Loading...
// SPDX-License-Identifier: GPL-2.0 #include "vmlinux.h" #include <bpf/bpf_helpers.h> #include <bpf/bpf_tracing.h> #define MAX_PATH_LEN 128 #define MAX_FILES 7 pid_t my_pid = 0; __u32 cnt_stat = 0; __u32 cnt_close = 0; char paths_stat[MAX_FILES][MAX_PATH_LEN] = {}; char paths_close[MAX_FILES][MAX_PATH_LEN] = {}; int rets_stat[MAX_FILES] = {}; int rets_close[MAX_FILES] = {}; int called_stat = 0; int called_close = 0; SEC("fentry/security_inode_getattr") int BPF_PROG(prog_stat, struct path *path, struct kstat *stat, __u32 request_mask, unsigned int query_flags) { pid_t pid = bpf_get_current_pid_tgid() >> 32; __u32 cnt = cnt_stat; int ret; called_stat = 1; if (pid != my_pid) return 0; if (cnt >= MAX_FILES) return 0; ret = bpf_d_path(path, paths_stat[cnt], MAX_PATH_LEN); rets_stat[cnt] = ret; cnt_stat++; return 0; } SEC("fentry/filp_close") int BPF_PROG(prog_close, struct file *file, void *id) { pid_t pid = bpf_get_current_pid_tgid() >> 32; __u32 cnt = cnt_close; int ret; called_close = 1; if (pid != my_pid) return 0; if (cnt >= MAX_FILES) return 0; ret = bpf_d_path(&file->f_path, paths_close[cnt], MAX_PATH_LEN); rets_close[cnt] = ret; cnt_close++; return 0; } char _license[] SEC("license") = "GPL"; |