├── .gitignore ├── .gitmodules ├── LICENSE ├── README.md ├── src ├── Makefile ├── bpf_dump_helpers.h ├── bpf_dump_structs.h ├── events.h ├── logger.c ├── logger.h ├── lsmtrace.bpf.c ├── lsmtrace.c ├── statedump.c ├── statedump.h ├── syscall_helpers.c ├── syscall_helpers.h └── vmlinux.h └── tools ├── bpftool └── gen_vmlinux_h.sh /.gitignore: -------------------------------------------------------------------------------- 1 | .cache 2 | .output 3 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "libbpf"] 2 | path = libbpf 3 | url = https://github.com/libbpf/libbpf.git 4 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "[]" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright [yyyy] [name of copyright owner] 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # lsmtrace 2 | 3 | Trace all Linux Security Modules hooks touched by executable. 4 | Have a look at my **[blog post](https://lumontec.com/1-building-a-security-tracing)** to find out more. 5 | 6 | ## Requirements 7 | 8 | Your kernel must have been compiled with the follwing options: 9 | * BPF_SYSCALL 10 | * BPF_LSM 11 | * DEBUG_INFO 12 | * DEBUG_INFO_BTF 13 | 14 | ## Compilation 15 | 16 | ```shell 17 | $ git submodule update --init --recursive # check out libbpf 18 | $ cd src 19 | $ make 20 | ``` 21 | 22 | ## Run 23 | 24 | ```shell 25 | $ sudo ./lsmtrace /usr/bin/ls -a /home 26 | 27 | Attaching hooks, don`t rush.. 28 | 29 | -> HOOK_CALL: -> cred_getsecid( const struct cred *c, u32 *secid ) 30 | -> HOOK_CALL: -> file_permission( struct file *file, int mask ) 31 | file,f_mode = 32797 32 | file,f_path.dentry,d_flags = 64 33 | file,f_path.dentry,d_name.name = ls 34 | file,f_path.dentry,d_inode,i_ino = 3670696 35 | ... 36 | ``` 37 | 38 | 39 | -------------------------------------------------------------------------------- /src/Makefile: -------------------------------------------------------------------------------- 1 | # SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) 2 | OUTPUT := .output 3 | CLANG = clang-12 4 | LLVM_STRIP ?= llvm-strip 5 | BPFTOOL ?= $(abspath ../tools/bpftool) 6 | LIBBPF_SRC := $(abspath ../libbpf/src) 7 | LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a) 8 | INCLUDES := -I$(OUTPUT) 9 | CFLAGS := -g -Wall 10 | ARCH := $(shell uname -m | sed 's/x86_64/x86/') 11 | DIRT := compile_commands.json 12 | 13 | APPS = lsmtrace 14 | LIBS = statedump 15 | 16 | # Get Clang's default includes on this system. We'll explicitly add these dirs 17 | # to the includes list when compiling with `-target bpf` because otherwise some 18 | # architecture-specific dirs will be "missing" on some architectures/distros - 19 | # headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h, 20 | # sys/cdefs.h etc. might be missing. 21 | # 22 | # Use '-idirafter': Don't interfere with include mechanics except where the 23 | # build would have failed anyways. 24 | CLANG_BPF_SYS_INCLUDES = $(shell $(CLANG) -v -E - &1 \ 25 | | sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }') 26 | 27 | ifeq ($(V),1) 28 | Q = 29 | msg = 30 | else 31 | Q = @ 32 | msg = @printf ' %-8s %s%s\n' \ 33 | "$(1)" \ 34 | "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))" \ 35 | "$(if $(3), $(3))"; 36 | MAKEFLAGS += --no-print-directory 37 | endif 38 | 39 | .PHONY: all 40 | all: $(APPS) 41 | 42 | .PHONY: clean 43 | clean: 44 | $(call msg,CLEAN) 45 | $(Q)rm -rf $(OUTPUT) $(APPS) $(DIRT) 46 | 47 | $(OUTPUT) $(OUTPUT)/libbpf: 48 | $(call msg,MKDIR,$@) 49 | $(Q)mkdir -p $@ 50 | 51 | # Build libbpf 52 | $(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf 53 | $(call msg,LIB,$@) 54 | $(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1 \ 55 | OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@) \ 56 | INCLUDEDIR= LIBDIR= UAPIDIR= \ 57 | install 58 | 59 | # Build BPF code 60 | $(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) vmlinux.h | $(OUTPUT) 61 | $(call msg,BPF,$@) 62 | $(Q)$(CLANG) \ 63 | -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) -c $(filter %.c,$^) -o $@ 64 | $(Q)$(LLVM_STRIP) -g $@ # strip useless DWARF info 65 | 66 | # Generate BPF skeletons 67 | $(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) 68 | $(call msg,GEN-SKEL,$@) 69 | $(Q)$(BPFTOOL) gen skeleton $< > $@ 70 | 71 | # Build user-space code 72 | $(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h 73 | 74 | # Build logger obj 75 | $(OUTPUT)/logger.o: logger.c logger.h | $(OUTPUT) 76 | $(call msg,CC,$@) 77 | $(Q)$(CLANG) $(CFLAGS) -Wno-unknown-attributes -fPIE -c $(filter %.c,$^) -o $@ 78 | 79 | # Build statedump obj 80 | $(OUTPUT)/syscall_helpers.o: syscall_helpers.c syscall_helpers.h | $(OUTPUT) 81 | $(call msg,CC,$@) 82 | $(Q)$(CLANG) $(CFLAGS) -Wno-unknown-attributes -fPIE -c $(filter %.c,$^) -o $@ 83 | 84 | # Build statedump obj 85 | $(OUTPUT)/statedump.o: statedump.c statedump.h | $(OUTPUT) 86 | $(call msg,CC,$@) 87 | $(Q)$(CLANG) $(CFLAGS) -Wno-unknown-attributes -fPIE -c $(filter %.c,$^) -o $@ 88 | # $(Q)$(CC) $(CFLAGS) -c $(filter %.c,$^) -o $@ 89 | 90 | # Build lsmtrace obj 91 | $(OUTPUT)/lsmtrace.o: lsmtrace.c | $(OUTPUT) 92 | $(call msg,CC,$@) 93 | $(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@ 94 | 95 | # Build application binary 96 | $(APPS): %: $(OUTPUT)/logger.o $(OUTPUT)/syscall_helpers.o $(OUTPUT)/statedump.o $(OUTPUT)/lsmtrace.o $(LIBBPF_OBJ) | $(OUTPUT) 97 | $(call msg,BINARY,$@) 98 | $(Q)$(CC) $(CFLAGS) $^ -lelf -lz -o $@ 99 | 100 | 101 | 102 | # delete failed targets 103 | .DELETE_ON_ERROR: 104 | 105 | # keep intermediate (.skel.h, .bpf.o, etc) targets 106 | .SECONDARY: 107 | 108 | -------------------------------------------------------------------------------- /src/bpf_dump_helpers.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | 17 | #ifndef __BPF_HELPERS_H 18 | #define __BPF_HELPERS_H 19 | 20 | 21 | #include "vmlinux.h" 22 | #include 23 | #include 24 | #include 25 | #include "events.h" 26 | 27 | #define FILTER_CATHEGORY_INT(CATH) \ 28 | if (CATH != cathegory && cathegory != ALL_CATH) \ 29 | return 0; 30 | 31 | #define FILTER_CATHEGORY_VOID(CATH) \ 32 | if (CATH != cathegory && cathegory != ALL_CATH) \ 33 | return ; 34 | 35 | 36 | #define FILTER_OWN_PID_INT() \ 37 | int pid = bpf_get_current_pid_tgid() >> 32; \ 38 | if (pid != my_pid) \ 39 | return 0; 40 | 41 | #define FILTER_OWN_PID_VOID() \ 42 | int pid = bpf_get_current_pid_tgid() >> 32; \ 43 | if (pid != my_pid) \ 44 | return; 45 | 46 | 47 | /* Maps declaration */ 48 | struct { 49 | __uint(type, BPF_MAP_TYPE_RINGBUF); 50 | __uint(max_entries, 1 << 24); 51 | } ringbuf SEC(".maps"); 52 | 53 | 54 | /* Globals */ 55 | 56 | long ringbuffer_flags = 0; 57 | int my_pid = 0; 58 | const volatile enum { 59 | ALL_CATH = 0, 60 | PROG_EXEC_CATH = 1, 61 | MOUNT_FS_CATH = 2, 62 | FILE_CATH = 10, 63 | INODE_CATH = 20 64 | } cathegory; 65 | 66 | 67 | char struct_dump_label[MAX_MSG_SIZE] = "STRUCT_DUMP"; 68 | 69 | 70 | /* Dirty macro hacks to work around libbpf lack of string locals */ 71 | 72 | #define DUMP_FUNC(FNAME, ...) { \ 73 | const char func_call_name[] = #FNAME; \ 74 | const char func_call_args[] = #__VA_ARGS__; \ 75 | dump_func(func_call_name, func_call_args); \ 76 | } 77 | 78 | #define DUMP_MEMBER_SUINT(...) { \ 79 | const char dump_member_name[] = #__VA_ARGS__; \ 80 | short unsigned int mptr = BPF_CORE_READ(__VA_ARGS__); \ 81 | dump_suint_member(dump_member_name, mptr); \ 82 | } 83 | 84 | #define DUMP_MEMBER_UINT(...) { \ 85 | const char dump_member_name[] = #__VA_ARGS__; \ 86 | unsigned int mptr = BPF_CORE_READ(__VA_ARGS__); \ 87 | dump_uint_member(dump_member_name, mptr); \ 88 | } 89 | 90 | #define DUMP_MEMBER_LUINT(...) { \ 91 | const char dump_member_name[] = #__VA_ARGS__; \ 92 | long unsigned int mptr = BPF_CORE_READ(__VA_ARGS__); \ 93 | dump_luint_member(dump_member_name, mptr); \ 94 | } 95 | 96 | #define DUMP_MEMBER_LINT(...) { \ 97 | const char dump_member_name[] = #__VA_ARGS__; \ 98 | long int mptr = BPF_CORE_READ(__VA_ARGS__); \ 99 | dump_lint_member(dump_member_name, mptr); \ 100 | } 101 | 102 | #define DUMP_MEMBER_LLINT(...) { \ 103 | const char dump_member_name[] = #__VA_ARGS__; \ 104 | long long int mptr = BPF_CORE_READ(__VA_ARGS__); \ 105 | dump_llint_member(dump_member_name, mptr); \ 106 | } 107 | 108 | #define DUMP_MEMBER_USTR(...) { \ 109 | const char dump_member_name[] = #__VA_ARGS__; \ 110 | const unsigned char *mptr = BPF_CORE_READ(__VA_ARGS__); \ 111 | dump_ustr_member(dump_member_name, mptr); \ 112 | } 113 | 114 | #define DUMP_MEMBER_STR(...) { \ 115 | const char dump_member_name[] = #__VA_ARGS__; \ 116 | const char *mptr = BPF_CORE_READ(__VA_ARGS__); \ 117 | dump_str_member(dump_member_name, mptr); \ 118 | } 119 | 120 | 121 | 122 | static int dump_func(const char *fname, const char *fargs) { 123 | 124 | struct func_call_Event *evt; 125 | char func_call_label[] = "HOOK_CALL"; 126 | 127 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 128 | 129 | if (!evt) 130 | return -1; 131 | 132 | evt->super.etype = FUNCTION_CALL; 133 | 134 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), func_call_label); 135 | bpf_probe_read_str(evt->name, sizeof(evt->name), fname); 136 | bpf_probe_read_str(evt->args, sizeof(evt->args), fargs); 137 | 138 | bpf_ringbuf_submit(evt, ringbuffer_flags); 139 | 140 | return 0; 141 | } 142 | 143 | static int dump_suint_member(const char *mname, short unsigned int mptr) { 144 | 145 | struct suint_member_Event *evt; 146 | char suint_member_label[] = "MEMBER_DUMP"; 147 | 148 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 149 | 150 | if (!evt) 151 | return -1; 152 | 153 | evt->super.etype = MEMBER_SUINT; 154 | 155 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), suint_member_label); 156 | evt->member = mptr; 157 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 158 | bpf_ringbuf_submit(evt, ringbuffer_flags); 159 | 160 | return 0; 161 | } 162 | 163 | static int dump_uint_member(const char *mname, unsigned int mptr) { 164 | 165 | struct uint_member_Event *evt; 166 | char uint_member_label[] = "MEMBER_DUMP"; 167 | 168 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 169 | 170 | if (!evt) 171 | return -1; 172 | 173 | evt->super.etype = MEMBER_UINT; 174 | 175 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), uint_member_label); 176 | evt->member = mptr; 177 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 178 | bpf_ringbuf_submit(evt, ringbuffer_flags); 179 | 180 | return 0; 181 | } 182 | 183 | static int dump_luint_member(const char *mname, long unsigned int mptr) { 184 | 185 | struct luint_member_Event *evt; 186 | char luint_member_label[] = "MEMBER_DUMP"; 187 | 188 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 189 | 190 | if (!evt) 191 | return -1; 192 | 193 | evt->super.etype = MEMBER_LUINT; 194 | 195 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), luint_member_label); 196 | evt->member = mptr; 197 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 198 | bpf_ringbuf_submit(evt, ringbuffer_flags); 199 | 200 | return 0; 201 | } 202 | 203 | static long dump_lint_member(const char *mname, unsigned int mptr) { 204 | 205 | struct lint_member_Event *evt; 206 | char lint_member_label[] = "MEMBER_DUMP"; 207 | 208 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 209 | 210 | if (!evt) 211 | return -1; 212 | 213 | evt->super.etype = MEMBER_LINT; 214 | 215 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), lint_member_label); 216 | evt->member = mptr; 217 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 218 | bpf_ringbuf_submit(evt, ringbuffer_flags); 219 | 220 | return 0; 221 | } 222 | 223 | static long dump_llint_member(const char *mname, unsigned int mptr) { 224 | 225 | struct llint_member_Event *evt; 226 | char llint_member_label[] = "MEMBER_DUMP"; 227 | 228 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 229 | 230 | if (!evt) 231 | return -1; 232 | 233 | evt->super.etype = MEMBER_LLINT; 234 | 235 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), llint_member_label); 236 | evt->member = mptr; 237 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 238 | bpf_ringbuf_submit(evt, ringbuffer_flags); 239 | 240 | return 0; 241 | } 242 | 243 | 244 | 245 | 246 | 247 | static int dump_str_member(const char *mname, const char *mptr) { 248 | 249 | struct str_member_Event *evt; 250 | char uint_member_label[] = "MEMBER_DUMP"; 251 | 252 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 253 | 254 | if (!evt) 255 | return -1; 256 | 257 | evt->super.etype = MEMBER_STR; 258 | 259 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), uint_member_label); 260 | bpf_probe_read_str(evt->member, sizeof(evt->member), mptr); 261 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 262 | bpf_ringbuf_submit(evt, ringbuffer_flags); 263 | 264 | return 0; 265 | } 266 | 267 | 268 | static int dump_ustr_member(const char *mname, const unsigned char *mptr) { 269 | 270 | struct str_member_Event *evt; 271 | char uint_member_label[] = "MEMBER_DUMP"; 272 | 273 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 274 | 275 | if (!evt) 276 | return -1; 277 | 278 | evt->super.etype = MEMBER_STR; 279 | 280 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), uint_member_label); 281 | bpf_probe_read_str(evt->member, sizeof(evt->member), mptr); 282 | bpf_probe_read_str(evt->msg, sizeof(evt->msg), mname); 283 | bpf_ringbuf_submit(evt, ringbuffer_flags); 284 | 285 | return 0; 286 | } 287 | 288 | #endif /* _BPF_HELPERS_H */ 289 | -------------------------------------------------------------------------------- /src/bpf_dump_structs.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #ifndef __BPF_STRUCT_HELPERS_H 16 | #define __BPF_STRUCT_HELPERS_H 17 | 18 | #include "vmlinux.h" 19 | #include "bpf_dump_helpers.h" 20 | 21 | /* linux_binprm */ 22 | #define DUMP_LINUX_BINPRM_STRUCT(...) { \ 23 | DUMP_FILE_STRUCT(__VA_ARGS__,executable) \ 24 | DUMP_FILE_STRUCT(__VA_ARGS__,interpreter) \ 25 | DUMP_FILE_STRUCT(__VA_ARGS__,file) \ 26 | DUMP_MEMBER_STR (__VA_ARGS__,filename) \ 27 | DUMP_MEMBER_STR (__VA_ARGS__,interp) \ 28 | DUMP_MEMBER_STR (__VA_ARGS__,fdpath) \ 29 | DUMP_MEMBER_UINT(__VA_ARGS__,interp_flags) \ 30 | } 31 | 32 | /* file */ 33 | #define DUMP_FILE_STRUCT(...) { \ 34 | /* DUMP_MEMBER_LLINT(__VA_ARGS__,f_pos) */ \ 35 | DUMP_MEMBER_UINT(__VA_ARGS__,f_mode) \ 36 | DUMP_DENTRY_STRUCT(__VA_ARGS__,f_path.dentry) \ 37 | } 38 | 39 | /* dentry */ 40 | #define DUMP_DENTRY_STRUCT(...) { \ 41 | DUMP_MEMBER_UINT(__VA_ARGS__,d_flags) \ 42 | DUMP_MEMBER_USTR (__VA_ARGS__,d_name.name) \ 43 | DUMP_INODE_STRUCT (__VA_ARGS__,d_inode) \ 44 | } \ 45 | \ 46 | 47 | /* inode */ 48 | #define DUMP_INODE_STRUCT(...) { \ 49 | DUMP_MEMBER_LUINT(__VA_ARGS__,i_ino) \ 50 | DUMP_MEMBER_SUINT(__VA_ARGS__,i_mode) \ 51 | DUMP_MEMBER_UINT(__VA_ARGS__,i_flags) \ 52 | DUMP_MEMBER_LLINT(__VA_ARGS__,i_size) \ 53 | DUMP_MEMBER_UINT(__VA_ARGS__,i_uid.val) \ 54 | DUMP_MEMBER_UINT(__VA_ARGS__,i_gid.val) \ 55 | /* DUMP_MEMBER_UINT(__VA_ARGS__,i_nlink) */ \ 56 | /* DUMP_MEMBER_LLINT(__VA_ARGS__,i_atime.tv_sec) \ 57 | DUMP_MEMBER_LLINT(__VA_ARGS__,i_mtime.tv_sec) \ 58 | DUMP_MEMBER_LLINT(__VA_ARGS__,i_ctime.tv_sec) */ \ 59 | } \ 60 | 61 | 62 | 63 | #endif /* __BPF_STRUCT_HELPERS_H */ 64 | 65 | -------------------------------------------------------------------------------- /src/events.