#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
#include <bpf/bpf_core_read.h>
#include <linux/uio.h>
//#include <linux/sched.h>
#include "common.h"
/*
 * Ring buffer used to hand events to user space. get_random_user() reserves
 * one record per newly seen pid and submits it here.
 */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    /* For a ring buffer, max_entries is the buffer size in bytes: 256 KiB. */
    __uint(max_entries, 256 * 1024);
} data SEC(".maps");
/*
 * "Already reported" table, indexed directly by pid.
 *
 * A slot holding 0 means the pid has not been reported yet; get_random_user()
 * stores the pid itself in the slot once it has been handled.
 *
 * The entry count is meant to cover every possible pid, see
 * /proc/sys/kernel/pid_max. With __u32 values that is 16 MiB of map storage.
 */
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __uint(max_entries, 4194304);
    __type(key, __u32);
    __type(value, __u32);
} m_pid SEC(".maps");
// https://lwn.net/Articles/605828/
// https://lwn.net/Articles/625077/
// cat /proc/kallsyms | grep get_random_bytes
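/*
 * kprobe on get_random_bytes_user(): report each calling process once.
 *
 * The caller's thread-group id (upper 32 bits of bpf_get_current_pid_tgid())
 * is the key into m_pid. A slot value of 0 means "not reported yet": a
 * struct random carrying the pid is pushed to the `data` ring buffer and the
 * slot is set to the pid, so later calls from the same pid stay silent and
 * user space is not flooded.
 *
 * Always returns 0.
 *
 * NOTE(review): monitoring gaps a consumer of these events should know about:
 *  - nothing visible in this file resets a slot, so a new process that reuses
 *    an already reported pid is not reported again unless user space clears
 *    the entry - confirm against the loader;
 *  - the check and the update are not atomic, so two CPUs may each emit an
 *    event for the same pid;
 *  - pid 0 would store 0 and therefore never be de-duplicated.
 */
SEC("kprobe/get_random_bytes_user")
int get_random_user(){
    struct random *s_random = 0;
    __u32 pid = bpf_get_current_pid_tgid() >> 32;

    __u32 *n_pid = bpf_map_lookup_elem(&m_pid, &pid);
    if (!n_pid)
        return 0;

    /* Non-zero slot: this pid was already reported, nothing to do. */
    if (*n_pid != 0)
        return 0;

    /* TODO: get the procname (earlier sketch went through bpf_get_current_task()) */

    /*
     * Reserve the record BEFORE marking the pid as seen. If the ring buffer
     * is full, the pid stays unmarked and is retried on its next call; marking
     * first would suppress the pid forever without a single event being sent.
     *
     * The size is that of the record itself. Reserving sizeof(struct random *)
     * would hand out only a pointer-sized slot, whatever the record holds.
     */
    s_random = bpf_ringbuf_reserve(&data, sizeof(*s_random), 0);
    if (!s_random)
        return 0;

    if (bpf_map_update_elem(&m_pid, &pid, &pid, BPF_ANY) < 0){
        bpf_printk("Failed to update map");
        /* A reserved record must be submitted or discarded on every path. */
        bpf_ringbuf_discard(s_random, 0);
        return 0;
    }

    /*
     * Reserved ring-buffer memory is not cleared. Zero the record so fields
     * other than pid (struct random is presumably declared in common.h) do
     * not carry stale bytes to user space.
     */
    __builtin_memset(s_random, 0, sizeof(*s_random));
    s_random->pid = pid;
    bpf_ringbuf_submit(s_random, 0);

    return 0;
}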
/*
 * License string placed in the "license" section of the object. The kernel
 * reads it at load time; GPL-only helpers such as the one behind bpf_printk()
 * are refused unless the declared license is GPL-compatible.
 */
char LICENSE[] SEC("license") = "Dual BSD/GPL";