \ 46*4882a593Smuzhiyun if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0) \ 47*4882a593Smuzhiyun return 0; \ 48*4882a593Smuzhiyun /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \ 49*4882a593Smuzhiyun return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \ 50*4882a593Smuzhiyun &augmented_args, \ 51*4882a593Smuzhiyun (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \ 52*4882a593Smuzhiyun augmented_args.filename.size)); \ 53*4882a593Smuzhiyun } 54*4882a593Smuzhiyun 55*4882a593Smuzhiyun struct syscall_enter_openat_args { 56*4882a593Smuzhiyun unsigned long long common_tp_fields; 57*4882a593Smuzhiyun long syscall_nr; 58*4882a593Smuzhiyun long dfd; 59*4882a593Smuzhiyun char *filename_ptr; 60*4882a593Smuzhiyun long flags; 61*4882a593Smuzhiyun long mode; 62*4882a593Smuzhiyun }; 63*4882a593Smuzhiyun 64*4882a593Smuzhiyun augmented_filename_syscall_enter(openat); 65*4882a593Smuzhiyun 66*4882a593Smuzhiyun struct syscall_enter_open_args { 67*4882a593Smuzhiyun unsigned long long common_tp_fields; 68*4882a593Smuzhiyun long syscall_nr; 69*4882a593Smuzhiyun char *filename_ptr; 70*4882a593Smuzhiyun long flags; 71*4882a593Smuzhiyun long mode; 72*4882a593Smuzhiyun }; 73*4882a593Smuzhiyun 74*4882a593Smuzhiyun augmented_filename_syscall_enter(open); 75*4882a593Smuzhiyun 76*4882a593Smuzhiyun license(GPL); 77