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #ifndef __EVENTS_H 16 | #define __EVENTS_H 17 | 18 | #include "vmlinux.h" 19 | 20 | #define MAX_LABEL_SIZE 100 21 | #define MAX_MSG_SIZE 200 22 | #define MAX_STR_SIZE 200 23 | 24 | enum Event_type { 25 | 26 | FUNCTION_CALL = 0, 27 | 28 | SYS_CALL_ENTER = 5, 29 | SYS_CALL_EXIT = 6, 30 | 31 | MEMBER_SUINT = 9, 32 | MEMBER_UINT = 10, 33 | MEMBER_LUINT = 11, 34 | MEMBER_LINT = 12, 35 | MEMBER_LLINT = 13, 36 | MEMBER_STR = 15, 37 | 38 | STRUCT_FILE = 100, 39 | STRUCT_DENTRY = 101, 40 | STRUCT_QSTR = 102, 41 | }; 42 | 43 | /* Generic event interface */ 44 | 45 | typedef struct Event { 46 | enum Event_type etype; 47 | char label[MAX_LABEL_SIZE]; 48 | } Event; 49 | 50 | 51 | /* Syscall Events */ 52 | 53 | typedef struct sys_enter_Event { 54 | Event super; 55 | long int id; 56 | } sys_enter_Event; 57 | 58 | typedef struct sys_exit_Event { 59 | Event super; 60 | long int id; 61 | long int ret; 62 | } sys_exit_Event; 63 | 64 | 65 | /* Function call events */ 66 | 67 | typedef struct func_call_Event { 68 | Event super; 69 | char name[MAX_MSG_SIZE]; 70 | char args[MAX_MSG_SIZE]; 71 | } func_call_Event; 72 | 73 | 74 | /* Struct member dump events */ 75 | 76 | 77 | typedef struct suint_member_Event { 78 | Event super; 79 | short unsigned int member; 80 | char msg[MAX_MSG_SIZE]; 81 | } suint_member_Event; 82 | 83 | typedef struct uint_member_Event { 84 | Event super; 85 | unsigned int member; 86 | char msg[MAX_MSG_SIZE]; 87 | } uint_member_Event; 88 | 89 | typedef struct luint_member_Event { 90 | Event super; 91 | long unsigned int member; 92 | char msg[MAX_MSG_SIZE]; 93 | } luint_member_Event; 94 | 95 | typedef struct lint_member_Event { 96 | Event super; 97 | long int member; 98 | char msg[MAX_MSG_SIZE]; 99 | } lint_member_Event; 100 | 101 | typedef struct llint_member_Event { 102 | Event super; 103 | long long int member; 104 | char msg[MAX_MSG_SIZE]; 105 | } llint_member_Event; 106 | 107 | typedef struct str_member_Event { 108 | Event super; 109 | char member[MAX_STR_SIZE]; 110 | char msg[MAX_MSG_SIZE]; 111 | } str_member_Event; 112 | 113 | 114 | /* Struct dump events */ 115 | 116 | typedef struct file_struct_Event { 117 | Event super; 118 | struct file file; 119 | char msg[MAX_MSG_SIZE]; 120 | } file_struct_Event; 121 | 122 | typedef struct dentry_struct_Event { 123 | Event super; 124 | struct dentry dentry; 125 | char msg[MAX_MSG_SIZE]; 126 | } dentry_struct_Event; 127 | 128 | typedef struct qstr_struct_Event { 129 | Event super; 130 | struct qstr qstr; 131 | char msg[MAX_MSG_SIZE]; 132 | } qstr_struct_Event; 133 | 134 | 135 | #endif /* __EVENTS_H */ 136 | -------------------------------------------------------------------------------- /src/logger.c: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | 16 | #include "logger.h" 17 | #include 18 | 19 | bool verbose = false; 20 | 21 | void setLoggerVerbose(bool setting) { 22 | verbose = setting; 23 | } 24 | 25 | /* logging */ 26 | int log_info(const char *fmt, ...) { 27 | va_list args; 28 | va_start(args, fmt); 29 | int ret = vfprintf(stdout, fmt, args); 30 | va_end(args); 31 | 32 | return ret; 33 | } 34 | 35 | int log_err(const char *fmt, ...) { 36 | va_list args; 37 | va_start(args, fmt); 38 | int ret = vfprintf(stderr, fmt, args); 39 | va_end(args); 40 | 41 | return ret; 42 | } 43 | 44 | int log_verb(const char* fmt, ...) { 45 | if (!verbose) 46 | return 0; 47 | va_list args; 48 | va_start(args, fmt); 49 | int ret = vfprintf(stdout, fmt, args); 50 | va_end(args); 51 | 52 | return ret; 53 | } 54 | 55 | 56 | -------------------------------------------------------------------------------- /src/logger.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #ifndef __LOG_H 16 | #define __LOG_H 17 | 18 | #include 19 | #include 20 | 21 | int log_info(const char *fmt, ...); 22 | int log_verb(const char *fmt, ...); 23 | int log_err(const char *fmt, ...); 24 | 25 | void setLoggerVerbose(bool); 26 | 27 | #endif /* __LOG_H */ 28 | -------------------------------------------------------------------------------- /src/lsmtrace.bpf.c: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "vmlinux.h" 16 | #include 17 | #include 18 | #include 19 | #include "bpf_dump_helpers.h" 20 | #include "bpf_dump_structs.h" 21 | #include "events.h" 22 | 23 | // Dump syscalls 24 | 25 | SEC("tracepoint/raw_syscalls/sys_enter") 26 | int sys_enter(struct trace_event_raw_sys_enter *args) 27 | { 28 | FILTER_OWN_PID_INT() 29 | 30 | struct sys_enter_Event *evt; 31 | char sys_enter_label[] = "SYS_CALL_ENTER"; 32 | 33 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 34 | 35 | if (!evt) 36 | return -1; 37 | 38 | evt->super.etype = SYS_CALL_ENTER; 39 | 40 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), sys_enter_label); 41 | evt->id = BPF_CORE_READ(args, id); 42 | 43 | bpf_ringbuf_submit(evt, ringbuffer_flags); 44 | 45 | return 0; 46 | } 47 | 48 | SEC("tracepoint/raw_syscalls/sys_exit") 49 | int sys_exit(struct trace_event_raw_sys_exit *args) 50 | { 51 | FILTER_OWN_PID_INT() 52 | 53 | struct sys_exit_Event *evt; 54 | char sys_exit_label[] = "SYS_CALL_EXIT"; 55 | 56 | evt = bpf_ringbuf_reserve(&ringbuf, sizeof(*evt), ringbuffer_flags); 57 | 58 | if (!evt) 59 | return -1; 60 | 61 | evt->super.etype = SYS_CALL_EXIT; 62 | 63 | bpf_probe_read_str(evt->super.label, sizeof(evt->super.label), sys_exit_label); 64 | evt->id = BPF_CORE_READ(args, id); 65 | evt->ret = BPF_CORE_READ(args, ret); 66 | 67 | bpf_ringbuf_submit(evt, ringbuffer_flags); 68 | 69 | return 0; 70 | } 71 | 72 | 73 | 74 | /********************************************************/ 75 | /* Lsm hooks */ 76 | /********************************************************/ 77 | /* Not implemented: */ 78 | /* - sb_copy_data */ 79 | /* - sb_parse_opts_str */ 80 | /* - chown */ 81 | /********************************************************/ 82 | 83 | 84 | 85 | // Security hooks for program execution operations. 86 | 87 | SEC("lsm/bprm_creds_for_exec") 88 | int BPF_PROG(bprm_creds_for_exec, struct linux_binprm *bprm) 89 | { 90 | FILTER_CATHEGORY_INT(PROG_EXEC_CATH) 91 | FILTER_OWN_PID_INT() 92 | DUMP_FUNC(bprm_creds_for_exec, struct linux_binprm *bprm) 93 | 94 | DUMP_LINUX_BINPRM_STRUCT(bprm) 95 | 96 | bpf_printk("lsm_hook: exec: bprm_creds_for_exec\n"); 97 | return 0; 98 | } 99 | 100 | SEC("lsm/bprm_creds_from_file") 101 | int BPF_PROG(bprm_creds_from_file, struct linux_binprm *bprm, struct file *file) 102 | { 103 | FILTER_CATHEGORY_INT(PROG_EXEC_CATH) 104 | FILTER_OWN_PID_INT() 105 | DUMP_FUNC(bprm_creds_from_file, struct linux_binprm *bprm, struct file *file) 106 | 107 | DUMP_LINUX_BINPRM_STRUCT(bprm) 108 | DUMP_FILE_STRUCT(file) 109 | 110 | bpf_printk("lsm_hook: exec: bprm_creds_from_file\n"); 111 | return 0; 112 | } 113 | 114 | SEC("lsm/bprm_check_security") 115 | int BPF_PROG(bprm_check_security, struct linux_binprm *bprm) 116 | { 117 | FILTER_CATHEGORY_INT(PROG_EXEC_CATH) 118 | FILTER_OWN_PID_INT() 119 | DUMP_FUNC(bprm_check_security, struct linux_binprm *bprm) 120 | 121 | DUMP_LINUX_BINPRM_STRUCT(bprm) 122 | 123 | bpf_printk("lsm_hook: exec: bprm_check_security\n"); 124 | return 0; 125 | } 126 | 127 | 128 | SEC("lsm/bprm_committing_creds") 129 | void BPF_PROG(bprm_committing_creds, struct linux_binprm *bprm) 130 | { 131 | FILTER_CATHEGORY_VOID(PROG_EXEC_CATH) 132 | FILTER_OWN_PID_VOID() 133 | DUMP_FUNC(bprm_committing_creds, struct linux_binprm *bprm) 134 | 135 | DUMP_LINUX_BINPRM_STRUCT(bprm) 136 | 137 | bpf_printk("lsm_hook: exec: bprm_committing_creds\n"); 138 | } 139 | 140 | SEC("lsm/bprm_committed_creds") 141 | void BPF_PROG(bprm_committed_creds, struct linux_binprm *bprm) 142 | { 143 | FILTER_CATHEGORY_VOID(PROG_EXEC_CATH) 144 | FILTER_OWN_PID_VOID() 145 | DUMP_FUNC(bprm_committed_creds, struct linux_binprm *bprm) 146 | 147 | DUMP_LINUX_BINPRM_STRUCT(bprm) 148 | 149 | bpf_printk("lsm_hook: exec: bprm_committed_creds\n"); 150 | } 151 | 152 | 153 | // Security hooks for mount using fs_context. 154 | 155 | SEC("lsm/fs_context_dup") 156 | int BPF_PROG(fs_context_dup, struct fs_context *fc, struct fs_context *src_sc) 157 | { 158 | FILTER_CATHEGORY_INT(MOUNT_FS_CATH) 159 | FILTER_OWN_PID_INT() 160 | DUMP_FUNC(fs_context_dup, struct fs_context *fc, struct fs_context *src_sc) 161 | 162 | bpf_printk("lsm_hook: fs_context: fs_context_dup\n"); 163 | return 0; 164 | } 165 | 166 | SEC("lsm/fs_context_parse_param") 167 | int BPF_PROG(fs_context_parse_param, struct fs_context *fc, struct fs_parameter *param) 168 | { 169 | FILTER_CATHEGORY_INT(MOUNT_FS_CATH) 170 | FILTER_OWN_PID_INT() 171 | DUMP_FUNC(fs_context_parse_param, struct fs_context *fc, struct fs_parameter *param) 172 | 173 | bpf_printk("lsm_hook: fs_context: fs_context_parse_param\n"); 174 | return 0; 175 | } 176 | 177 | 178 | // Security hooks for filesystem operations. 179 | 180 | SEC("lsm/sb_alloc_security") 181 | int BPF_PROG(sb_alloc_security, struct super_block *sb) 182 | { 183 | FILTER_CATHEGORY_INT(FILE_CATH) 184 | FILTER_OWN_PID_INT() 185 | DUMP_FUNC(sb_alloc_security, struct super_block *sb) 186 | 187 | bpf_printk("lsm_hook: fs: sb_alloc_security\n"); 188 | return 0; 189 | } 190 | 191 | SEC("lsm/sb_free_security") 192 | void BPF_PROG(sb_free_security, struct super_block *sb) 193 | { 194 | FILTER_CATHEGORY_VOID(FILE_CATH) 195 | FILTER_OWN_PID_VOID() 196 | DUMP_FUNC(sb_alloc_security, struct super_block *sb) 197 | 198 | bpf_printk("lsm_hook: fs: sb_free_security\n"); 199 | } 200 | 201 | SEC("lsm/sb_free_mnt_opts") 202 | void BPF_PROG(sb_free_mnt_opts, void *mnt_opts) 203 | { 204 | FILTER_CATHEGORY_VOID(FILE_CATH) 205 | FILTER_OWN_PID_VOID() 206 | DUMP_FUNC(sb_free_mnt_opts, void *mnt_opts) 207 | 208 | bpf_printk("lsm_hook: fs: sb_free_mnt_opts\n"); 209 | } 210 | 211 | SEC("lsm/sb_eat_lsm_opts") 212 | int BPF_PROG(sb_eat_lsm_opts, char *orig, void **mnt_opts) 213 | { 214 | FILTER_CATHEGORY_INT(FILE_CATH) 215 | FILTER_OWN_PID_INT() 216 | DUMP_FUNC(sb_eat_lsm_opts, char *orig, void **mnt_opts) 217 | 218 | bpf_printk("lsm_hook: fs: sb_eat_lsm_opts\n"); 219 | return 0; 220 | } 221 | 222 | SEC("lsm/sb_statfs") 223 | int BPF_PROG(sb_statfs, struct dentry *dentry) 224 | { 225 | FILTER_CATHEGORY_INT(FILE_CATH) 226 | FILTER_OWN_PID_INT() 227 | DUMP_FUNC(sb_statfs, struct dentry *dentry) 228 | 229 | DUMP_DENTRY_STRUCT(dentry) 230 | 231 | bpf_printk("lsm_hook: fs: sb_statfs\n"); 232 | return 0; 233 | } 234 | 235 | SEC("lsm/sb_mount") 236 | int BPF_PROG(sb_mount, const char *dev_name, const struct path *path, 237 | const char *type, unsigned long flags, void *data) 238 | { 239 | FILTER_CATHEGORY_INT(FILE_CATH) 240 | FILTER_OWN_PID_INT() 241 | DUMP_FUNC(sb_mount, const char *dev_name, const struct path *path, 242 | const char *type, unsigned long flags, void *data) 243 | 244 | bpf_printk("lsm_hook: fs: sb_mount\n"); 245 | return 0; 246 | } 247 | 248 | // @sb_copy_data 249 | 250 | SEC("lsm/sb_remount") 251 | int BPF_PROG(sb_remount, struct super_block *sb, void *mnt_opts) 252 | { 253 | FILTER_CATHEGORY_INT(FILE_CATH) 254 | FILTER_OWN_PID_INT() 255 | DUMP_FUNC(sb_remount, struct super_block *sb, void *mnt_opts) 256 | 257 | bpf_printk("lsm_hook: fs: sb_mount\n"); 258 | return 0; 259 | } 260 | 261 | SEC("lsm/sb_kern_mount") 262 | int BPF_PROG(sb_kern_mount, struct super_block *sb) 263 | { 264 | FILTER_CATHEGORY_INT(FILE_CATH) 265 | FILTER_OWN_PID_INT() 266 | DUMP_FUNC(sb_kern_mount, struct super_block *sb) 267 | 268 | // bpf_printk("lsm_hook: fs: sb_kern_mount\n"); 269 | return 0; 270 | } 271 | 272 | SEC("lsm/sb_show_options") 273 | int BPF_PROG(sb_show_options, struct seq_file *m, struct super_block *sb) 274 | { 275 | FILTER_CATHEGORY_INT(FILE_CATH) 276 | FILTER_OWN_PID_INT() 277 | DUMP_FUNC(sb_show_options, struct seq_file *m, struct super_block *sb) 278 | 279 | bpf_printk("lsm_hook: fs: sb_show_options\n"); 280 | return 0; 281 | } 282 | 283 | SEC("lsm/sb_umount") 284 | int BPF_PROG(sb_umount, struct vfsmount *mnt, int flags) 285 | { 286 | FILTER_CATHEGORY_INT(FILE_CATH) 287 | FILTER_OWN_PID_INT() 288 | DUMP_FUNC(sb_umount, struct vfsmount *mnt, int flags) 289 | 290 | bpf_printk("lsm_hook: fs: sb_umount\n"); 291 | return 0; 292 | } 293 | 294 | SEC("lsm/sb_pivotroot") 295 | int BPF_PROG(sb_pivotroot, const struct path *old_path, 296 | const struct path *new_path) 297 | { 298 | FILTER_CATHEGORY_INT(FILE_CATH) 299 | FILTER_OWN_PID_INT() 300 | DUMP_FUNC(sb_pivotroot, const struct path *old_path, 301 | const struct path *new_path) 302 | 303 | bpf_printk("lsm_hook: fs: sb_pivotroot\n"); 304 | return 0; 305 | } 306 | 307 | SEC("lsm/sb_set_mnt_opts") 308 | int BPF_PROG(sb_set_mnt_opts, struct super_block *sb, void *mnt_opts, 309 | unsigned long kern_flags, unsigned long *set_kern_flags) 310 | { 311 | FILTER_CATHEGORY_INT(FILE_CATH) 312 | FILTER_OWN_PID_INT() 313 | DUMP_FUNC(sb_set_mnt_opts, struct super_block *sb, void *mnt_opts, 314 | unsigned long kern_flags, unsigned long *set_kern_flags) 315 | 316 | bpf_printk("lsm_hook: fs: sb_set_mnt_opts\n"); 317 | return 0; 318 | } 319 | 320 | SEC("lsm/sb_clone_mnt_opts") 321 | int BPF_PROG(sb_clone_mnt_opts, const struct super_block *oldsb, 322 | struct super_block *newsb, unsigned long kern_flags, 323 | unsigned long *set_kern_flags) 324 | { 325 | FILTER_CATHEGORY_INT(FILE_CATH) 326 | FILTER_OWN_PID_INT() 327 | DUMP_FUNC(sb_clone_mnt_opts, const struct super_block *oldsb, 328 | struct super_block *newsb, unsigned long kern_flags, 329 | unsigned long *set_kern_flags) 330 | 331 | bpf_printk("lsm_hook: fs: sb_clone_mnt_opts\n"); 332 | return 0; 333 | } 334 | 335 | SEC("lsm/sb_add_mnt_opt") 336 | int BPF_PROG(sb_add_mnt_opt, const char *option, const char *val, 337 | int len, void **mnt_opts) 338 | { 339 | FILTER_CATHEGORY_INT(FILE_CATH) 340 | FILTER_OWN_PID_INT() 341 | DUMP_FUNC(sb_add_mnt_opt, const char *option, const char *val, 342 | int len, void **mnt_opts) 343 | 344 | bpf_printk("lsm_hook: fs: sb_add_mnt_opt\n"); 345 | return 0; 346 | } 347 | 348 | // @sb_parse_opts_str 349 | 350 | 351 | SEC("lsm/move_mount") 352 | int BPF_PROG(move_mount, const struct path *from_path, 353 | const struct path *to_path) 354 | { 355 | FILTER_CATHEGORY_INT(FILE_CATH) 356 | FILTER_OWN_PID_INT() 357 | DUMP_FUNC(move_mount, const struct path *from_path, 358 | const struct path *to_path) 359 | 360 | bpf_printk("lsm_hook: fs: move_mount\n"); 361 | return 0; 362 | } 363 | 364 | SEC("lsm/dentry_init_security") 365 | int BPF_PROG(dentry_init_security, struct dentry *dentry, 366 | int mode, const struct qstr *name, void **lsm_ctx, u32 *ctxlen) 367 | { 368 | FILTER_CATHEGORY_INT(FILE_CATH) 369 | FILTER_OWN_PID_INT() 370 | DUMP_FUNC(dentry_init_security, struct dentry *dentry, 371 | int mode, const struct qstr *name, void **lsm_ctx, u32 *ctxlen) 372 | 373 | DUMP_DENTRY_STRUCT(dentry) 374 | 375 | bpf_printk("lsm_hook: fs: dentry_init_security\n"); 376 | return 0; 377 | } 378 | 379 | SEC("lsm/dentry_create_files_as") 380 | int BPF_PROG(dentry_create_files_as, struct dentry *dentry, int mode, 381 | struct qstr *name, const struct cred *old, struct cred *new) 382 | { 383 | FILTER_CATHEGORY_INT(FILE_CATH) 384 | FILTER_OWN_PID_INT() 385 | DUMP_FUNC(dentry_create_files_as, struct dentry *dentry, int mode, 386 | struct qstr *name, const struct cred *old, struct cred *new) 387 | 388 | DUMP_DENTRY_STRUCT(dentry) 389 | 390 | bpf_printk("lsm_hook: fs: dentry_create_files_as\n"); 391 | return 0; 392 | } 393 | 394 | 395 | // Security hooks for inode operations. 396 | 397 | SEC("lsm/inode_alloc_security") 398 | int BPF_PROG(inode_alloc_security, struct inode *inode) 399 | { 400 | FILTER_CATHEGORY_INT(INODE_CATH) 401 | FILTER_OWN_PID_INT() 402 | DUMP_FUNC(inode_alloc_security, struct inode *inode) 403 | 404 | DUMP_INODE_STRUCT(inode) 405 | 406 | bpf_printk("lsm_hook: inode: inode_alloc_security\n"); 407 | return 0; 408 | } 409 | 410 | SEC("lsm/inode_free_security") 411 | void BPF_PROG(inode_free_security, struct inode *inode) 412 | { 413 | FILTER_CATHEGORY_VOID(INODE_CATH) 414 | FILTER_OWN_PID_VOID() 415 | DUMP_FUNC(inode_free_security, struct inode *inode) 416 | 417 | DUMP_INODE_STRUCT(inode) 418 | 419 | bpf_printk("lsm_hook: inode: inode_free_security\n"); 420 | } 421 | 422 | SEC("lsm/inode_init_security") 423 | int BPF_PROG(inode_init_security, struct inode *inode, 424 | struct inode *dir, const struct qstr *qstr, const char **name, 425 | void **value, size_t *len) 426 | { 427 | FILTER_CATHEGORY_INT(INODE_CATH) 428 | FILTER_OWN_PID_INT() 429 | DUMP_FUNC(inode_init_security, struct inode *inode, 430 | struct inode *dir, const struct qstr *qstr, const char **name, 431 | void **value, size_t *len) 432 | 433 | DUMP_INODE_STRUCT(inode) 434 | 435 | bpf_printk("lsm_hook: inode: inode_init_security\n"); 436 | return 0; 437 | } 438 | 439 | SEC("lsm/inode_create") 440 | int BPF_PROG(inode_create, struct inode *inode_dir, struct dentry *dentry, 441 | umode_t mode) 442 | { 443 | FILTER_CATHEGORY_INT(INODE_CATH) 444 | FILTER_OWN_PID_INT() 445 | DUMP_FUNC(inode_create, struct inode *dir, struct dentry *dentry, 446 | umode_t mode) 447 | 448 | DUMP_INODE_STRUCT(inode_dir) 449 | 450 | bpf_printk("lsm_hook: inode: inode_create\n"); 451 | return 0; 452 | } 453 | 454 | SEC("lsm/inode_link") 455 | int BPF_PROG(inode_link, struct dentry *old_dentry, struct inode *inode_dir, 456 | struct dentry *new_dentry) 457 | { 458 | FILTER_CATHEGORY_INT(INODE_CATH) 459 | FILTER_OWN_PID_INT() 460 | DUMP_FUNC(inode_link, struct dentry *old_dentry, struct inode *dir, 461 | struct dentry *new_dentry) 462 | 463 | DUMP_DENTRY_STRUCT(old_dentry) 464 | DUMP_INODE_STRUCT(inode_dir) 465 | DUMP_DENTRY_STRUCT(new_dentry) 466 | 467 | bpf_printk("lsm_hook: inode: inode_link\n"); 468 | return 0; 469 | } 470 | 471 | SEC("lsm/path_link") 472 | int BPF_PROG(path_link, struct dentry *old_dentry, 473 | const struct path *new_dir, struct dentry *new_dentry) 474 | { 475 | FILTER_CATHEGORY_INT(INODE_CATH) 476 | FILTER_OWN_PID_INT() 477 | DUMP_FUNC(path_link, struct dentry *old_dentry, 478 | const struct path *new_dir, struct dentry *new_dentry) 479 | 480 | DUMP_DENTRY_STRUCT(old_dentry) 481 | DUMP_DENTRY_STRUCT(new_dentry) 482 | 483 | bpf_printk("lsm_hook: inode: path_link\n"); 484 | return 0; 485 | } 486 | 487 | SEC("lsm/inode_unlink") 488 | int BPF_PROG(inode_unlink, struct inode *inode_dir, struct dentry *dentry) 489 | { 490 | FILTER_CATHEGORY_INT(INODE_CATH) 491 | FILTER_OWN_PID_INT() 492 | DUMP_FUNC(inode_unlink, struct inode *dir, struct dentry *dentry) 493 | 494 | DUMP_INODE_STRUCT(inode_dir) 495 | DUMP_DENTRY_STRUCT(dentry) 496 | 497 | bpf_printk("lsm_hook: inode: inode_unlink\n"); 498 | return 0; 499 | } 500 | 501 | SEC("lsm/path_unlink") 502 | int BPF_PROG(path_unlink, const struct path *dir, struct dentry *dentry) 503 | { 504 | FILTER_CATHEGORY_INT(INODE_CATH) 505 | FILTER_OWN_PID_INT() 506 | DUMP_FUNC(path_unlink, const struct path *dir, struct dentry *dentry) 507 | 508 | DUMP_DENTRY_STRUCT(dentry) 509 | 510 | bpf_printk("lsm_hook: inode: path_unlink\n"); 511 | return 0; 512 | } 513 | 514 | SEC("lsm/inode_symlink") 515 | int BPF_PROG(inode_symlink, struct inode *inode_dir, struct dentry *dentry, 516 | const char *old_name) 517 | { 518 | FILTER_CATHEGORY_INT(INODE_CATH) 519 | FILTER_OWN_PID_INT() 520 | DUMP_FUNC(inode_symlink, struct inode *dir, struct dentry *dentry, 521 | const char *old_name) 522 | 523 | DUMP_INODE_STRUCT(inode_dir) 524 | DUMP_DENTRY_STRUCT(dentry) 525 | 526 | bpf_printk("lsm_hook: inode: inode_symlink\n"); 527 | return 0; 528 | } 529 | 530 | SEC("lsm/path_symlink") 531 | int BPF_PROG(path_symlink, const struct path *dir, struct dentry *dentry, 532 | const char *old_name) 533 | { 534 | FILTER_CATHEGORY_INT(INODE_CATH) 535 | FILTER_OWN_PID_INT() 536 | DUMP_FUNC(path_symlink, const struct path *dir, struct dentry *dentry, 537 | const char *old_name) 538 | 539 | DUMP_DENTRY_STRUCT(dentry) 540 | 541 | bpf_printk("lsm_hook: inode: path_symlink\n"); 542 | return 0; 543 | } 544 | 545 | SEC("lsm/inode_mkdir") 546 | int BPF_PROG(inode_mkdir, struct inode *inode_dir, struct dentry *dentry, 547 | umode_t mode) 548 | { 549 | FILTER_CATHEGORY_INT(INODE_CATH) 550 | FILTER_OWN_PID_INT() 551 | DUMP_FUNC(inode_mkdir, struct inode *dir, struct dentry *dentry, 552 | umode_t mode) 553 | 554 | DUMP_INODE_STRUCT(inode_dir) 555 | DUMP_DENTRY_STRUCT(dentry) 556 | 557 | bpf_printk("lsm_hook: inode: inode_mkdir\n"); 558 | return 0; 559 | } 560 | 561 | SEC("lsm/path_mkdir") 562 | int BPF_PROG(path_mkdir, const struct path *dir, struct dentry *dentry, 563 | umode_t mode) 564 | { 565 | FILTER_CATHEGORY_INT(INODE_CATH) 566 | FILTER_OWN_PID_INT() 567 | DUMP_FUNC(path_mkdir, const struct path *dir, struct dentry *dentry, 568 | umode_t mode) 569 | 570 | DUMP_DENTRY_STRUCT(dentry) 571 | 572 | bpf_printk("lsm_hook: inode: path_mkdir\n"); 573 | return 0; 574 | } 575 | 576 | SEC("lsm/inode_rmdir") 577 | int BPF_PROG(inode_rmdir, struct inode *inode_dir, struct dentry *dentry) 578 | { 579 | FILTER_CATHEGORY_INT(INODE_CATH) 580 | FILTER_OWN_PID_INT() 581 | DUMP_FUNC(inode_rmdir, struct inode *dir, struct dentry *dentry) 582 | 583 | DUMP_INODE_STRUCT(inode_dir) 584 | DUMP_DENTRY_STRUCT(dentry) 585 | 586 | bpf_printk("lsm_hook: inode: inode_rmdir\n"); 587 | return 0; 588 | } 589 | 590 | SEC("lsm/path_rmdir") 591 | int BPF_PROG(path_rmdir, const struct path *dir, struct dentry *dentry) 592 | { 593 | FILTER_CATHEGORY_INT(INODE_CATH) 594 | FILTER_OWN_PID_INT() 595 | DUMP_FUNC(path_rmdir, const struct path *dir, struct dentry *dentry) 596 | 597 | DUMP_DENTRY_STRUCT(dentry) 598 | 599 | bpf_printk("lsm_hook: inode: path_rmdir\n"); 600 | return 0; 601 | } 602 | 603 | SEC("lsm/inode_mknod") 604 | int BPF_PROG(inode_mknod, struct inode *inode_dir, struct dentry *dentry, 605 | umode_t mode, dev_t dev) 606 | { 607 | FILTER_CATHEGORY_INT(INODE_CATH) 608 | FILTER_OWN_PID_INT() 609 | DUMP_FUNC(inode_mknod, struct inode *dir, struct dentry *dentry, 610 | umode_t mode, dev_t dev) 611 | 612 | DUMP_INODE_STRUCT(inode_dir) 613 | DUMP_DENTRY_STRUCT(dentry) 614 | 615 | bpf_printk("lsm_hook: inode: inode_mknod\n"); 616 | return 0; 617 | } 618 | 619 | SEC("lsm/inode_rename") 620 | int BPF_PROG(inode_rename, struct inode *old_inode_dir, struct dentry *old_dentry, 621 | struct inode *new_inode_dir, struct dentry *new_dentry) 622 | { 623 | FILTER_CATHEGORY_INT(INODE_CATH) 624 | FILTER_OWN_PID_INT() 625 | DUMP_FUNC(inode_rename, struct inode *old_dir, struct dentry *old_dentry, 626 | struct inode *new_dir, struct dentry *new_dentry) 627 | 628 | DUMP_INODE_STRUCT(old_inode_dir) 629 | DUMP_DENTRY_STRUCT(old_dentry) 630 | DUMP_INODE_STRUCT(new_inode_dir) 631 | DUMP_DENTRY_STRUCT(new_dentry) 632 | 633 | bpf_printk("lsm_hook: inode: inode_rename\n"); 634 | return 0; 635 | } 636 | 637 | SEC("lsm/path_rename") 638 | int BPF_PROG(path_rename, const struct path *old_dir, 639 | struct dentry *old_dentry, const struct path *new_dir, 640 | struct dentry *new_dentry) 641 | { 642 | FILTER_CATHEGORY_INT(INODE_CATH) 643 | FILTER_OWN_PID_INT() 644 | DUMP_FUNC(path_rename, const struct path *old_dir, 645 | struct dentry *old_dentry, const struct path *new_dir, 646 | struct dentry *new_dentry) 647 | 648 | DUMP_DENTRY_STRUCT(old_dentry) 649 | DUMP_DENTRY_STRUCT(new_dentry) 650 | 651 | bpf_printk("lsm_hook: inode: path_rename\n"); 652 | return 0; 653 | } 654 | 655 | SEC("lsm/path_chmod") 656 | int BPF_PROG(path_chmod, const struct path *path, umode_t mode) 657 | { 658 | FILTER_CATHEGORY_INT(INODE_CATH) 659 | FILTER_OWN_PID_INT() 660 | DUMP_FUNC(path_chmod, const struct path *path, umode_t mode) 661 | 662 | bpf_printk("lsm_hook: inode: path_chmod\n"); 663 | return 0; 664 | } 665 | 666 | 667 | SEC("lsm/path_chroot") 668 | int BPF_PROG(path_chroot, const struct path *path) 669 | { 670 | FILTER_CATHEGORY_INT(INODE_CATH) 671 | FILTER_OWN_PID_INT() 672 | DUMP_FUNC(path_chroot, const struct path *path) 673 | 674 | bpf_printk("lsm_hook: inode: path_chroot\n"); 675 | return 0; 676 | } 677 | 678 | SEC("lsm/path_notify") 679 | int BPF_PROG(path_notify, const struct path *path, u64 mask, 680 | unsigned int obj_type) 681 | { 682 | FILTER_CATHEGORY_INT(INODE_CATH) 683 | FILTER_OWN_PID_INT() 684 | DUMP_FUNC(path_notify, const struct path *path, u64 mask, 685 | unsigned int obj_type) 686 | 687 | bpf_printk("lsm_hook: inode: path_notify\n"); 688 | return 0; 689 | } 690 | 691 | SEC("lsm/inode_readlink") 692 | int BPF_PROG(inode_readlink, struct dentry *dentry) 693 | { 694 | FILTER_CATHEGORY_INT(INODE_CATH) 695 | FILTER_OWN_PID_INT() 696 | DUMP_FUNC(inode_readlink, struct dentry *dentry) 697 | 698 | DUMP_DENTRY_STRUCT(dentry) 699 | 700 | bpf_printk("lsm_hook: inode: inode_readlink\n"); 701 | return 0; 702 | } 703 | 704 | SEC("lsm/inode_follow_link") 705 | int BPF_PROG(inode_follow_link, struct dentry *dentry, struct inode *inode, 706 | bool rcu) 707 | { 708 | FILTER_CATHEGORY_INT(INODE_CATH) 709 | FILTER_OWN_PID_INT() 710 | DUMP_FUNC(inode_follow_link, struct dentry *dentry, struct inode *inode, 711 | bool rcu) 712 | 713 | DUMP_DENTRY_STRUCT(dentry) 714 | DUMP_INODE_STRUCT(inode) 715 | 716 | bpf_printk("lsm_hook: inode: inode_follow_link\n"); 717 | return 0; 718 | } 719 | 720 | SEC("lsm/inode_permission") 721 | int BPF_PROG(inode_permission, struct inode *inode, int mask) 722 | { 723 | FILTER_CATHEGORY_INT(INODE_CATH) 724 | FILTER_OWN_PID_INT() 725 | DUMP_FUNC(inode_permission, struct inode *inode, int mask) 726 | 727 | DUMP_INODE_STRUCT(inode) 728 | 729 | bpf_printk("lsm_hook: inode: inode_permission\n"); 730 | return 0; 731 | } 732 | 733 | SEC("lsm/inode_setattr") 734 | int BPF_PROG(inode_setattr, struct dentry *dentry, struct iattr *attr) 735 | { 736 | FILTER_CATHEGORY_INT(INODE_CATH) 737 | FILTER_OWN_PID_INT() 738 | 739 | DUMP_DENTRY_STRUCT(dentry) 740 | 741 | bpf_printk("lsm_hook: inode: inode_setattr\n"); 742 | return 0; 743 | } 744 | 745 | SEC("lsm/path_truncate") 746 | int BPF_PROG(path_truncate, const struct path *path) 747 | { 748 | FILTER_CATHEGORY_INT(INODE_CATH) 749 | FILTER_OWN_PID_INT() 750 | 751 | bpf_printk("lsm_hook: inode: path_truncate\n"); 752 | return 0; 753 | } 754 | 755 | SEC("lsm/inode_getattr") 756 | int BPF_PROG(inode_getattr, const struct path *path) 757 | { 758 | FILTER_CATHEGORY_INT(INODE_CATH) 759 | FILTER_OWN_PID_INT() 760 | 761 | bpf_printk("lsm_hook: inode: inode_getattr\n"); 762 | return 0; 763 | } 764 | 765 | SEC("lsm/inode_setxattr") 766 | int BPF_PROG(inode_setxattr, struct dentry *dentry, const char *name, 767 | const void *value, size_t size, int flags) 768 | { 769 | FILTER_CATHEGORY_INT(INODE_CATH) 770 | FILTER_OWN_PID_INT() 771 | 772 | DUMP_DENTRY_STRUCT(dentry) 773 | 774 | bpf_printk("lsm_hook: inode: inode_setxattr\n"); 775 | return 0; 776 | } 777 | 778 | SEC("lsm/inode_post_setxattr") 779 | int BPF_PROG(inode_post_setxattr, struct dentry *dentry, 780 | const char *name, const void *value, size_t size, int flags) 781 | { 782 | FILTER_CATHEGORY_INT(INODE_CATH) 783 | FILTER_OWN_PID_INT() 784 | 785 | DUMP_DENTRY_STRUCT(dentry) 786 | 787 | bpf_printk("lsm_hook: inode: inode_post_setxattr\n"); 788 | return 0; 789 | } 790 | 791 | SEC("lsm/inode_getxattr") 792 | int BPF_PROG(inode_getxattr, struct dentry *dentry, const char *name) 793 | { 794 | FILTER_CATHEGORY_INT(INODE_CATH) 795 | FILTER_OWN_PID_INT() 796 | 797 | DUMP_DENTRY_STRUCT(dentry) 798 | 799 | bpf_printk("lsm_hook: inode: inode_getxattr\n"); 800 | return 0; 801 | } 802 | 803 | SEC("lsm/inode_listxattr") 804 | int BPF_PROG(inode_listxattr, struct dentry *dentry) 805 | { 806 | FILTER_CATHEGORY_INT(INODE_CATH) 807 | FILTER_OWN_PID_INT() 808 | 809 | DUMP_DENTRY_STRUCT(dentry) 810 | 811 | bpf_printk("lsm_hook: inode: inode_listxattr\n"); 812 | return 0; 813 | } 814 | 815 | SEC("lsm/inode_removexattr") 816 | int BPF_PROG(inode_removexattr, struct dentry *dentry, const char *name) 817 | { 818 | FILTER_CATHEGORY_INT(INODE_CATH) 819 | FILTER_OWN_PID_INT() 820 | 821 | DUMP_DENTRY_STRUCT(dentry) 822 | 823 | bpf_printk("lsm_hook: inode: inode_removexattr\n"); 824 | return 0; 825 | } 826 | 827 | SEC("lsm/inode_getsecurity") 828 | int BPF_PROG(inode_getsecurity, struct inode *inode, 829 | const char *name, void **buffer, bool alloc) 830 | { 831 | FILTER_CATHEGORY_INT(INODE_CATH) 832 | FILTER_OWN_PID_INT() 833 | 834 | DUMP_INODE_STRUCT(inode) 835 | 836 | bpf_printk("lsm_hook: inode: inode_getsecurity\n"); 837 | return 0; 838 | } 839 | 840 | SEC("lsm/inode_setsecurity") 841 | int BPF_PROG(inode_setsecurity, struct inode *inode, 842 | const char *name, const void *value, size_t size, int flags) 843 | { 844 | FILTER_CATHEGORY_INT(INODE_CATH) 845 | FILTER_OWN_PID_INT() 846 | 847 | DUMP_INODE_STRUCT(inode) 848 | 849 | bpf_printk("lsm_hook: inode: inode_setsecurity\n"); 850 | return 0; 851 | } 852 | 853 | 854 | SEC("lsm/inode_listsecurity") 855 | int BPF_PROG(inode_listsecurity, struct inode *inode, char *buffer, 856 | size_t buffer_size) 857 | { 858 | FILTER_CATHEGORY_INT(INODE_CATH) 859 | FILTER_OWN_PID_INT() 860 | 861 | DUMP_INODE_STRUCT(inode) 862 | 863 | bpf_printk("lsm_hook: inode: inode_listsecurity\n"); 864 | return 0; 865 | } 866 | 867 | SEC("lsm/inode_need_killpriv") 868 | int BPF_PROG(inode_need_killpriv, struct dentry *dentry) 869 | { 870 | FILTER_CATHEGORY_INT(INODE_CATH) 871 | FILTER_OWN_PID_INT() 872 | 873 | DUMP_DENTRY_STRUCT(dentry) 874 | 875 | bpf_printk("lsm_hook: inode: inode_need_killpriv\n"); 876 | return 0; 877 | } 878 | 879 | SEC("lsm/inode_killpriv") 880 | int BPF_PROG(inode_killpriv, struct dentry *dentry) 881 | { 882 | FILTER_CATHEGORY_INT(INODE_CATH) 883 | FILTER_OWN_PID_INT() 884 | 885 | DUMP_DENTRY_STRUCT(dentry) 886 | 887 | bpf_printk("lsm_hook: inode: inode_killpriv\n"); 888 | return 0; 889 | } 890 | 891 | SEC("lsm/inode_getsecid") 892 | void BPF_PROG(inode_getsecid, struct inode *inode, u32 *secid) 893 | { 894 | FILTER_CATHEGORY_VOID(INODE_CATH) 895 | FILTER_OWN_PID_VOID() 896 | 897 | DUMP_INODE_STRUCT(inode) 898 | 899 | bpf_printk("lsm_hook: inode: inode_getsecid\n"); 900 | } 901 | 902 | SEC("lsm/inode_copy_up") 903 | int BPF_PROG(inode_copy_up, struct dentry *dentry_src, struct cred **new) 904 | { 905 | FILTER_CATHEGORY_INT(INODE_CATH) 906 | FILTER_OWN_PID_INT() 907 | 908 | DUMP_DENTRY_STRUCT(dentry_src) 909 | 910 | bpf_printk("lsm_hook: inode: inode_copy_up\n"); 911 | return 0; 912 | } 913 | 914 | SEC("lsm/inode_copy_up_xattr") 915 | int BPF_PROG(inode_copy_up_xattr, const char *name) 916 | { 917 | FILTER_CATHEGORY_INT(INODE_CATH) 918 | FILTER_OWN_PID_INT() 919 | 920 | bpf_printk("lsm_hook: inode: inode_copy_up_xattr\n"); 921 | return 0; 922 | } 923 | 924 | SEC("lsm/d_instantiate") 925 | int BPF_PROG(d_instantiate, struct dentry *dentry, 926 | struct inode *inode) 927 | { 928 | FILTER_CATHEGORY_INT(INODE_CATH) 929 | FILTER_OWN_PID_INT() 930 | 931 | DUMP_DENTRY_STRUCT(dentry) 932 | 933 | bpf_printk("lsm_hook: inode: d_instantiate\n"); 934 | return 0; 935 | } 936 | 937 | SEC("lsm/getprocattr") 938 | int BPF_PROG(getprocattr, struct task_struct *p, char *name, 939 | char **value) 940 | { 941 | FILTER_OWN_PID_INT() 942 | 943 | bpf_printk("lsm_hook: inode: getprocattr\n"); 944 | return 0; 945 | } 946 | 947 | SEC("lsm/setprocattr") 948 | int BPF_PROG(setprocattr, const char *name, void *value, size_t size) 949 | { 950 | FILTER_OWN_PID_INT() 951 | 952 | bpf_printk("lsm_hook: inode: setprocattr\n"); 953 | return 0; 954 | } 955 | 956 | 957 | // Security hooks for kernfs node operations 958 | 959 | SEC("lsm/kernfs_init_security") 960 | int BPF_PROG(kernfs_init_security, struct kernfs_node *kn_dir, 961 | struct kernfs_node *kn) 962 | { 963 | FILTER_OWN_PID_INT() 964 | 965 | bpf_printk("lsm_hook: kernfs_node: kernfs_init_security\n"); 966 | return 0; 967 | } 968 | 969 | 970 | // Security hooks for file operations 971 | 972 | SEC("lsm/file_permission") 973 | int BPF_PROG(file_permission, struct file *file, int mask) 974 | { 975 | FILTER_CATHEGORY_INT(FILE_CATH) 976 | FILTER_OWN_PID_INT() 977 | DUMP_FUNC(file_permission, struct file *file, int mask) 978 | 979 | DUMP_FILE_STRUCT(file) 980 | bpf_printk("lsm_hook: file: file_permission\n"); 981 | return 0; 982 | } 983 | 984 | SEC("lsm/file_alloc_security") 985 | int BPF_PROG(file_alloc_security, struct file *file) 986 | { 987 | FILTER_CATHEGORY_INT(FILE_CATH) 988 | FILTER_OWN_PID_INT() 989 | DUMP_FUNC(file_alloc_security, struct file *file) 990 | 991 | DUMP_FILE_STRUCT(file) 992 | bpf_printk("lsm_hook: file: file_alloc_security\n"); 993 | return 0; 994 | } 995 | 996 | SEC("lsm/file_free_security") 997 | void BPF_PROG(file_free_security, struct file *file) 998 | { 999 | FILTER_CATHEGORY_VOID(FILE_CATH) 1000 | FILTER_OWN_PID_VOID() 1001 | DUMP_FUNC(file_free_security, struct file *file) 1002 | 1003 | DUMP_FILE_STRUCT(file) 1004 | bpf_printk("lsm_hook: file: file_free_security\n"); 1005 | } 1006 | 1007 | SEC("lsm/file_ioctl") 1008 | int BPF_PROG(file_ioctl, struct file *file, unsigned int cmd, 1009 | unsigned long arg) 1010 | { 1011 | FILTER_CATHEGORY_INT(FILE_CATH) 1012 | FILTER_OWN_PID_INT() 1013 | DUMP_FUNC(file_ioctl, struct file *file, unsigned int cmd, 1014 | unsigned long arg) 1015 | 1016 | DUMP_FILE_STRUCT(file) 1017 | bpf_printk("lsm_hook: file: file_ioctl\n"); 1018 | return 0; 1019 | } 1020 | 1021 | SEC("lsm/mmap_addr") 1022 | int BPF_PROG(mmap_addr, unsigned long addr) 1023 | { 1024 | FILTER_CATHEGORY_INT(FILE_CATH) 1025 | FILTER_OWN_PID_INT() 1026 | DUMP_FUNC(mmap_addr, unsigned long addr) 1027 | 1028 | bpf_printk("lsm_hook: file: mmap_addr\n"); 1029 | return 0; 1030 | } 1031 | 1032 | SEC("lsm/mmap_file") 1033 | int BPF_PROG(mmap_file, struct file *file, unsigned long reqprot, 1034 | unsigned long prot, unsigned long flags) 1035 | { 1036 | FILTER_CATHEGORY_INT(FILE_CATH) 1037 | FILTER_OWN_PID_INT() 1038 | DUMP_FUNC(mmap_file, struct file *file, unsigned long reqprot, 1039 | unsigned long prot, unsigned long flags) 1040 | 1041 | DUMP_FILE_STRUCT(file) 1042 | bpf_printk("lsm_hook: file: mmap_file\n"); 1043 | return 0; 1044 | } 1045 | 1046 | SEC("lsm/file_mprotect") 1047 | int BPF_PROG(file_mprotect, struct vm_area_struct *vma, 1048 | unsigned long reqprot, unsigned long prot) 1049 | { 1050 | FILTER_CATHEGORY_INT(FILE_CATH) 1051 | FILTER_OWN_PID_INT() 1052 | DUMP_FUNC(file_mprotect, struct vm_area_struct *vma, 1053 | unsigned long reqprot, unsigned long prot) 1054 | 1055 | bpf_printk("lsm_hook: file: file_mprotect\n"); 1056 | return 0; 1057 | } 1058 | 1059 | SEC("lsm/file_lock") 1060 | int BPF_PROG(file_lock, struct file *file, unsigned int cmd) 1061 | { 1062 | FILTER_CATHEGORY_INT(FILE_CATH) 1063 | FILTER_OWN_PID_INT() 1064 | DUMP_FUNC(file_lock, struct file *file, unsigned int cmd) 1065 | 1066 | DUMP_FILE_STRUCT(file) 1067 | bpf_printk("lsm_hook: file: file_mprotect\n"); 1068 | return 0; 1069 | } 1070 | 1071 | SEC("lsm/file_fcntl") 1072 | int BPF_PROG(file_fcntl, struct file *file, unsigned int cmd, 1073 | unsigned long arg) 1074 | { 1075 | FILTER_CATHEGORY_INT(FILE_CATH) 1076 | FILTER_OWN_PID_INT() 1077 | DUMP_FUNC(file_fcntl, struct file *file, unsigned int cmd, 1078 | unsigned long arg) 1079 | 1080 | DUMP_FILE_STRUCT(file) 1081 | bpf_printk("lsm_hook: file: file_fcntl\n"); 1082 | return 0; 1083 | } 1084 | 1085 | SEC("lsm/file_set_fowner") 1086 | int BPF_PROG(file_set_fowner, struct file *file) 1087 | { 1088 | FILTER_CATHEGORY_INT(FILE_CATH) 1089 | FILTER_OWN_PID_INT() 1090 | DUMP_FUNC(file_set_fowner, struct file *file) 1091 | 1092 | DUMP_FILE_STRUCT(file) 1093 | bpf_printk("lsm_hook: file: file_set_fowner\n"); 1094 | return 0; 1095 | } 1096 | 1097 | SEC("lsm/file_send_sigiotask") 1098 | int BPF_PROG(file_send_sigiotask, struct task_struct *tsk, 1099 | struct fown_struct *fown, int sig) 1100 | { 1101 | FILTER_CATHEGORY_INT(FILE_CATH) 1102 | FILTER_OWN_PID_INT() 1103 | DUMP_FUNC(file_send_sigiotask, struct task_struct *tsk, 1104 | struct fown_struct *fown, int sig) 1105 | 1106 | bpf_printk("lsm_hook: file: file_send_sigiotask\n"); 1107 | return 0; 1108 | } 1109 | 1110 | SEC("lsm/file_receive") 1111 | int BPF_PROG(file_receive, struct file *file) 1112 | { 1113 | FILTER_CATHEGORY_INT(FILE_CATH) 1114 | FILTER_OWN_PID_INT() 1115 | DUMP_FUNC(file_receive, struct file *file) 1116 | 1117 | DUMP_FILE_STRUCT(file) 1118 | 1119 | bpf_printk("lsm_hook: file: file_receive\n"); 1120 | return 0; 1121 | } 1122 | 1123 | 1124 | SEC("lsm/file_open") 1125 | int BPF_PROG(file_open, struct file *file) 1126 | { 1127 | 1128 | FILTER_CATHEGORY_INT(FILE_CATH) 1129 | FILTER_OWN_PID_INT() 1130 | DUMP_FUNC(file_open, struct file *file) 1131 | 1132 | DUMP_FILE_STRUCT(file) 1133 | 1134 | bpf_printk("lsm_hook: file: file_open\n"); 1135 | return 0; 1136 | } 1137 | 1138 | 1139 | 1140 | // Security hooks for task operations. 1141 | 1142 | SEC("lsm/task_alloc") 1143 | int BPF_PROG(task_alloc, struct task_struct *task, 1144 | unsigned long clone_flags) 1145 | { 1146 | FILTER_OWN_PID_INT() 1147 | DUMP_FUNC(task_alloc, struct task_struct *task, 1148 | unsigned long clone_flags) 1149 | 1150 | bpf_printk("lsm_hook: task: task_alloc\n"); 1151 | return 0; 1152 | } 1153 | 1154 | SEC("lsm/task_free") 1155 | void BPF_PROG(task_free, struct task_struct *task) 1156 | { 1157 | FILTER_OWN_PID_VOID() 1158 | DUMP_FUNC(task_free, struct task_struct *task) 1159 | 1160 | bpf_printk("lsm_hook: task: task_free\n"); 1161 | } 1162 | 1163 | SEC("lsm/cred_alloc_blank") 1164 | int BPF_PROG(cred_alloc_blank, struct cred *cred, gfp_t gfp) 1165 | { 1166 | FILTER_OWN_PID_INT() 1167 | DUMP_FUNC(cred_alloc_blank, struct cred *cred, gfp_t gfp) 1168 | 1169 | bpf_printk("lsm_hook: task: cred_alloc_blank\n"); 1170 | return 0; 1171 | } 1172 | 1173 | SEC("lsm/cred_free") 1174 | void BPF_PROG(cred_free, struct cred *cred) 1175 | { 1176 | FILTER_OWN_PID_VOID() 1177 | DUMP_FUNC(cred_free, struct cred *cred) 1178 | 1179 | bpf_printk("lsm_hook: task: cred_free\n"); 1180 | } 1181 | 1182 | SEC("lsm/cred_prepare") 1183 | int BPF_PROG(cred_prepare, struct cred *new, const struct cred *old, 1184 | gfp_t gfp) 1185 | { 1186 | FILTER_OWN_PID_INT() 1187 | DUMP_FUNC(cred_prepare, struct cred *new, const struct cred *old, 1188 | gfp_t gfp) 1189 | 1190 | 1191 | bpf_printk("lsm_hook: task: cred_prepare\n"); 1192 | return 0; 1193 | } 1194 | 1195 | SEC("lsm/cred_transfer") 1196 | void BPF_PROG(cred_transfer, struct cred *new, 1197 | const struct cred *old) 1198 | { 1199 | FILTER_OWN_PID_VOID() 1200 | DUMP_FUNC(cred_transfer, struct cred *new, 1201 | const struct cred *old) 1202 | 1203 | bpf_printk("lsm_hook: task: cred_transfer\n"); 1204 | } 1205 | 1206 | SEC("lsm/cred_getsecid") 1207 | void BPF_PROG(cred_getsecid, const struct cred *c, u32 *secid) 1208 | { 1209 | FILTER_OWN_PID_VOID() 1210 | DUMP_FUNC(cred_getsecid, const struct cred *c, u32 *secid) 1211 | 1212 | 1213 | bpf_printk("lsm_hook: task: cred_getsecid\n"); 1214 | } 1215 | 1216 | SEC("lsm/kernel_act_as") 1217 | int BPF_PROG(kernel_act_as, struct cred *new, u32 secid) 1218 | { 1219 | FILTER_OWN_PID_INT() 1220 | DUMP_FUNC(kernel_act_as, struct cred *new, u32 secid) 1221 | 1222 | bpf_printk("lsm_hook: task: kernel_act_as\n"); 1223 | return 0; 1224 | } 1225 | 1226 | SEC("lsm/kernel_create_files_as") 1227 | int BPF_PROG(kernel_create_files_as, struct cred *new, struct inode *inode) 1228 | { 1229 | FILTER_OWN_PID_INT() 1230 | DUMP_FUNC(kernel_create_files_as, struct cred *new, struct inode *inode) 1231 | 1232 | bpf_printk("lsm_hook: task: kernel_create_files_as\n"); 1233 | return 0; 1234 | } 1235 | 1236 | SEC("lsm/kernel_module_request") 1237 | int BPF_PROG(kernel_module_request, char *kmod_name) 1238 | { 1239 | FILTER_OWN_PID_INT() 1240 | DUMP_FUNC(kernel_module_request, char *kmod_name) 1241 | 1242 | bpf_printk("lsm_hook: task: kernel_module_request\n"); 1243 | return 0; 1244 | } 1245 | 1246 | SEC("lsm/kernel_load_data") 1247 | int BPF_PROG(kernel_load_data, enum kernel_load_data_id id, bool contents) 1248 | { 1249 | FILTER_OWN_PID_INT() 1250 | DUMP_FUNC(kernel_load_data, enum kernel_load_data_id id, bool contents) 1251 | 1252 | bpf_printk("lsm_hook: task: kernel_load_data\n"); 1253 | return 0; 1254 | } 1255 | 1256 | SEC("lsm/kernel_post_load_data") 1257 | int BPF_PROG(kernel_post_load_data, char *buf, loff_t size, 1258 | enum kernel_load_data_id id, char *description) 1259 | { 1260 | FILTER_OWN_PID_INT() 1261 | DUMP_FUNC(kernel_post_load_data, char *buf, loff_t size, 1262 | enum kernel_load_data_id id, char *description) 1263 | 1264 | bpf_printk("lsm_hook: task: kernel_post_load_data\n"); 1265 | return 0; 1266 | } 1267 | 1268 | SEC("lsm/kernel_read_file") 1269 | int BPF_PROG(kernel_read_file, struct file *file, 1270 | enum kernel_read_file_id id, bool contents) 1271 | { 1272 | FILTER_OWN_PID_INT() 1273 | DUMP_FUNC(kernel_read_file, struct file *file, 1274 | enum kernel_read_file_id id, bool contents) 1275 | 1276 | bpf_printk("lsm_hook: task: kernel_read_file\n"); 1277 | return 0; 1278 | } 1279 | 1280 | SEC("lsm/kernel_post_read_file") 1281 | int BPF_PROG(kernel_post_read_file, struct file *file, char *buf, 1282 | loff_t size, enum kernel_read_file_id id) 1283 | { 1284 | FILTER_OWN_PID_INT() 1285 | DUMP_FUNC(kernel_post_read_file, struct file *file, char *buf, 1286 | loff_t size, enum kernel_read_file_id id) 1287 | 1288 | bpf_printk("lsm_hook: task: kernel_post_read_file\n"); 1289 | return 0; 1290 | } 1291 | 1292 | SEC("lsm/task_fix_setuid") 1293 | int BPF_PROG(task_fix_setuid, struct cred *new, const struct cred *old, 1294 | int flags) 1295 | { 1296 | FILTER_OWN_PID_INT() 1297 | DUMP_FUNC(task_fix_setuid, struct cred *new, const struct cred *old, 1298 | int flags) 1299 | 1300 | bpf_printk("lsm_hook: task: task_fix_setuid\n"); 1301 | return 0; 1302 | } 1303 | 1304 | SEC("lsm/task_fix_setgid") 1305 | int BPF_PROG(task_fix_setgid, struct cred *new, const struct cred * old, 1306 | int flags) 1307 | { 1308 | FILTER_OWN_PID_INT() 1309 | DUMP_FUNC(task_fix_setgid, struct cred *new, const struct cred * old, 1310 | int flags) 1311 | 1312 | bpf_printk("lsm_hook: task: task_fix_setgid\n"); 1313 | return 0; 1314 | } 1315 | 1316 | SEC("lsm/task_setpgid") 1317 | int BPF_PROG(task_setpgid, struct task_struct *p, pid_t pgid) 1318 | { 1319 | FILTER_OWN_PID_INT() 1320 | DUMP_FUNC(task_setpgid, struct task_struct *p, pid_t pgid) 1321 | 1322 | bpf_printk("lsm_hook: task: task_setpgid\n"); 1323 | return 0; 1324 | } 1325 | 1326 | SEC("lsm/task_getpgid") 1327 | int BPF_PROG(task_getpgid, struct task_struct *p) 1328 | { 1329 | FILTER_OWN_PID_INT() 1330 | DUMP_FUNC(task_getpgid, struct task_struct *p) 1331 | 1332 | bpf_printk("lsm_hook: task: task_getpgid\n"); 1333 | return 0; 1334 | } 1335 | 1336 | SEC("lsm/task_getsid") 1337 | int BPF_PROG(task_getsid, struct task_struct *p) 1338 | { 1339 | FILTER_OWN_PID_INT() 1340 | DUMP_FUNC(task_getsid, struct task_struct *p) 1341 | 1342 | bpf_printk("lsm_hook: task: task_getsid\n"); 1343 | return 0; 1344 | } 1345 | 1346 | SEC("lsm/task_getsecid") 1347 | void BPF_PROG(task_getsecid, struct task_struct *p, u32 *secid) 1348 | { 1349 | FILTER_OWN_PID_VOID() 1350 | DUMP_FUNC(task_getsecid, struct task_struct *p, u32 *secid) 1351 | 1352 | bpf_printk("lsm_hook: task: task_getsecid\n"); 1353 | return; 1354 | } 1355 | 1356 | SEC("lsm/task_setnice") 1357 | int BPF_PROG(task_setnice, struct task_struct *p, int nice) 1358 | { 1359 | FILTER_OWN_PID_INT() 1360 | DUMP_FUNC(task_setnice, struct task_struct *p, int nice) 1361 | 1362 | bpf_printk("lsm_hook: task: task_setnice\n"); 1363 | return 0; 1364 | } 1365 | 1366 | SEC("lsm/task_setioprio") 1367 | int BPF_PROG(task_setioprio, struct task_struct *p, int ioprio) 1368 | { 1369 | FILTER_OWN_PID_INT() 1370 | DUMP_FUNC(task_setioprio, struct task_struct *p, int ioprio) 1371 | 1372 | bpf_printk("lsm_hook: task: task_setioprio\n"); 1373 | return 0; 1374 | } 1375 | 1376 | SEC("lsm/task_getioprio") 1377 | int BPF_PROG(task_getioprio, struct task_struct *p) 1378 | { 1379 | FILTER_OWN_PID_INT() 1380 | DUMP_FUNC(task_getioprio, struct task_struct *p) 1381 | 1382 | bpf_printk("lsm_hook: task: task_getioprio\n"); 1383 | return 0; 1384 | } 1385 | 1386 | SEC("lsm/task_prlimit") 1387 | int BPF_PROG(task_prlimit, const struct cred *cred, 1388 | const struct cred *tcred, unsigned int flags) 1389 | { 1390 | FILTER_OWN_PID_INT() 1391 | DUMP_FUNC(task_prlimit, const struct cred *cred, 1392 | const struct cred *tcred, unsigned int flags) 1393 | 1394 | bpf_printk("lsm_hook: task: task_prlimit\n"); 1395 | return 0; 1396 | } 1397 | 1398 | SEC("lsm/task_setrlimit") 1399 | int BPF_PROG(task_setrlimit, struct task_struct *p, unsigned int resource, 1400 | struct rlimit *new_rlim) 1401 | { 1402 | FILTER_OWN_PID_INT() 1403 | DUMP_FUNC(task_setrlimit, struct task_struct *p, unsigned int resource, 1404 | struct rlimit *new_rlim) 1405 | 1406 | bpf_printk("lsm_hook: task: task_setrlimit\n"); 1407 | return 0; 1408 | } 1409 | 1410 | SEC("lsm/task_setscheduler") 1411 | int BPF_PROG(task_setscheduler, struct task_struct *p) 1412 | { 1413 | FILTER_OWN_PID_INT() 1414 | DUMP_FUNC(task_setscheduler, struct task_struct *p) 1415 | 1416 | bpf_printk("lsm_hook: task: task_setscheduler\n"); 1417 | return 0; 1418 | } 1419 | 1420 | SEC("lsm/task_getscheduler") 1421 | int BPF_PROG(task_getscheduler, struct task_struct *p) 1422 | { 1423 | FILTER_OWN_PID_INT() 1424 | DUMP_FUNC(task_getscheduler, struct task_struct *p) 1425 | 1426 | bpf_printk("lsm_hook: task: task_getscheduler\n"); 1427 | return 0; 1428 | } 1429 | 1430 | SEC("lsm/task_movememory") 1431 | int BPF_PROG(task_movememory, struct task_struct *p) 1432 | { 1433 | FILTER_OWN_PID_INT() 1434 | DUMP_FUNC(task_movememory, struct task_struct *p) 1435 | 1436 | bpf_printk("lsm_hook: task: task_movememory\n"); 1437 | return 0; 1438 | } 1439 | 1440 | SEC("lsm/task_kill") 1441 | int BPF_PROG(task_kill, struct task_struct *p, struct kernel_siginfo *info, 1442 | int sig, const struct cred *cred) 1443 | { 1444 | FILTER_OWN_PID_INT() 1445 | DUMP_FUNC(task_kill, struct task_struct *p, struct kernel_siginfo *info, 1446 | int sig, const struct cred *cred) 1447 | 1448 | bpf_printk("lsm_hook: task: task_kill\n"); 1449 | return 0; 1450 | } 1451 | 1452 | SEC("lsm/task_prctl") 1453 | int BPF_PROG(task_prctl, int option, unsigned long arg2, 1454 | unsigned long arg3, unsigned long arg4, unsigned long arg5) 1455 | { 1456 | FILTER_OWN_PID_INT() 1457 | DUMP_FUNC(task_prctl, int option, unsigned long arg2, 1458 | unsigned long arg3, unsigned long arg4, unsigned long arg5) 1459 | 1460 | bpf_printk("lsm_hook: task: task_prctl\n"); 1461 | return 0; 1462 | } 1463 | 1464 | SEC("lsm/task_to_inode") 1465 | void BPF_PROG(task_to_inode, struct task_struct *p, 1466 | struct inode *inode) 1467 | { 1468 | FILTER_OWN_PID_VOID() 1469 | DUMP_FUNC(task_to_inode, struct task_struct *p, 1470 | struct inode *inode) 1471 | 1472 | bpf_printk("lsm_hook: task: task_to_inode\n"); 1473 | return; 1474 | } 1475 | 1476 | 1477 | /* Security hooks for Netlink messaging. */ 1478 | 1479 | SEC("lsm/netlink_send") 1480 | int BPF_PROG(netlink_send, struct sock *sk, struct sk_buff *skb) 1481 | { 1482 | FILTER_OWN_PID_INT() 1483 | DUMP_FUNC(netlink_send, struct sock *sk, struct sk_buff *skb) 1484 | 1485 | bpf_printk("lsm_hook: netlink: netlink_send\n"); 1486 | return 0; 1487 | } 1488 | 1489 | 1490 | /* Security hooks for Unix domain networking. */ 1491 | 1492 | SEC("lsm/unix_stream_connect") 1493 | int BPF_PROG(unix_stream_connect, struct sock *sock, struct sock *other, 1494 | struct sock *newsk) 1495 | { 1496 | FILTER_OWN_PID_INT() 1497 | DUMP_FUNC(unix_stream_connect, struct sock *sock, struct sock *other, 1498 | struct sock *newsk) 1499 | 1500 | bpf_printk("lsm_hook: unix_domain: unix_stream_connect\n"); 1501 | return 0; 1502 | } 1503 | 1504 | SEC("lsm/unix_may_send") 1505 | int BPF_PROG(unix_may_send, struct socket *sock, struct socket *other) 1506 | { 1507 | FILTER_OWN_PID_INT() 1508 | DUMP_FUNC(unix_may_send, struct socket *sock, struct socket *other) 1509 | 1510 | bpf_printk("lsm_hook: unix_domain: unix_may_send\n"); 1511 | return 0; 1512 | } 1513 | 1514 | 1515 | /* Security hooks for socket operations. */ 1516 | 1517 | SEC("lsm/socket_create") 1518 | int BPF_PROG(socket_create, int family, int type, int protocol, int kern) 1519 | { 1520 | FILTER_OWN_PID_INT() 1521 | DUMP_FUNC(socket_create, int family, int type, int protocol, int kern) 1522 | 1523 | bpf_printk("lsm_hook: socket: socket_create\n"); 1524 | return 0; 1525 | } 1526 | 1527 | SEC("lsm/socket_post_create") 1528 | int BPF_PROG(socket_post_create, struct socket *sock, int family, int type, 1529 | int protocol, int kern) 1530 | { 1531 | FILTER_OWN_PID_INT() 1532 | DUMP_FUNC(socket_post_create, struct socket *sock, int family, int type, 1533 | int protocol, int kern) 1534 | 1535 | bpf_printk("lsm_hook: socket: socket_post_create\n"); 1536 | return 0; 1537 | } 1538 | 1539 | SEC("lsm/socket_socketpair") 1540 | int BPF_PROG(socket_socketpair, struct socket *socka, struct socket *sockb) 1541 | { 1542 | FILTER_OWN_PID_INT() 1543 | DUMP_FUNC(socket_socketpair, struct socket *socka, struct socket *sockb) 1544 | 1545 | bpf_printk("lsm_hook: socket: socket_socketpair\n"); 1546 | return 0; 1547 | } 1548 | 1549 | SEC("lsm/socket_bind") 1550 | int BPF_PROG(socket_bind, struct socket *sock, struct sockaddr *address, 1551 | int addrlen) 1552 | { 1553 | FILTER_OWN_PID_INT() 1554 | DUMP_FUNC(socket_bind, struct socket *sock, struct sockaddr *address, 1555 | int addrlen) 1556 | 1557 | bpf_printk("lsm_hook: socket: socket_bind\n"); 1558 | return 0; 1559 | } 1560 | 1561 | SEC("lsm/socket_connect") 1562 | int BPF_PROG(socket_connect, struct socket *sock, struct sockaddr *address, 1563 | int addrlen) 1564 | { 1565 | FILTER_OWN_PID_INT() 1566 | DUMP_FUNC(socket_connect, struct socket *sock, struct sockaddr *address, 1567 | int addrlen) 1568 | 1569 | bpf_printk("lsm_hook: socket: socket_connect\n"); 1570 | return 0; 1571 | } 1572 | 1573 | SEC("lsm/socket_listen") 1574 | int BPF_PROG(socket_listen, struct socket *sock, int backlog) 1575 | { 1576 | FILTER_OWN_PID_INT() 1577 | DUMP_FUNC(socket_listen, struct socket *sock, int backlog) 1578 | 1579 | bpf_printk("lsm_hook: socket: socket_listen\n"); 1580 | return 0; 1581 | } 1582 | 1583 | SEC("lsm/socket_accept") 1584 | int BPF_PROG(socket_accept, struct socket *sock, struct socket *newsock) 1585 | { 1586 | FILTER_OWN_PID_INT() 1587 | DUMP_FUNC(socket_accept, struct socket *sock, struct socket *newsock) 1588 | 1589 | bpf_printk("lsm_hook: socket: socket_accept\n"); 1590 | return 0; 1591 | } 1592 | 1593 | SEC("lsm/socket_sendmsg") 1594 | int BPF_PROG(socket_sendmsg, struct socket *sock, struct msghdr *msg, 1595 | int size) 1596 | { 1597 | FILTER_OWN_PID_INT() 1598 | DUMP_FUNC(socket_sendmsg, struct socket *sock, struct msghdr *msg, 1599 | int size) 1600 | 1601 | bpf_printk("lsm_hook: socket: socket_sendmsg\n"); 1602 | return 0; 1603 | } 1604 | 1605 | SEC("lsm/socket_recvmsg") 1606 | int BPF_PROG(socket_recvmsg, struct socket *sock, struct msghdr *msg, 1607 | int size, int flags) 1608 | { 1609 | FILTER_OWN_PID_INT() 1610 | DUMP_FUNC(socket_recvmsg, struct socket *sock, struct msghdr *msg, 1611 | int size, int flags) 1612 | 1613 | bpf_printk("lsm_hook: socket: socket_recvmsg\n"); 1614 | return 0; 1615 | } 1616 | 1617 | SEC("lsm/socket_getsockname") 1618 | int BPF_PROG(socket_getsockname, struct socket *sock) 1619 | { 1620 | FILTER_OWN_PID_INT() 1621 | DUMP_FUNC(socket_getsockname, struct socket *sock) 1622 | 1623 | bpf_printk("lsm_hook: socket: socket_getsockname\n"); 1624 | return 0; 1625 | } 1626 | 1627 | SEC("lsm/socket_getpeername") 1628 | int BPF_PROG(socket_getpeername, struct socket *sock) 1629 | { 1630 | FILTER_OWN_PID_INT() 1631 | DUMP_FUNC(socket_getpeername, struct socket *sock) 1632 | 1633 | bpf_printk("lsm_hook: socket: socket_getpeername\n"); 1634 | return 0; 1635 | } 1636 | 1637 | SEC("lsm/socket_getsockopt") 1638 | int BPF_PROG(socket_getsockopt, struct socket *sock, int level, int optname) 1639 | { 1640 | FILTER_OWN_PID_INT() 1641 | DUMP_FUNC(socket_getsockopt, struct socket *sock, int level, int optname) 1642 | 1643 | bpf_printk("lsm_hook: socket: socket_getsockopt\n"); 1644 | return 0; 1645 | } 1646 | 1647 | SEC("lsm/socket_setsockopt") 1648 | int BPF_PROG(socket_setsockopt, struct socket *sock, int level, int optname) 1649 | { 1650 | FILTER_OWN_PID_INT() 1651 | DUMP_FUNC(socket_setsockopt, struct socket *sock, int level, int optname) 1652 | 1653 | bpf_printk("lsm_hook: socket: socket_setsockopt\n"); 1654 | return 0; 1655 | } 1656 | 1657 | SEC("lsm/socket_shutdown") 1658 | int BPF_PROG(socket_shutdown, struct socket *sock, int how) 1659 | { 1660 | FILTER_OWN_PID_INT() 1661 | DUMP_FUNC(socket_shutdown, struct socket *sock, int how) 1662 | 1663 | bpf_printk("lsm_hook: socket: socket_shutdown\n"); 1664 | return 0; 1665 | } 1666 | 1667 | SEC("lsm/socket_sock_rcv_skb") 1668 | int BPF_PROG(socket_sock_rcv_skb, struct sock *sk, struct sk_buff *skb) 1669 | { 1670 | FILTER_OWN_PID_INT() 1671 | DUMP_FUNC(socket_sock_rcv_skb, struct sock *sk, struct sk_buff *skb) 1672 | 1673 | bpf_printk("lsm_hook: socket: socket_sock_rcv_skb\n"); 1674 | return 0; 1675 | } 1676 | 1677 | 1678 | SEC("lsm/socket_getpeersec_dgram") 1679 | int BPF_PROG(socket_getpeersec_dgram, struct socket *sock, 1680 | struct sk_buff *skb, u32 *secid) 1681 | { 1682 | FILTER_OWN_PID_INT() 1683 | DUMP_FUNC(socket_getpeersec_dgram, struct socket *sock, 1684 | struct sk_buff *skb, u32 *secid) 1685 | 1686 | bpf_printk("lsm_hook: socket: socket_getpeersec_dgram\n"); 1687 | return 0; 1688 | } 1689 | 1690 | SEC("lsm/sk_alloc_security") 1691 | int BPF_PROG(sk_alloc_security, struct sock *sk, int family, gfp_t priority) 1692 | { 1693 | FILTER_OWN_PID_INT() 1694 | DUMP_FUNC(sk_alloc_security, struct sock *sk, int family, gfp_t priority) 1695 | 1696 | bpf_printk("lsm_hook: socket: sk_alloc_security\n"); 1697 | return 0; 1698 | } 1699 | 1700 | SEC("lsm/sk_free_security") 1701 | void BPF_PROG(sk_free_security, struct sock *sk) 1702 | { 1703 | FILTER_OWN_PID_VOID() 1704 | DUMP_FUNC(sk_free_security, struct sock *sk) 1705 | 1706 | bpf_printk("lsm_hook: socket: sk_free_security\n"); 1707 | return; 1708 | } 1709 | 1710 | SEC("lsm/sk_clone_security") 1711 | void BPF_PROG(sk_clone_security, const struct sock *sk, 1712 | struct sock *newsk) 1713 | { 1714 | FILTER_OWN_PID_VOID() 1715 | DUMP_FUNC(sk_clone_security, const struct sock *sk, 1716 | struct sock *newsk) 1717 | 1718 | bpf_printk("lsm_hook: socket: sk_clone_security\n"); 1719 | return; 1720 | } 1721 | 1722 | SEC("lsm/sk_getsecid") 1723 | void BPF_PROG(sk_getsecid, struct sock *sk, u32 *secid) 1724 | { 1725 | FILTER_OWN_PID_VOID() 1726 | DUMP_FUNC(sk_getsecid, struct sock *sk, u32 *secid) 1727 | 1728 | bpf_printk("lsm_hook: socket: sk_getsecid\n"); 1729 | return; 1730 | } 1731 | 1732 | SEC("lsm/sock_graft") 1733 | void BPF_PROG(sock_graft, struct sock *sk, struct socket *parent) 1734 | { 1735 | FILTER_OWN_PID_VOID() 1736 | DUMP_FUNC(sock_graft, struct sock *sk, struct socket *parent) 1737 | 1738 | bpf_printk("lsm_hook: socket: sock_graft\n"); 1739 | return; 1740 | } 1741 | 1742 | SEC("lsm/inet_conn_request") 1743 | int BPF_PROG(inet_conn_request, struct sock *sk, struct sk_buff *skb, 1744 | struct request_sock *req) 1745 | { 1746 | FILTER_OWN_PID_INT() 1747 | DUMP_FUNC(inet_conn_request, struct sock *sk, struct sk_buff *skb, 1748 | struct request_sock *req) 1749 | 1750 | bpf_printk("lsm_hook: socket: inet_conn_request\n"); 1751 | return 0; 1752 | } 1753 | 1754 | SEC("lsm/inet_csk_clone") 1755 | void BPF_PROG(inet_csk_clone, struct sock *newsk, 1756 | const struct request_sock *req) 1757 | { 1758 | FILTER_OWN_PID_VOID() 1759 | DUMP_FUNC(inet_csk_clone, struct sock *newsk, 1760 | const struct request_sock *req) 1761 | 1762 | bpf_printk("lsm_hook: socket: inet_csk_clone\n"); 1763 | return; 1764 | } 1765 | 1766 | SEC("lsm/inet_conn_established") 1767 | void BPF_PROG(inet_conn_established, struct sock *sk, 1768 | struct sk_buff *skb) 1769 | { 1770 | FILTER_OWN_PID_VOID() 1771 | DUMP_FUNC(inet_conn_established, struct sock *sk, 1772 | struct sk_buff *skb) 1773 | 1774 | bpf_printk("lsm_hook: socket: inet_conn_established\n"); 1775 | return; 1776 | } 1777 | 1778 | SEC("lsm/secmark_relabel_packet") 1779 | int BPF_PROG(secmark_relabel_packet, u32 secid) 1780 | { 1781 | FILTER_OWN_PID_INT() 1782 | DUMP_FUNC(secmark_relabel_packet, u32 secid) 1783 | 1784 | bpf_printk("lsm_hook: socket: secmark_relabel_packet\n"); 1785 | return 0; 1786 | } 1787 | 1788 | SEC("lsm/secmark_refcount_inc") 1789 | void BPF_PROG(secmark_refcount_inc) 1790 | { 1791 | FILTER_OWN_PID_VOID() 1792 | DUMP_FUNC(secmark_refcount_inc) 1793 | 1794 | bpf_printk("lsm_hook: socket: secmark_relabel_packet\n"); 1795 | return; 1796 | } 1797 | 1798 | SEC("lsm/secmark_refcount_dec") 1799 | void BPF_PROG(secmark_refcount_dec) 1800 | { 1801 | FILTER_OWN_PID_VOID() 1802 | DUMP_FUNC(secmark_refcount_dec) 1803 | 1804 | bpf_printk("lsm_hook: socket: secmark_refcount_dec\n"); 1805 | return; 1806 | } 1807 | 1808 | SEC("lsm/req_classify_flow") 1809 | void BPF_PROG(req_classify_flow, const struct request_sock *req, 1810 | struct flowi *fl) 1811 | { 1812 | FILTER_OWN_PID_VOID() 1813 | DUMP_FUNC(req_classify_flow) 1814 | 1815 | bpf_printk("lsm_hook: socket: req_classify_flow\n"); 1816 | return; 1817 | } 1818 | 1819 | SEC("lsm/tun_dev_alloc_security") 1820 | int BPF_PROG(tun_dev_alloc_security, void **security) 1821 | { 1822 | FILTER_OWN_PID_INT() 1823 | DUMP_FUNC(tun_dev_alloc_security, void **security) 1824 | 1825 | bpf_printk("lsm_hook: socket: tun_dev_alloc_security\n"); 1826 | return 0; 1827 | } 1828 | 1829 | SEC("lsm/tun_dev_free_security") 1830 | void BPF_PROG(tun_dev_free_security, void *security) 1831 | { 1832 | FILTER_OWN_PID_VOID() 1833 | DUMP_FUNC(tun_dev_free_security, void *security) 1834 | 1835 | bpf_printk("lsm_hook: socket: tun_dev_free_security\n"); 1836 | return; 1837 | } 1838 | 1839 | SEC("lsm/tun_dev_create") 1840 | int BPF_PROG(tun_dev_create) 1841 | { 1842 | FILTER_OWN_PID_INT() 1843 | DUMP_FUNC(tun_dev_create) 1844 | 1845 | bpf_printk("lsm_hook: socket: tun_dev_create\n"); 1846 | return 0; 1847 | } 1848 | 1849 | SEC("lsm/tun_dev_attach_queue") 1850 | int BPF_PROG(tun_dev_attach_queue, void *security) 1851 | { 1852 | FILTER_OWN_PID_INT() 1853 | DUMP_FUNC(tun_dev_attach_queue, void *security) 1854 | 1855 | bpf_printk("lsm_hook: socket: tun_dev_attach_queue\n"); 1856 | return 0; 1857 | } 1858 | 1859 | SEC("lsm/tun_dev_attach") 1860 | int BPF_PROG(tun_dev_attach, struct sock *sk, void *security) 1861 | { 1862 | FILTER_OWN_PID_INT() 1863 | DUMP_FUNC(tun_dev_attach, struct sock *sk, void *security) 1864 | 1865 | bpf_printk("lsm_hook: socket: tun_dev_attach\n"); 1866 | return 0; 1867 | } 1868 | 1869 | SEC("lsm/tun_dev_open") 1870 | int BPF_PROG(tun_dev_open, void *security) 1871 | { 1872 | FILTER_OWN_PID_INT() 1873 | DUMP_FUNC(tun_dev_open, void *security) 1874 | 1875 | bpf_printk("lsm_hook: socket: tun_dev_open\n"); 1876 | return 0; 1877 | } 1878 | 1879 | 1880 | /* Security hooks for SCTP */ 1881 | 1882 | SEC("lsm/tun_dev_open") 1883 | int BPF_PROG(sctp_assoc_request, struct sctp_endpoint *ep, 1884 | struct sk_buff *skb) 1885 | { 1886 | FILTER_OWN_PID_INT() 1887 | DUMP_FUNC(sctp_assoc_request, struct sctp_endpoint *ep, 1888 | struct sk_buff *skb) 1889 | 1890 | bpf_printk("lsm_hook: sctp: sctp_assoc_request\n"); 1891 | return 0; 1892 | } 1893 | 1894 | SEC("lsm/sctp_bind_connect") 1895 | int BPF_PROG(sctp_bind_connect, struct sock *sk, int optname, 1896 | struct sockaddr *address, int addrlen) 1897 | { 1898 | FILTER_OWN_PID_INT() 1899 | DUMP_FUNC(sctp_bind_connect, struct sock *sk, int optname, 1900 | struct sockaddr *address, int addrlen) 1901 | 1902 | bpf_printk("lsm_hook: sctp: sctp_bind_connect\n"); 1903 | return 0; 1904 | } 1905 | 1906 | SEC("lsm/sctp_sk_clone") 1907 | void BPF_PROG(sctp_sk_clone, struct sctp_endpoint *ep, 1908 | struct sock *sk, struct sock *newsk) 1909 | { 1910 | FILTER_OWN_PID_VOID() 1911 | DUMP_FUNC(sctp_sk_clone, struct sctp_endpoint *ep, 1912 | struct sock *sk, struct sock *newsk) 1913 | 1914 | bpf_printk("lsm_hook: sctp: sctp_sk_clone\n"); 1915 | return; 1916 | } 1917 | 1918 | 1919 | 1920 | /* Security hooks for Infiniband */ 1921 | 1922 | 1923 | SEC("lsm/sctp_sk_clone") 1924 | int BPF_PROG(ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) 1925 | { 1926 | FILTER_OWN_PID_INT() 1927 | DUMP_FUNC(ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) 1928 | 1929 | bpf_printk("lsm_hook: infiniband: ib_pkey_access\n"); 1930 | return 0; 1931 | } 1932 | 1933 | SEC("lsm/ib_endport_manage_subnet") 1934 | int BPF_PROG(ib_endport_manage_subnet, void *sec, const char *dev_name, 1935 | u8 port_num) 1936 | { 1937 | FILTER_OWN_PID_INT() 1938 | DUMP_FUNC(ib_endport_manage_subnet, void *sec, const char *dev_name, 1939 | u8 port_num) 1940 | 1941 | bpf_printk("lsm_hook: infiniband: ib_endport_manage_subnet\n"); 1942 | return 0; 1943 | } 1944 | 1945 | SEC("lsm/ib_alloc_security") 1946 | int BPF_PROG(ib_alloc_security, void **sec) 1947 | { 1948 | FILTER_OWN_PID_INT() 1949 | DUMP_FUNC(ib_alloc_security, void **sec) 1950 | 1951 | bpf_printk("lsm_hook: infiniband: ib_alloc_security\n"); 1952 | return 0; 1953 | } 1954 | 1955 | SEC("lsm/ib_free_security") 1956 | void BPF_PROG(ib_free_security, void *sec) 1957 | { 1958 | FILTER_OWN_PID_VOID() 1959 | DUMP_FUNC(ib_free_security, void *sec) 1960 | 1961 | bpf_printk("lsm_hook: infiniband: ib_free_security\n"); 1962 | return; 1963 | } 1964 | 1965 | 1966 | 1967 | /* Security hooks for XFRM operations. */ 1968 | 1969 | SEC("lsm/xfrm_policy_alloc_security") 1970 | int BPF_PROG(xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp, 1971 | struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp) 1972 | { 1973 | FILTER_OWN_PID_INT() 1974 | DUMP_FUNC(xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp, 1975 | struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp) 1976 | 1977 | bpf_printk("lsm_hook: xfrm: xfrm_policy_alloc_security\n"); 1978 | return 0; 1979 | } 1980 | 1981 | SEC("lsm/xfrm_policy_clone_security") 1982 | int BPF_PROG(xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx, 1983 | struct xfrm_sec_ctx **new_ctx) 1984 | { 1985 | FILTER_OWN_PID_INT() 1986 | DUMP_FUNC(xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx, 1987 | struct xfrm_sec_ctx **new_ctx) 1988 | 1989 | bpf_printk("lsm_hook: xfrm: xfrm_policy_clone_security\n"); 1990 | return 0; 1991 | } 1992 | 1993 | SEC("lsm/xfrm_policy_free_security") 1994 | void BPF_PROG(xfrm_policy_free_security, struct xfrm_sec_ctx *xfrm_ctx) 1995 | { 1996 | FILTER_OWN_PID_VOID() 1997 | DUMP_FUNC(xfrm_policy_free_security, struct xfrm_sec_ctx *xfrm_ctx) 1998 | 1999 | bpf_printk("lsm_hook: xfrm: xfrm_policy_clone_security\n"); 2000 | return; 2001 | } 2002 | 2003 | SEC("lsm/xfrm_policy_delete_security") 2004 | int BPF_PROG(xfrm_policy_delete_security, struct xfrm_sec_ctx *xfrm_ctx) 2005 | { 2006 | FILTER_OWN_PID_INT() 2007 | DUMP_FUNC(xfrm_policy_delete_security, struct xfrm_sec_ctx *xfrm_ctx) 2008 | 2009 | bpf_printk("lsm_hook: xfrm: xfrm_policy_delete_security\n"); 2010 | return 0; 2011 | } 2012 | 2013 | SEC("lsm/xfrm_state_alloc") 2014 | int BPF_PROG(xfrm_state_alloc, struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 2015 | { 2016 | FILTER_OWN_PID_INT() 2017 | DUMP_FUNC(xfrm_state_alloc, struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 2018 | 2019 | bpf_printk("lsm_hook: xfrm: xfrm_state_alloc\n"); 2020 | return 0; 2021 | } 2022 | 2023 | SEC("lsm/xfrm_state_alloc_acquire") 2024 | int BPF_PROG(xfrm_state_alloc_acquire, struct xfrm_state *x, 2025 | struct xfrm_sec_ctx *polsec, u32 secid) 2026 | { 2027 | FILTER_OWN_PID_INT() 2028 | DUMP_FUNC(xfrm_state_alloc_acquire, struct xfrm_state *x, 2029 | struct xfrm_sec_ctx *polsec, u32 secid) 2030 | 2031 | bpf_printk("lsm_hook: xfrm: xfrm_state_alloc_acquire\n"); 2032 | return 0; 2033 | } 2034 | 2035 | SEC("lsm/xfrm_state_free_security") 2036 | void BPF_PROG(xfrm_state_free_security, struct xfrm_state *x) 2037 | { 2038 | FILTER_OWN_PID_VOID() 2039 | DUMP_FUNC(xfrm_state_free_security, struct xfrm_state *x) 2040 | 2041 | bpf_printk("lsm_hook: xfrm: xfrm_state_alloc_acquire\n"); 2042 | return; 2043 | } 2044 | 2045 | SEC("lsm/xfrm_state_delete_security") 2046 | int BPF_PROG(xfrm_state_delete_security, struct xfrm_state *x) 2047 | { 2048 | FILTER_OWN_PID_INT() 2049 | DUMP_FUNC(xfrm_state_delete_security, struct xfrm_state *x) 2050 | 2051 | bpf_printk("lsm_hook: xfrm: xfrm_state_delete_security\n"); 2052 | return 0; 2053 | } 2054 | 2055 | SEC("lsm/xfrm_policy_lookup") 2056 | int BPF_PROG(xfrm_policy_lookup, struct xfrm_sec_ctx *xfrm_ctx, u32 fl_secid, 2057 | u8 dir) 2058 | { 2059 | FILTER_OWN_PID_INT() 2060 | DUMP_FUNC(xfrm_policy_lookup, struct xfrm_sec_ctx *xfrm_ctx, u32 fl_secid, 2061 | u8 dir) 2062 | 2063 | bpf_printk("lsm_hook: xfrm: xfrm_policy_lookup\n"); 2064 | return 0; 2065 | } 2066 | 2067 | SEC("lsm/xfrm_state_pol_flow_match") 2068 | int BPF_PROG(xfrm_state_pol_flow_match, struct xfrm_state *x, 2069 | struct xfrm_policy *xp, const struct flowi *fl) 2070 | { 2071 | FILTER_OWN_PID_INT() 2072 | DUMP_FUNC(xfrm_state_pol_flow_match, struct xfrm_state *x, 2073 | struct xfrm_policy *xp, const struct flowi *fl) 2074 | 2075 | bpf_printk("lsm_hook: xfrm: xfrm_state_pol_flow_match\n"); 2076 | return 0; 2077 | } 2078 | 2079 | SEC("lsm/xfrm_state_pol_flow_match") 2080 | int BPF_PROG(xfrm_decode_session, struct sk_buff *skb, u32 *secid, 2081 | int ckall) 2082 | { 2083 | FILTER_OWN_PID_INT() 2084 | DUMP_FUNC(xfrm_decode_session, struct sk_buff *skb, u32 *secid, 2085 | int ckall) 2086 | 2087 | bpf_printk("lsm_hook: xfrm: xfrm_decode_session\n"); 2088 | return 0; 2089 | } 2090 | 2091 | 2092 | /* Security hooks affecting all Key Management operations */ 2093 | 2094 | 2095 | SEC("lsm/key_alloc") 2096 | int BPF_PROG(key_alloc, struct key *key, const struct cred *cred, 2097 | unsigned long flags) 2098 | { 2099 | FILTER_OWN_PID_INT() 2100 | DUMP_FUNC(key_alloc, struct key *key, const struct cred *cred, 2101 | unsigned long flags) 2102 | 2103 | bpf_printk("lsm_hook: key_management: key_alloc\n"); 2104 | return 0; 2105 | } 2106 | 2107 | SEC("lsm/key_free") 2108 | void BPF_PROG(key_free, struct key *key) 2109 | { 2110 | FILTER_OWN_PID_VOID() 2111 | DUMP_FUNC(key_free, struct key *key) 2112 | 2113 | bpf_printk("lsm_hook: key_management: key_free\n"); 2114 | return; 2115 | } 2116 | 2117 | SEC("lsm/key_permission") 2118 | int BPF_PROG(key_permission, key_ref_t key_ref, const struct cred *cred, 2119 | enum key_need_perm need_perm) 2120 | { 2121 | FILTER_OWN_PID_INT() 2122 | DUMP_FUNC(key_permission, key_ref_t key_ref, const struct cred *cred, 2123 | enum key_need_perm need_perm) 2124 | 2125 | bpf_printk("lsm_hook: key_management: key_permission\n"); 2126 | return 0; 2127 | } 2128 | 2129 | SEC("lsm/key_getsecurity") 2130 | int BPF_PROG(key_getsecurity, struct key *key, char **_buffer) 2131 | { 2132 | FILTER_OWN_PID_INT() 2133 | DUMP_FUNC(key_getsecurity, struct key *key, char **_buffer) 2134 | 2135 | bpf_printk("lsm_hook: key_management: key_getsecurity\n"); 2136 | return 0; 2137 | } 2138 | 2139 | 2140 | 2141 | /* Security hooks affecting all System V IPC operations. */ 2142 | 2143 | SEC("lsm/msg_msg_alloc_security") 2144 | int BPF_PROG(msg_msg_alloc_security, struct msg_msg *msg) 2145 | { 2146 | FILTER_OWN_PID_INT() 2147 | DUMP_FUNC(msg_msg_alloc_security, struct msg_msg *msg) 2148 | 2149 | bpf_printk("lsm_hook: systemv_ipc: msg_msg_alloc_security\n"); 2150 | return 0; 2151 | } 2152 | 2153 | SEC("lsm/msg_msg_free_security") 2154 | void BPF_PROG(msg_msg_free_security, struct msg_msg *msg) 2155 | { 2156 | FILTER_OWN_PID_VOID() 2157 | DUMP_FUNC(msg_msg_free_security, struct msg_msg *msg) 2158 | 2159 | bpf_printk("lsm_hook: systemv_ipc: msg_msg_free_security\n"); 2160 | return; 2161 | } 2162 | 2163 | 2164 | /* Security hooks for System V IPC Message Queues */ 2165 | 2166 | 2167 | SEC("lsm/msg_queue_alloc_security") 2168 | int BPF_PROG(msg_queue_alloc_security, struct kern_ipc_perm *perm) 2169 | { 2170 | FILTER_OWN_PID_INT() 2171 | DUMP_FUNC(msg_queue_alloc_security, struct msg_msg *msg) 2172 | 2173 | bpf_printk("lsm_hook: systemv_ipc_msgqueue: msg_queue_alloc_security\n"); 2174 | return 0; 2175 | } 2176 | 2177 | SEC("lsm/msg_queue_free_security") 2178 | void BPF_PROG(msg_queue_free_security, struct kern_ipc_perm *perm) 2179 | { 2180 | FILTER_OWN_PID_VOID() 2181 | DUMP_FUNC(msg_queue_free_security, struct kern_ipc_perm *perm) 2182 | 2183 | bpf_printk("lsm_hook: systemv_ipc_msgqueue: msg_queue_free_security\n"); 2184 | return; 2185 | } 2186 | 2187 | SEC("lsm/msg_queue_associate") 2188 | int BPF_PROG(msg_queue_associate, struct kern_ipc_perm *perm, int msqflg) 2189 | { 2190 | FILTER_OWN_PID_INT() 2191 | DUMP_FUNC(msg_queue_associate, struct kern_ipc_perm *perm, int msqflg) 2192 | 2193 | bpf_printk("lsm_hook: systemv_ipc_msgqueue: msg_queue_associate\n"); 2194 | return 0; 2195 | } 2196 | 2197 | SEC("lsm/msg_queue_msgctl") 2198 | int BPF_PROG(msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd) 2199 | { 2200 | FILTER_OWN_PID_INT() 2201 | DUMP_FUNC(msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd) 2202 | 2203 | bpf_printk("lsm_hook: systemv_ipc_msgqueue: msg_queue_msgctl\n"); 2204 | return 0; 2205 | } 2206 | 2207 | SEC("lsm/msg_queue_msgsnd") 2208 | int BPF_PROG(msg_queue_msgsnd, struct kern_ipc_perm *perm, 2209 | struct msg_msg *msg, int msqflg) 2210 | { 2211 | FILTER_OWN_PID_INT() 2212 | DUMP_FUNC(msg_queue_msgsnd, struct kern_ipc_perm *perm, 2213 | struct msg_msg *msg, int msqflg) 2214 | 2215 | bpf_printk("lsm_hook: systemv_ipc_msgqueue: msg_queue_msgsnd\n"); 2216 | return 0; 2217 | } 2218 | 2219 | SEC("lsm/msg_queue_msgrcv") 2220 | int BPF_PROG(msg_queue_msgrcv, struct kern_ipc_perm *perm, 2221 | struct msg_msg *msg, struct task_struct *target, long type, int mode) 2222 | { 2223 | FILTER_OWN_PID_INT() 2224 | DUMP_FUNC(msg_queue_msgrcv, struct kern_ipc_perm *perm, 2225 | struct msg_msg *msg, struct task_struct *target, long type, int mode) 2226 | 2227 | bpf_printk("lsm_hook: systemv_ipc_msgqueue: msg_queue_msgrcv\n"); 2228 | return 0; 2229 | } 2230 | 2231 | 2232 | /* Security hooks for System V Shared Memory Segments */ 2233 | 2234 | SEC("lsm/shm_alloc_security") 2235 | int BPF_PROG(shm_alloc_security, struct kern_ipc_perm *perm) 2236 | { 2237 | FILTER_OWN_PID_INT() 2238 | DUMP_FUNC(shm_alloc_security, struct kern_ipc_perm *perm) 2239 | 2240 | bpf_printk("lsm_hook: systemv_ipc_shmem: shm_alloc_security\n"); 2241 | return 0; 2242 | } 2243 | 2244 | SEC("lsm/shm_free_security") 2245 | void BPF_PROG(shm_free_security, struct kern_ipc_perm *perm) 2246 | { 2247 | FILTER_OWN_PID_VOID() 2248 | DUMP_FUNC(shm_free_security, struct kern_ipc_perm *perm) 2249 | 2250 | bpf_printk("lsm_hook: systemv_ipc_shmem: shm_free_security\n"); 2251 | return; 2252 | } 2253 | 2254 | SEC("lsm/shm_associate") 2255 | int BPF_PROG(shm_associate, struct kern_ipc_perm *perm, int shmflg) 2256 | { 2257 | FILTER_OWN_PID_INT() 2258 | DUMP_FUNC(shm_associate, struct kern_ipc_perm *perm, int shmflg) 2259 | 2260 | bpf_printk("lsm_hook: systemv_ipc_shmem: shm_associate\n"); 2261 | return 0; 2262 | } 2263 | 2264 | SEC("lsm/shm_shmctl") 2265 | int BPF_PROG(shm_shmctl, struct kern_ipc_perm *perm, int cmd) 2266 | { 2267 | FILTER_OWN_PID_INT() 2268 | DUMP_FUNC(shm_shmctl, struct kern_ipc_perm *perm, int cmd) 2269 | 2270 | bpf_printk("lsm_hook: systemv_ipc_shmem: shm_shmctl\n"); 2271 | return 0; 2272 | } 2273 | 2274 | 2275 | /* Security hooks for System V Semaphores */ 2276 | 2277 | SEC("lsm/sem_alloc_security") 2278 | int BPF_PROG(sem_alloc_security, struct kern_ipc_perm *perm) 2279 | { 2280 | FILTER_OWN_PID_INT() 2281 | DUMP_FUNC(sem_alloc_security, struct kern_ipc_perm *perm) 2282 | 2283 | bpf_printk("lsm_hook: systemv_ipc_shmem: sem_alloc_security\n"); 2284 | return 0; 2285 | } 2286 | 2287 | SEC("lsm/sem_free_security") 2288 | void BPF_PROG(sem_free_security, struct kern_ipc_perm *perm) 2289 | { 2290 | FILTER_OWN_PID_VOID() 2291 | DUMP_FUNC(sem_free_security, struct kern_ipc_perm *perm) 2292 | 2293 | bpf_printk("lsm_hook: systemv_ipc_shmem: sem_free_security\n"); 2294 | return; 2295 | } 2296 | 2297 | SEC("lsm/sem_associate") 2298 | int BPF_PROG(sem_associate, struct kern_ipc_perm *perm, int semflg) 2299 | { 2300 | FILTER_OWN_PID_INT() 2301 | DUMP_FUNC(sem_associate, struct kern_ipc_perm *perm, int semflg) 2302 | 2303 | bpf_printk("lsm_hook: systemv_ipc_shmem: sem_associate\n"); 2304 | return 0; 2305 | } 2306 | 2307 | SEC("lsm/sem_semctl") 2308 | int BPF_PROG(sem_semctl, struct kern_ipc_perm *perm, int cmd) 2309 | { 2310 | FILTER_OWN_PID_INT() 2311 | DUMP_FUNC(sem_semctl, struct kern_ipc_perm *perm, int cmd) 2312 | 2313 | bpf_printk("lsm_hook: systemv_ipc_shmem: sem_semctl\n"); 2314 | return 0; 2315 | } 2316 | 2317 | SEC("lsm/sem_semop") 2318 | int BPF_PROG(sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops, 2319 | unsigned nsops, int alter) 2320 | { 2321 | FILTER_OWN_PID_INT() 2322 | DUMP_FUNC(sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops, 2323 | unsigned nsops, int alter) 2324 | 2325 | bpf_printk("lsm_hook: systemv_ipc_shmem: sem_semop\n"); 2326 | return 0; 2327 | } 2328 | 2329 | SEC("lsm/binder_set_context_mgr") 2330 | int BPF_PROG(binder_set_context_mgr, struct task_struct *mgr) 2331 | { 2332 | FILTER_OWN_PID_INT() 2333 | DUMP_FUNC(binder_set_context_mgr, struct task_struct *mgr) 2334 | 2335 | bpf_printk("lsm_hook: systemv_ipc_shmem: binder_set_context_mgr\n"); 2336 | return 0; 2337 | } 2338 | 2339 | SEC("lsm/binder_transaction") 2340 | int BPF_PROG(binder_transaction, struct task_struct *from, 2341 | struct task_struct *to) 2342 | { 2343 | FILTER_OWN_PID_INT() 2344 | DUMP_FUNC(binder_transaction, struct task_struct *from, 2345 | struct task_struct *to) 2346 | 2347 | bpf_printk("lsm_hook: systemv_ipc_shmem: binder_transaction\n"); 2348 | return 0; 2349 | } 2350 | 2351 | SEC("lsm/binder_transfer_binder") 2352 | int BPF_PROG(binder_transfer_binder, struct task_struct *from, 2353 | struct task_struct *to) 2354 | { 2355 | FILTER_OWN_PID_INT() 2356 | DUMP_FUNC(binder_transfer_binder, struct task_struct *from, 2357 | struct task_struct *to) 2358 | 2359 | bpf_printk("lsm_hook: systemv_ipc_shmem: binder_transfer_binder\n"); 2360 | return 0; 2361 | } 2362 | 2363 | SEC("lsm/binder_transfer_file") 2364 | int BPF_PROG(binder_transfer_file, struct task_struct *from, 2365 | struct task_struct *to, struct file *file) 2366 | { 2367 | FILTER_OWN_PID_INT() 2368 | DUMP_FUNC(binder_transfer_file, struct task_struct *from, 2369 | struct task_struct *to, struct file *file) 2370 | 2371 | bpf_printk("lsm_hook: systemv_ipc_shmem: binder_transfer_file\n"); 2372 | return 0; 2373 | } 2374 | 2375 | SEC("lsm/ptrace_access_check") 2376 | int BPF_PROG(ptrace_access_check, struct task_struct *child, 2377 | unsigned int mode) 2378 | { 2379 | FILTER_OWN_PID_INT() 2380 | DUMP_FUNC(ptrace_access_check, struct task_struct *child, 2381 | unsigned int mode) 2382 | 2383 | bpf_printk("lsm_hook: systemv_ipc_shmem: ptrace_access_check\n"); 2384 | return 0; 2385 | } 2386 | 2387 | SEC("lsm/ptrace_traceme") 2388 | int BPF_PROG(ptrace_traceme, struct task_struct *parent) 2389 | { 2390 | FILTER_OWN_PID_INT() 2391 | DUMP_FUNC(ptrace_traceme, struct task_struct *parent) 2392 | 2393 | bpf_printk("lsm_hook: systemv_ipc_shmem: ptrace_traceme\n"); 2394 | return 0; 2395 | } 2396 | 2397 | SEC("lsm/capget") 2398 | int BPF_PROG(capget, struct task_struct *target, kernel_cap_t *effective, 2399 | kernel_cap_t *inheritable, kernel_cap_t *permitted) 2400 | { 2401 | FILTER_OWN_PID_INT() 2402 | DUMP_FUNC(capget, struct task_struct *target, kernel_cap_t *effective, 2403 | kernel_cap_t *inheritable, kernel_cap_t *permitted) 2404 | 2405 | bpf_printk("lsm_hook: systemv_ipc_shmem: capget\n"); 2406 | return 0; 2407 | } 2408 | 2409 | SEC("lsm/capset") 2410 | int BPF_PROG(capset, struct cred *new, const struct cred *old, 2411 | const kernel_cap_t *effective, const kernel_cap_t *inheritable, 2412 | const kernel_cap_t *permitted) 2413 | { 2414 | FILTER_OWN_PID_INT() 2415 | DUMP_FUNC(capset, struct cred *new, const struct cred *old, 2416 | const kernel_cap_t *effective, const kernel_cap_t *inheritable, 2417 | const kernel_cap_t *permitted) 2418 | 2419 | bpf_printk("lsm_hook: systemv_ipc_shmem: capset\n"); 2420 | return 0; 2421 | } 2422 | 2423 | SEC("lsm/capable") 2424 | int BPF_PROG(capable, const struct cred *cred, struct user_namespace *ns, 2425 | int cap, unsigned int opts) 2426 | { 2427 | FILTER_OWN_PID_INT() 2428 | DUMP_FUNC(capable, const struct cred *cred, struct user_namespace *ns, 2429 | int cap, unsigned int opts) 2430 | 2431 | bpf_printk("lsm_hook: systemv_ipc_shmem: capable\n"); 2432 | return 0; 2433 | } 2434 | 2435 | SEC("lsm/quotactl") 2436 | int BPF_PROG(quotactl, int cmds, int type, int id, struct super_block *sb) 2437 | { 2438 | FILTER_OWN_PID_INT() 2439 | DUMP_FUNC(quotactl, int cmds, int type, int id, struct super_block *sb) 2440 | 2441 | bpf_printk("lsm_hook: systemv_ipc_shmem: quotactl\n"); 2442 | return 0; 2443 | } 2444 | 2445 | SEC("lsm/quota_on") 2446 | int BPF_PROG(quota_on, struct dentry *dentry) 2447 | { 2448 | FILTER_OWN_PID_INT() 2449 | DUMP_FUNC(quota_on, struct dentry *dentry) 2450 | 2451 | bpf_printk("lsm_hook: systemv_ipc_shmem: quota_on\n"); 2452 | return 0; 2453 | } 2454 | 2455 | SEC("lsm/syslog") 2456 | int BPF_PROG(syslog, int type) 2457 | { 2458 | FILTER_OWN_PID_INT() 2459 | DUMP_FUNC(syslog, int type) 2460 | 2461 | bpf_printk("lsm_hook: systemv_ipc_shmem: syslog\n"); 2462 | return 0; 2463 | } 2464 | 2465 | SEC("lsm/settime") 2466 | int BPF_PROG(settime, const struct timespec64 *ts, 2467 | const struct timezone *tz) 2468 | { 2469 | FILTER_OWN_PID_INT() 2470 | DUMP_FUNC(settime, const struct timespec64 *ts, 2471 | const struct timezone *tz) 2472 | 2473 | bpf_printk("lsm_hook: systemv_ipc_shmem: settime\n"); 2474 | return 0; 2475 | } 2476 | 2477 | SEC("lsm/vm_enough_memory") 2478 | int BPF_PROG(vm_enough_memory, struct mm_struct *mm, long pages) 2479 | { 2480 | FILTER_OWN_PID_INT() 2481 | DUMP_FUNC(vm_enough_memory, struct mm_struct *mm, long pages) 2482 | 2483 | bpf_printk("lsm_hook: systemv_ipc_shmem: vm_enough_memory\n"); 2484 | return 0; 2485 | } 2486 | 2487 | SEC("lsm/ismaclabel") 2488 | int BPF_PROG(ismaclabel, const char *name) 2489 | { 2490 | FILTER_OWN_PID_INT() 2491 | DUMP_FUNC(ismaclabel, const char *name) 2492 | 2493 | bpf_printk("lsm_hook: systemv_ipc_shmem: ismaclabel\n"); 2494 | return 0; 2495 | } 2496 | 2497 | SEC("lsm/secid_to_secctx") 2498 | int BPF_PROG(secid_to_secctx, u32 secid, char **secdata, 2499 | u32 *seclen) 2500 | { 2501 | FILTER_OWN_PID_INT() 2502 | DUMP_FUNC(secid_to_secctx, u32 secid, char **secdata, 2503 | u32 *seclen) 2504 | 2505 | bpf_printk("lsm_hook: systemv_ipc_shmem: secid_to_secctx\n"); 2506 | return 0; 2507 | } 2508 | 2509 | SEC("lsm/secctx_to_secid") 2510 | int BPF_PROG(secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) 2511 | { 2512 | FILTER_OWN_PID_INT() 2513 | DUMP_FUNC(secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) 2514 | 2515 | bpf_printk("lsm_hook: systemv_ipc_shmem: secctx_to_secid\n"); 2516 | return 0; 2517 | } 2518 | 2519 | SEC("lsm/release_secctx") 2520 | void BPF_PROG(release_secctx, char *secdata, u32 seclen) 2521 | { 2522 | FILTER_OWN_PID_VOID() 2523 | DUMP_FUNC(release_secctx, char *secdata, u32 seclen) 2524 | 2525 | bpf_printk("lsm_hook: systemv_ipc_shmem: release_secctx\n"); 2526 | return; 2527 | } 2528 | 2529 | 2530 | /* Security hooks for Audit */ 2531 | 2532 | SEC("lsm/audit_rule_init") 2533 | int BPF_PROG(audit_rule_init, u32 field, u32 op, char *rulestr, 2534 | void **lsmrule) 2535 | { 2536 | FILTER_OWN_PID_INT() 2537 | DUMP_FUNC(audit_rule_init, u32 field, u32 op, char *rulestr, 2538 | void **lsmrule) 2539 | 2540 | bpf_printk("lsm_hook: audit: audit_rule_init\n"); 2541 | return 0; 2542 | } 2543 | 2544 | SEC("lsm/audit_rule_known") 2545 | int BPF_PROG(audit_rule_known, struct audit_krule *krule) 2546 | { 2547 | FILTER_OWN_PID_INT() 2548 | DUMP_FUNC(audit_rule_known, struct audit_krule *krule) 2549 | 2550 | bpf_printk("lsm_hook: audit: audit_rule_known\n"); 2551 | return 0; 2552 | } 2553 | 2554 | SEC("lsm/audit_rule_match") 2555 | int BPF_PROG(audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) 2556 | { 2557 | FILTER_OWN_PID_INT() 2558 | DUMP_FUNC(audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) 2559 | 2560 | bpf_printk("lsm_hook: audit: audit_rule_match\n"); 2561 | return 0; 2562 | } 2563 | 2564 | SEC("lsm/audit_rule_free") 2565 | void BPF_PROG(audit_rule_free, void *lsmrule) 2566 | { 2567 | FILTER_OWN_PID_VOID() 2568 | DUMP_FUNC(audit_rule_free, void *lsmrule) 2569 | 2570 | bpf_printk("lsm_hook: audit: audit_rule_free\n"); 2571 | return; 2572 | } 2573 | 2574 | SEC("lsm/inode_invalidate_secctx") 2575 | void BPF_PROG(inode_invalidate_secctx, struct inode *inode) 2576 | { 2577 | FILTER_OWN_PID_VOID() 2578 | DUMP_FUNC(inode_invalidate_secctx, struct inode *inode) 2579 | 2580 | bpf_printk("lsm_hook: audit: inode_invalidate_secctx\n"); 2581 | return; 2582 | } 2583 | 2584 | SEC("lsm/inode_notifysecctx") 2585 | int BPF_PROG(inode_notifysecctx, struct inode *inode, void *void_ctx, u32 ctxlen) 2586 | { 2587 | FILTER_OWN_PID_INT() 2588 | DUMP_FUNC(inode_notifysecctx, struct inode *inode, void *void_ctx, u32 ctxlen) 2589 | 2590 | bpf_printk("lsm_hook: audit: inode_notifysecctx\n"); 2591 | return 0; 2592 | } 2593 | 2594 | SEC("lsm/inode_setsecctx") 2595 | int BPF_PROG(inode_setsecctx, struct dentry *dentry, void *void_ctx, u32 ctxlen) 2596 | { 2597 | FILTER_OWN_PID_INT() 2598 | DUMP_FUNC(inode_setsecctx, struct dentry *dentry, void *void_ctx, u32 ctxlen) 2599 | 2600 | bpf_printk("lsm_hook: audit: inode_setsecctx\n"); 2601 | return 0; 2602 | } 2603 | 2604 | SEC("lsm/inode_getsecctx") 2605 | int BPF_PROG(inode_getsecctx, struct inode *inode, void **void_ctx, 2606 | u32 *ctxlen) 2607 | { 2608 | FILTER_OWN_PID_INT() 2609 | DUMP_FUNC(inode_getsecctx, struct inode *inode, void **void_ctx, 2610 | u32 *ctxlen) 2611 | 2612 | bpf_printk("lsm_hook: audit: inode_getsecctx\n"); 2613 | return 0; 2614 | } 2615 | 2616 | 2617 | 2618 | char _license[] SEC("license") = "GPL"; 2619 | 2620 | 2621 | 2622 | -------------------------------------------------------------------------------- /src/lsmtrace.c: -------------------------------------------------------------------------------- 1 | 2 | #include 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | #include 9 | #include "string.h" 10 | #include 11 | #include "lsmtrace.skel.h" 12 | #include "statedump.h" 13 | #include "logger.h" 14 | #include "syscall_helpers.h" 15 | #include 16 | #include 17 | 18 | 19 | /* Argp info */ 20 | const char *argp_program_version = "lsmtrace version 0.1"; 21 | const char *argp_program_bug_address = ""; 22 | const char argp_program_doc[] = 23 | "\nLinux Security Modules tracer\n" 24 | "\n" 25 | "Trace lsm hook calls triggered by process\n" 26 | "BPF_LSM config option must be enabled on this kernel\n" 27 | "\n" 28 | "Options:\n"; 29 | const char argp_program_args[] = "my_exec -a 'my_exec_arg1' .."; 30 | 31 | /* Argp options */ 32 | static const struct argp_option opts[] = { 33 | { "verbose", 'v', NULL, 0, "Verbose debug output" }, 34 | { "filter", 'f', "", 0, "Filter lsm hook cathegory, available {all|file|inode}" }, 35 | { "arg", 'a', "", 0, "Executable command argument" }, 36 | {}, 37 | }; 38 | 39 | /* Argp arguments */ 40 | static struct argp_args { 41 | bool verbose; 42 | int cathegory; 43 | } argp_args; 44 | 45 | 46 | static int argcnt = 1; 47 | const char *my_exec_argv[63] = {}; 48 | const char *my_exec_path = ""; 49 | const char *output_path = ""; 50 | 51 | 52 | /* Argp parse */ 53 | static error_t parse_arg(int key, char *arg, struct argp_state *state) 54 | { 55 | switch (key) { 56 | case 'v': 57 | argp_args.verbose = true; 58 | setLoggerVerbose(true); 59 | break; 60 | case 'f': 61 | if (strcmp(arg, "file") == 0) 62 | { 63 | argp_args.cathegory = FILE_CATH; 64 | break; 65 | } 66 | if (strcmp(arg, "inode") == 0) 67 | { 68 | argp_args.cathegory = INODE_CATH; 69 | break; 70 | } 71 | if (strcmp(arg, "all") == 0) 72 | { 73 | argp_args.cathegory = ALL_CATH; 74 | break; 75 | } 76 | argp_usage (state); 77 | //log_err("no option found: %s\n", arg); 78 | break; 79 | case 'a': 80 | my_exec_argv[argcnt] = arg; 81 | my_exec_argv[argcnt+1] = NULL; // Set next to NULL 82 | argcnt += 1; 83 | break; 84 | case ARGP_KEY_ARG: 85 | my_exec_path = arg; // Set next to NULL 86 | break; 87 | case ARGP_KEY_NO_ARGS: 88 | log_err("no executable name supplied"); 89 | argp_usage (state); 90 | break; 91 | default: 92 | return ARGP_ERR_UNKNOWN; 93 | } 94 | return 0; 95 | } 96 | 97 | /* Argp config */ 98 | static const struct argp argp = { 99 | .options = opts, 100 | .parser = parse_arg, 101 | .args_doc = argp_program_args, 102 | .doc = argp_program_doc, 103 | }; 104 | 105 | 106 | /* Libbpf callback handlers */ 107 | 108 | static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args) 109 | { 110 | if ( ( level == LIBBPF_DEBUG || level == LIBBPF_INFO ) && !argp_args.verbose ) 111 | return 0; 112 | return vfprintf(stderr, format, args); 113 | } 114 | 115 | static void bump_memlock_rlimit(void) 116 | { 117 | struct rlimit rlim_new = { 118 | .rlim_cur = RLIM_INFINITY, 119 | .rlim_max = RLIM_INFINITY, 120 | }; 121 | 122 | if (setrlimit(RLIMIT_MEMLOCK, &rlim_new)) { 123 | log_err("Failed to increase RLIMIT_MEMLOCK limit!\n"); 124 | exit(1); 125 | } 126 | } 127 | 128 | static int handle_event(void *ctx, void *data, size_t len) 129 | { 130 | dumpEvent(data, len); 131 | return 0; 132 | } 133 | 134 | 135 | /* Signal handlers */ 136 | 137 | static volatile bool exiting = false; 138 | 139 | static void sig_parentHandler(int sig) 140 | { 141 | 142 | if (exiting) return; 143 | 144 | if (SIGINT == sig) 145 | log_info("\nReceived signal SIGINT\n"); 146 | 147 | if (SIGTERM == sig) 148 | log_info("\nReceived signal SIGTERM\n"); 149 | 150 | exiting = true; 151 | } 152 | 153 | static void sig_childHandler(int sig) 154 | { 155 | if (SIGCONT == sig) 156 | log_verb("\nReceived signal SIGCONT\n"); 157 | } 158 | 159 | 160 | /* forks waiting for SIGCONT and returns pid */ 161 | static int exec_prog_and_wait(const char *path, const char **argv) 162 | { 163 | int my_pid; 164 | argv[0] = path; 165 | 166 | my_pid = fork(); 167 | if (my_pid < 0) 168 | { 169 | log_err("Could not execute fork\n"); 170 | exit(1); 171 | } 172 | 173 | log_verb("Launching child process: %s ", path); 174 | for (int i=1; argv[i] !=NULL; i++){ 175 | log_verb(" %s", argv[i]); 176 | }; 177 | log_verb("\nPaused waiting for SIGCONT ..\n"); 178 | 179 | /* child process */ 180 | if (my_pid == 0) 181 | { 182 | signal(SIGCONT, sig_childHandler); 183 | pause(); 184 | if (-1 == execve(path, (char **)argv , NULL)) { 185 | perror("child process execve failed"); 186 | exit(1); 187 | } 188 | exit(0); 189 | } 190 | 191 | 192 | return my_pid; 193 | } 194 | 195 | 196 | int main(int argc, char **argv) 197 | { 198 | 199 | struct ring_buffer *ringbuffer = NULL; 200 | struct lsmtrace_bpf *skel; 201 | int err; 202 | 203 | init_syscall_names(); 204 | 205 | /* Parse command line arguments */ 206 | err = argp_parse(&argp, argc, argv, 0, NULL, NULL); 207 | if (err) 208 | return err; 209 | 210 | /* Set up libbpf errors and debug info callback */ 211 | libbpf_set_print(libbpf_print_fn); 212 | 213 | /* Bump RLIMIT_MEMLOCK to create BPF maps */ 214 | bump_memlock_rlimit(); 215 | 216 | /* Cleaner handling of Ctrl-C */ 217 | signal(SIGINT, sig_parentHandler); 218 | signal(SIGTERM, sig_parentHandler); 219 | 220 | int child_pid = exec_prog_and_wait(my_exec_path, my_exec_argv); 221 | 222 | log_verb("Parent pid: %d\n", getpid()); 223 | log_verb("Child pid: %d\n", child_pid); 224 | 225 | /* Load and verify BPF application */ 226 | skel = lsmtrace_bpf__open(); 227 | if (!skel) { 228 | fprintf(stderr, "Failed to open and load BPF skeleton\n"); 229 | return 1; 230 | } 231 | 232 | /* Configure bpf probe with init values */ 233 | skel->bss->my_pid = child_pid; 234 | skel->rodata->cathegory = argp_args.cathegory; 235 | 236 | /* Load & verify BPF programs */ 237 | err = lsmtrace_bpf__load(skel); 238 | if (err) { 239 | fprintf(stderr, "Failed to load and verify BPF skeleton\n"); 240 | goto cleanup; 241 | } 242 | 243 | log_info("Attaching hooks, don`t rush..\n"); 244 | 245 | /* Attach tracepoints */ 246 | err = lsmtrace_bpf__attach(skel); 247 | if (err) { 248 | log_err("Failed to attach BPF skeleton\n"); 249 | goto cleanup; 250 | } 251 | 252 | /* Send child cont signal */ 253 | log_verb("Attached, starting execution\n"); 254 | kill(child_pid, SIGCONT); 255 | 256 | /* Set up ring buffer polling */ 257 | ringbuffer = ring_buffer__new(bpf_map__fd(skel->maps.ringbuf), handle_event, NULL, NULL); 258 | if (!ringbuffer) { 259 | err = -1; 260 | log_err("Failed to create ring buffer\n"); 261 | goto cleanup; 262 | } 263 | 264 | 265 | int childStatus; 266 | pid_t pidret; 267 | 268 | while (!exiting) { 269 | 270 | pidret = waitpid(-1, &childStatus, WNOHANG); 271 | 272 | if (pidret > 0) { 273 | break; 274 | } 275 | 276 | err = ring_buffer__poll(ringbuffer, 100 /* timeout, ms */); 277 | 278 | /* Ctrl-C will cause -EINTR */ 279 | if (err == -EINTR) { 280 | err = 0; 281 | break; 282 | } 283 | if (err < 0) { 284 | log_err("Error polling perf buffer: %d\n", err); 285 | break; 286 | } 287 | } 288 | 289 | cleanup: 290 | /* Clean up */ 291 | ring_buffer__free(ringbuffer); 292 | lsmtrace_bpf__destroy(skel); 293 | free_syscall_names(); 294 | 295 | return err < 0 ? -err : 0; 296 | } 297 | -------------------------------------------------------------------------------- /src/statedump.c: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #include "statedump.h" 16 | #include "events.h" 17 | #include "logger.h" 18 | #include 19 | #include "syscall_helpers.h" 20 | 21 | 22 | /* Dump file struct event */ 23 | int dumpFileStruct(struct file fl, size_t len); 24 | 25 | 26 | int printFunCallEvt(const struct Event *evt) { 27 | const func_call_Event* tevt = (func_call_Event*) evt; 28 | log_info("-> %s: ", evt->label); 29 | log_info("-> %s", tevt->name); 30 | log_info("( %s", tevt->args); 31 | log_info(" )\n"); 32 | return 0; 33 | } 34 | 35 | int printSysCallEnterEvt(const struct Event *evt) { 36 | const sys_enter_Event* tevt = (sys_enter_Event*) evt; 37 | log_info("-> %s: ", evt->label); 38 | char buf[MAX_LABEL_SIZE]; 39 | syscall_name(tevt->id, buf, sizeof(buf)); 40 | log_info(" %s\n", buf); 41 | return 0; 42 | } 43 | 44 | int printSysCallExitEvt(const struct Event *evt) { 45 | const sys_exit_Event* tevt = (sys_exit_Event*) evt; 46 | log_info("-> %s: ", evt->label); 47 | char buf[MAX_LABEL_SIZE]; 48 | syscall_name(tevt->id, buf, sizeof(buf)); 49 | log_info(" %s\n", buf); 50 | log_info(" ret: %ld\n", tevt->ret); 51 | return 0; 52 | } 53 | 54 | int printSuintMemberEvt(const struct Event *evt) { 55 | const suint_member_Event* tevt = (suint_member_Event*) evt; 56 | log_info(" %s = ", tevt->msg); 57 | log_info("%hu\n", tevt->member); 58 | return 0; 59 | } 60 | 61 | int printUintMemberEvt(const struct Event *evt) { 62 | const uint_member_Event* tevt = (uint_member_Event*) evt; 63 | log_info(" %s = ", tevt->msg); 64 | log_info("%hu\n", tevt->member); 65 | return 0; 66 | } 67 | 68 | int printLuintMemberEvt(const struct Event *evt) { 69 | const luint_member_Event* tevt = (luint_member_Event*) evt; 70 | log_info(" %s = ", tevt->msg); 71 | log_info("%ld\n", tevt->member); 72 | return 0; 73 | } 74 | 75 | 76 | int printLlintMemberEvt(const struct Event *evt) { 77 | const llint_member_Event* tevt = (llint_member_Event*) evt; 78 | log_info(" %s = ", tevt->msg); 79 | log_info("%lld\n", tevt->member); 80 | return 0; 81 | } 82 | 83 | int printStrMemberEvt(const struct Event *evt) { 84 | const str_member_Event* tevt = (str_member_Event*) evt; 85 | log_info(" %s = ", tevt->msg); 86 | log_info("%s\n", tevt->member); 87 | return 0; 88 | } 89 | 90 | 91 | 92 | /* Dump typed event */ 93 | int dumpEvent(void* data, size_t len) { 94 | 95 | const struct Event *evt = data; 96 | 97 | 98 | switch (evt->etype) 99 | { 100 | case FUNCTION_CALL: { 101 | return printFunCallEvt(evt); 102 | } 103 | case SYS_CALL_ENTER: { 104 | return printSysCallEnterEvt(evt); 105 | } 106 | case SYS_CALL_EXIT: { 107 | return printSysCallExitEvt(evt); 108 | } 109 | case MEMBER_SUINT: { 110 | return printSuintMemberEvt(evt); 111 | } 112 | case MEMBER_UINT: { 113 | return printUintMemberEvt(evt); 114 | } 115 | case MEMBER_LUINT: { 116 | return printLuintMemberEvt(evt); 117 | } 118 | case MEMBER_LLINT: { 119 | return printLlintMemberEvt(evt); 120 | } 121 | case MEMBER_STR: { 122 | return printStrMemberEvt(evt); 123 | } 124 | case STRUCT_FILE: { 125 | const file_struct_Event* tevt = (file_struct_Event*) evt; 126 | log_info(" ->Message: %s\n", tevt->msg); 127 | __builtin_dump_struct(tevt, &log_info); 128 | break; 129 | } 130 | case STRUCT_DENTRY: { 131 | const dentry_struct_Event* tevt = (dentry_struct_Event*) evt; 132 | log_info(" -> Message: %s\n", tevt->msg); 133 | __builtin_dump_struct(tevt, &log_info); 134 | break; 135 | } 136 | case STRUCT_QSTR: { 137 | const qstr_struct_Event* tevt = (qstr_struct_Event*) evt; 138 | log_info(" -> Message: %s\n", tevt->msg); 139 | __builtin_dump_struct(tevt, &log_info); 140 | break; 141 | } 142 | default: { 143 | log_err("Event not found !\n"); 144 | break; 145 | } 146 | } 147 | 148 | return 0; 149 | } 150 | 151 | 152 | 153 | 154 | /* Test print test */ 155 | int printTest() { 156 | log_info("test\n"); 157 | return 0; 158 | } 159 | 160 | -------------------------------------------------------------------------------- /src/statedump.h: -------------------------------------------------------------------------------- 1 | // Copyright 2020 (C) Luca Montechiesi 2 | // 3 | // Licensed under the Apache License, Version 2.0 (the "License"); 4 | // you may not use this file except in compliance with the License. 5 | // You may obtain a copy of the License at 6 | // 7 | // http://www.apache.org/licenses/LICENSE-2.0 8 | // 9 | // Unless required by applicable law or agreed to in writing, software 10 | // distributed under the License is distributed on an "AS IS" BASIS, 11 | // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 | // See the License for the specific language governing permissions and 13 | // limitations under the License. 14 | 15 | #ifndef __SDUMP_H 16 | #define __SDUMP_H 17 | 18 | #include 19 | 20 | /* Dump typed event */ 21 | int dumpEvent( void*, size_t); 22 | 23 | #endif /* __SDUMP_H */ 24 | 25 | 26 | -------------------------------------------------------------------------------- /src/syscall_helpers.c: -------------------------------------------------------------------------------- 1 | // SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) 2 | // Copyright (c) 2020 Anton Protopopov 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include 8 | 9 | static const char **syscall_names; 10 | static size_t syscall_names_size; 11 | 12 | #define warn(...) fprintf(stderr, __VA_ARGS__) 13 | #define MAX(x, y) (((x) > (y)) ? (x) : (y)) 14 | 15 | static const char *parse_syscall(const char *buf, int *number) 16 | { 17 | char *end; 18 | long x; 19 | 20 | errno = 0; 21 | x = strtol(buf, &end, 10); 22 | if (errno) { 23 | warn("strtol(%s): %s\n", buf, strerror(errno)); 24 | return NULL; 25 | } else if (end == buf) { 26 | warn("strtol(%s): no digits found\n", buf); 27 | return NULL; 28 | } else if (x < 0 || x > INT_MAX) { 29 | warn("strtol(%s): bad syscall number: %ld\n", buf, x); 30 | return NULL; 31 | } 32 | if (*end != '\t') { 33 | warn("bad input: %s (expected \t)\n", buf); 34 | return NULL; 35 | } 36 | 37 | *number = x; 38 | return ++end; 39 | } 40 | 41 | void init_syscall_names(void) 42 | { 43 | size_t old_size, size = 1024; 44 | const char *name; 45 | char buf[64]; 46 | int number; 47 | int err; 48 | FILE *f; 49 | 50 | f = popen("ausyscall --dump 2>/dev/null", "r"); 51 | if (!f) { 52 | warn("popen: ausyscall --dump: %s\n", strerror(errno)); 53 | return; 54 | } 55 | 56 | syscall_names = calloc(size, sizeof(char *)); 57 | if (!syscall_names) { 58 | warn("calloc: %s\n", strerror(errno)); 59 | goto close; 60 | } 61 | 62 | /* skip the header, ignore the result of fgets, outwit the comiler */ 63 | (void) !!fgets(buf, sizeof(buf), f); 64 | 65 | while (fgets(buf, sizeof(buf), f)) { 66 | if (buf[strlen(buf) - 1] == '\n') 67 | buf[strlen(buf) - 1] = '\0'; 68 | 69 | name = parse_syscall(buf, &number); 70 | if (!name || !name[0]) 71 | goto close; 72 | 73 | /* In a rare case when syscall number is > than initial 1024 */ 74 | if (number >= size) { 75 | old_size = size; 76 | size = 1024 * (1 + number / 1024); 77 | syscall_names = realloc(syscall_names, 78 | size * sizeof(char *)); 79 | if (!syscall_names) { 80 | warn("realloc: %s\n", strerror(errno)); 81 | goto close; 82 | } 83 | memset(syscall_names+old_size, 0, 84 | (size - old_size) * sizeof(char *)); 85 | } 86 | 87 | if (syscall_names[number]) { 88 | warn("duplicate number: %d (stored: %s)", 89 | number, syscall_names[number]); 90 | goto close; 91 | } 92 | 93 | syscall_names[number] = strdup(name); 94 | if (!syscall_names[number]) { 95 | warn("strdup: %s\n", strerror(errno)); 96 | goto close; 97 | } 98 | syscall_names_size = MAX(number+1, syscall_names_size); 99 | } 100 | 101 | if (ferror(f)) 102 | warn("fgets: %s\n", strerror(errno)); 103 | close: 104 | err = pclose(f); 105 | if (err < 0) 106 | warn("pclose: %s\n", strerror(errno)); 107 | #ifndef __x86_64__ 108 | /* Ignore the error for x86_64 where we have a table compiled in */ 109 | else if (err && WEXITSTATUS(err) == 127) { 110 | warn("ausyscall required for syscalls number/name mapping\n"); 111 | } else if (err) { 112 | warn("ausyscall exit status (see wait(2)): 0x%x\n", err); 113 | } 114 | #endif 115 | } 116 | 117 | void free_syscall_names(void) 118 | { 119 | for (size_t i = 0; i < syscall_names_size; i++) 120 | free((void *) syscall_names[i]); 121 | free(syscall_names); 122 | } 123 | 124 | /* 125 | * Syscall table for Linux x86_64. 126 | * 127 | * Semi-automatically generated from strace/linux/x86_64/syscallent.h and 128 | * linux/syscallent-common.h using the following commands: 129 | * 130 | * awk -F\" '/SEN/{printf("%d %s\n", substr($0,2,3), $(NF-1));}' syscallent.h 131 | * awk '/SEN/ { printf("%d %s\n", $3, $9); }' syscallent-common.h 132 | * 133 | * (The idea is taken from src/python/bcc/syscall.py.) 134 | */ 135 | #ifdef __x86_64__ 136 | static const char *syscall_names_x86_64[] = { 137 | [0] = "read", 138 | [1] = "write", 139 | [2] = "open", 140 | [3] = "close", 141 | [4] = "stat", 142 | [5] = "fstat", 143 | [6] = "lstat", 144 | [7] = "poll", 145 | [8] = "lseek", 146 | [9] = "mmap", 147 | [10] = "mprotect", 148 | [11] = "munmap", 149 | [12] = "brk", 150 | [13] = "rt_sigaction", 151 | [14] = "rt_sigprocmask", 152 | [15] = "rt_sigreturn", 153 | [16] = "ioctl", 154 | [17] = "pread64", 155 | [18] = "pwrite64", 156 | [19] = "readv", 157 | [20] = "writev", 158 | [21] = "access", 159 | [22] = "pipe", 160 | [23] = "select", 161 | [24] = "sched_yield", 162 | [25] = "mremap", 163 | [26] = "msync", 164 | [27] = "mincore", 165 | [28] = "madvise", 166 | [29] = "shmget", 167 | [30] = "shmat", 168 | [31] = "shmctl", 169 | [32] = "dup", 170 | [33] = "dup2", 171 | [34] = "pause", 172 | [35] = "nanosleep", 173 | [36] = "getitimer", 174 | [37] = "alarm", 175 | [38] = "setitimer", 176 | [39] = "getpid", 177 | [40] = "sendfile", 178 | [41] = "socket", 179 | [42] = "connect", 180 | [43] = "accept", 181 | [44] = "sendto", 182 | [45] = "recvfrom", 183 | [46] = "sendmsg", 184 | [47] = "recvmsg", 185 | [48] = "shutdown", 186 | [49] = "bind", 187 | [50] = "listen", 188 | [51] = "getsockname", 189 | [52] = "getpeername", 190 | [53] = "socketpair", 191 | [54] = "setsockopt", 192 | [55] = "getsockopt", 193 | [56] = "clone", 194 | [57] = "fork", 195 | [58] = "vfork", 196 | [59] = "execve", 197 | [60] = "exit", 198 | [61] = "wait4", 199 | [62] = "kill", 200 | [63] = "uname", 201 | [64] = "semget", 202 | [65] = "semop", 203 | [66] = "semctl", 204 | [67] = "shmdt", 205 | [68] = "msgget", 206 | [69] = "msgsnd", 207 | [70] = "msgrcv", 208 | [71] = "msgctl", 209 | [72] = "fcntl", 210 | [73] = "flock", 211 | [74] = "fsync", 212 | [75] = "fdatasync", 213 | [76] = "truncate", 214 | [77] = "ftruncate", 215 | [78] = "getdents", 216 | [79] = "getcwd", 217 | [80] = "chdir", 218 | [81] = "fchdir", 219 | [82] = "rename", 220 | [83] = "mkdir", 221 | [84] = "rmdir", 222 | [85] = "creat", 223 | [86] = "link", 224 | [87] = "unlink", 225 | [88] = "symlink", 226 | [89] = "readlink", 227 | [90] = "chmod", 228 | [91] = "fchmod", 229 | [92] = "chown", 230 | [93] = "fchown", 231 | [94] = "lchown", 232 | [95] = "umask", 233 | [96] = "gettimeofday", 234 | [97] = "getrlimit", 235 | [98] = "getrusage", 236 | [99] = "sysinfo", 237 | [100] = "times", 238 | [101] = "ptrace", 239 | [102] = "getuid", 240 | [103] = "syslog", 241 | [104] = "getgid", 242 | [105] = "setuid", 243 | [106] = "setgid", 244 | [107] = "geteuid", 245 | [108] = "getegid", 246 | [109] = "setpgid", 247 | [110] = "getppid", 248 | [111] = "getpgrp", 249 | [112] = "setsid", 250 | [113] = "setreuid", 251 | [114] = "setregid", 252 | [115] = "getgroups", 253 | [116] = "setgroups", 254 | [117] = "setresuid", 255 | [118] = "getresuid", 256 | [119] = "setresgid", 257 | [120] = "getresgid", 258 | [121] = "getpgid", 259 | [122] = "setfsuid", 260 | [123] = "setfsgid", 261 | [124] = "getsid", 262 | [125] = "capget", 263 | [126] = "capset", 264 | [127] = "rt_sigpending", 265 | [128] = "rt_sigtimedwait", 266 | [129] = "rt_sigqueueinfo", 267 | [130] = "rt_sigsuspend", 268 | [131] = "sigaltstack", 269 | [132] = "utime", 270 | [133] = "mknod", 271 | [134] = "uselib", 272 | [135] = "personality", 273 | [136] = "ustat", 274 | [137] = "statfs", 275 | [138] = "fstatfs", 276 | [139] = "sysfs", 277 | [140] = "getpriority", 278 | [141] = "setpriority", 279 | [142] = "sched_setparam", 280 | [143] = "sched_getparam", 281 | [144] = "sched_setscheduler", 282 | [145] = "sched_getscheduler", 283 | [146] = "sched_get_priority_max", 284 | [147] = "sched_get_priority_min", 285 | [148] = "sched_rr_get_interval", 286 | [149] = "mlock", 287 | [150] = "munlock", 288 | [151] = "mlockall", 289 | [152] = "munlockall", 290 | [153] = "vhangup", 291 | [154] = "modify_ldt", 292 | [155] = "pivot_root", 293 | [156] = "_sysctl", 294 | [157] = "prctl", 295 | [158] = "arch_prctl", 296 | [159] = "adjtimex", 297 | [160] = "setrlimit", 298 | [161] = "chroot", 299 | [162] = "sync", 300 | [163] = "acct", 301 | [164] = "settimeofday", 302 | [165] = "mount", 303 | [166] = "umount2", 304 | [167] = "swapon", 305 | [168] = "swapoff", 306 | [169] = "reboot", 307 | [170] = "sethostname", 308 | [171] = "setdomainname", 309 | [172] = "iopl", 310 | [173] = "ioperm", 311 | [174] = "create_module", 312 | [175] = "init_module", 313 | [176] = "delete_module", 314 | [177] = "get_kernel_syms", 315 | [178] = "query_module", 316 | [179] = "quotactl", 317 | [180] = "nfsservctl", 318 | [181] = "getpmsg", 319 | [182] = "putpmsg", 320 | [183] = "afs_syscall", 321 | [184] = "tuxcall", 322 | [185] = "security", 323 | [186] = "gettid", 324 | [187] = "readahead", 325 | [188] = "setxattr", 326 | [189] = "lsetxattr", 327 | [190] = "fsetxattr", 328 | [191] = "getxattr", 329 | [192] = "lgetxattr", 330 | [193] = "fgetxattr", 331 | [194] = "listxattr", 332 | [195] = "llistxattr", 333 | [196] = "flistxattr", 334 | [197] = "removexattr", 335 | [198] = "lremovexattr", 336 | [199] = "fremovexattr", 337 | [200] = "tkill", 338 | [201] = "time", 339 | [202] = "futex", 340 | [203] = "sched_setaffinity", 341 | [204] = "sched_getaffinity", 342 | [205] = "set_thread_area", 343 | [206] = "io_setup", 344 | [207] = "io_destroy", 345 | [208] = "io_getevents", 346 | [209] = "io_submit", 347 | [210] = "io_cancel", 348 | [211] = "get_thread_area", 349 | [212] = "lookup_dcookie", 350 | [213] = "epoll_create", 351 | [214] = "epoll_ctl_old", 352 | [215] = "epoll_wait_old", 353 | [216] = "remap_file_pages", 354 | [217] = "getdents64", 355 | [218] = "set_tid_address", 356 | [219] = "restart_syscall", 357 | [220] = "semtimedop", 358 | [221] = "fadvise64", 359 | [222] = "timer_create", 360 | [223] = "timer_settime", 361 | [224] = "timer_gettime", 362 | [225] = "timer_getoverrun", 363 | [226] = "timer_delete", 364 | [227] = "clock_settime", 365 | [228] = "clock_gettime", 366 | [229] = "clock_getres", 367 | [230] = "clock_nanosleep", 368 | [231] = "exit_group", 369 | [232] = "epoll_wait", 370 | [233] = "epoll_ctl", 371 | [234] = "tgkill", 372 | [235] = "utimes", 373 | [236] = "vserver", 374 | [237] = "mbind", 375 | [238] = "set_mempolicy", 376 | [239] = "get_mempolicy", 377 | [240] = "mq_open", 378 | [241] = "mq_unlink", 379 | [242] = "mq_timedsend", 380 | [243] = "mq_timedreceive", 381 | [244] = "mq_notify", 382 | [245] = "mq_getsetattr", 383 | [246] = "kexec_load", 384 | [247] = "waitid", 385 | [248] = "add_key", 386 | [249] = "request_key", 387 | [250] = "keyctl", 388 | [251] = "ioprio_set", 389 | [252] = "ioprio_get", 390 | [253] = "inotify_init", 391 | [254] = "inotify_add_watch", 392 | [255] = "inotify_rm_watch", 393 | [256] = "migrate_pages", 394 | [257] = "openat", 395 | [258] = "mkdirat", 396 | [259] = "mknodat", 397 | [260] = "fchownat", 398 | [261] = "futimesat", 399 | [262] = "newfstatat", 400 | [263] = "unlinkat", 401 | [264] = "renameat", 402 | [265] = "linkat", 403 | [266] = "symlinkat", 404 | [267] = "readlinkat", 405 | [268] = "fchmodat", 406 | [269] = "faccessat", 407 | [270] = "pselect6", 408 | [271] = "ppoll", 409 | [272] = "unshare", 410 | [273] = "set_robust_list", 411 | [274] = "get_robust_list", 412 | [275] = "splice", 413 | [276] = "tee", 414 | [277] = "sync_file_range", 415 | [278] = "vmsplice", 416 | [279] = "move_pages", 417 | [280] = "utimensat", 418 | [281] = "epoll_pwait", 419 | [282] = "signalfd", 420 | [283] = "timerfd_create", 421 | [284] = "eventfd", 422 | [285] = "fallocate", 423 | [286] = "timerfd_settime", 424 | [287] = "timerfd_gettime", 425 | [288] = "accept4", 426 | [289] = "signalfd4", 427 | [290] = "eventfd2", 428 | [291] = "epoll_create1", 429 | [292] = "dup3", 430 | [293] = "pipe2", 431 | [294] = "inotify_init1", 432 | [295] = "preadv", 433 | [296] = "pwritev", 434 | [297] = "rt_tgsigqueueinfo", 435 | [298] = "perf_event_open", 436 | [299] = "recvmmsg", 437 | [300] = "fanotify_init", 438 | [301] = "fanotify_mark", 439 | [302] = "prlimit64", 440 | [303] = "name_to_handle_at", 441 | [304] = "open_by_handle_at", 442 | [305] = "clock_adjtime", 443 | [306] = "syncfs", 444 | [307] = "sendmmsg", 445 | [308] = "setns", 446 | [309] = "getcpu", 447 | [310] = "process_vm_readv", 448 | [311] = "process_vm_writev", 449 | [312] = "kcmp", 450 | [313] = "finit_module", 451 | [314] = "sched_setattr", 452 | [315] = "sched_getattr", 453 | [316] = "renameat2", 454 | [317] = "seccomp", 455 | [318] = "getrandom", 456 | [319] = "memfd_create", 457 | [320] = "kexec_file_load", 458 | [321] = "bpf", 459 | [322] = "execveat", 460 | [323] = "userfaultfd", 461 | [324] = "membarrier", 462 | [325] = "mlock2", 463 | [326] = "copy_file_range", 464 | [327] = "preadv2", 465 | [328] = "pwritev2", 466 | [329] = "pkey_mprotect", 467 | [330] = "pkey_alloc", 468 | [331] = "pkey_free", 469 | [332] = "statx", 470 | [333] = "io_pgetevents", 471 | [334] = "rseq", 472 | [424] = "pidfd_send_signal", 473 | [425] = "io_uring_setup", 474 | [426] = "io_uring_enter", 475 | [427] = "io_uring_register", 476 | [428] = "open_tree", 477 | [429] = "move_mount", 478 | [430] = "fsopen", 479 | [431] = "fsconfig", 480 | [432] = "fsmount", 481 | [433] = "fspick", 482 | [434] = "pidfd_open", 483 | [435] = "clone3", 484 | [437] = "openat2", 485 | [438] = "pidfd_getfd", 486 | }; 487 | size_t syscall_names_x86_64_size = sizeof(syscall_names_x86_64)/sizeof(char*); 488 | #endif 489 | 490 | void syscall_name(unsigned n, char *buf, size_t size) 491 | { 492 | const char *name = NULL; 493 | 494 | if (n < syscall_names_size) 495 | name = syscall_names[n]; 496 | #ifdef __x86_64__ 497 | else if (n < syscall_names_x86_64_size) 498 | name = syscall_names_x86_64[n]; 499 | #endif 500 | 501 | if (name) 502 | strncpy(buf, name, size-1); 503 | else 504 | snprintf(buf, size, "[unknown: %u]", n); 505 | } 506 | 507 | int list_syscalls(void) 508 | { 509 | const char **list = syscall_names; 510 | size_t size = syscall_names_size; 511 | 512 | #ifdef __x86_64__ 513 | if (!size) { 514 | size = syscall_names_x86_64_size; 515 | list = syscall_names_x86_64; 516 | } 517 | #endif 518 | 519 | for (size_t i = 0; i < size; i++) { 520 | if (list[i]) 521 | printf("%3zd: %s\n", i, list[i]); 522 | } 523 | 524 | return (!list || !size); 525 | } 526 | 527 | -------------------------------------------------------------------------------- /src/syscall_helpers.h: -------------------------------------------------------------------------------- 1 | /* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */ 2 | #ifndef __SYSCALL_HELPERS_H 3 | #define __SYSCALL_HELPERS_H 4 | 5 | //#include 6 | #include 7 | 8 | void init_syscall_names(void); 9 | void free_syscall_names(void); 10 | void list_syscalls(void); 11 | void syscall_name(unsigned n, char *buf, size_t size); 12 | 13 | #endif /* __SYSCALL_HELPERS_H */ 14 | -------------------------------------------------------------------------------- /tools/bpftool: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lumontec/lsmtrace/5a97f332504817223dae212c0c66c8a75006fe6a/tools/bpftool -------------------------------------------------------------------------------- /tools/gen_vmlinux_h.sh: -------------------------------------------------------------------------------- 1 | #/bin/sh 2 | 3 | $(dirname "$0")/bpftool btf dump file ${1:=/sys/kernel/btf/vmlinux} format c 4 | --------------------------------------------------------------------------------