// SPDX-License-Identifier: GPL-2.0
// Copyright (c) 2020 Wenbo Zhang
3*387f9dfdSAndroid Build Coastguard Worker #include <vmlinux.h>
4*387f9dfdSAndroid Build Coastguard Worker #include <bpf/bpf_helpers.h>
5*387f9dfdSAndroid Build Coastguard Worker #include <bpf/bpf_core_read.h>
6*387f9dfdSAndroid Build Coastguard Worker #include <bpf/bpf_tracing.h>
7*387f9dfdSAndroid Build Coastguard Worker #include "filelife.h"
8*387f9dfdSAndroid Build Coastguard Worker #include "core_fixes.bpf.h"
9*387f9dfdSAndroid Build Coastguard Worker
/*
 * Local copy of FMODE_CREATED from the kernel's include/linux/fs.h.
 * A macro cannot be CO-RE relocated, so this value has to be kept in sync
 * with the kernels the tool is run on; if it ever differs, the vfs_open
 * probe stops recognising newly created files without any error.
 */
#define FMODE_CREATED 0x100000

/*
 * Thread-group id whose file creations are tracked; 0 means "track every
 * process".  NOTE(review): presumably filled in by the user-space loader
 * before the program is loaded -- confirm against the loader source.
 */
const volatile pid_t targ_tgid = 0;
14*387f9dfdSAndroid Build Coastguard Worker
/*
 * start: creation timestamp (ns, from bpf_ktime_get_ns()) keyed by the
 * dentry pointer of the created file.
 *
 * Entries are only removed by the vfs_unlink probe, so a file that is
 * created but never unlinked keeps its slot.  The map holds at most 8192
 * entries; once it is full further inserts fail and those files are not
 * tracked.
 */
struct {
	__uint(type, BPF_MAP_TYPE_HASH);
	__uint(max_entries, 8192);
	__type(key, struct dentry *);
	__type(value, u64);
} start SEC(".maps");
21*387f9dfdSAndroid Build Coastguard Worker
/*
 * events: perf event array through which the vfs_unlink probe sends one
 * struct event per tracked file that gets deleted.
 */
struct {
	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
	__uint(key_size, sizeof(u32));
	__uint(value_size, sizeof(u32));
} events SEC(".maps");
27*387f9dfdSAndroid Build Coastguard Worker
/*
 * Remember when @dentry was created.
 *
 * Stores the current monotonic time in the start map under the dentry
 * pointer, unless a target tgid is configured and the current task belongs
 * to a different one.  Always returns 0.
 *
 * The result of bpf_map_update_elem() is not checked: when the insert fails
 * (for instance because the 8192-entry map is full) the creation goes
 * untracked and no event is produced for that file later on.
 */
static __always_inline int
probe_create(struct dentry *dentry)
{
	u64 pid_tgid = bpf_get_current_pid_tgid();
	u32 cur_tgid = pid_tgid >> 32;	/* upper 32 bits hold the tgid */
	u64 now;

	/* targ_tgid == 0 disables the filter. */
	if (targ_tgid) {
		if (targ_tgid != cur_tgid)
			return 0;
	}

	now = bpf_ktime_get_ns();
	/* flags 0 (BPF_ANY): insert, or overwrite an existing timestamp */
	bpf_map_update_elem(&start, &dentry, &now, 0);
	return 0;
}
42*387f9dfdSAndroid Build Coastguard Worker
/**
 * kprobe on vfs_create(): start timing the file behind the dentry argument.
 *
 * Depending on the kernel version, vfs_create() has one of three
 * declarations, and the dentry sits at a different argument position:
 *
 * int vfs_create(struct inode *dir, struct dentry *dentry, umode_t mode,
 *                bool want_excl);
 * int vfs_create(struct user_namespace *mnt_userns, struct inode *dir,
 *                struct dentry *dentry, umode_t mode, bool want_excl);
 * int vfs_create(struct mnt_idmap *idmap, struct inode *dir,
 *                struct dentry *dentry, umode_t mode, bool want_excl);
 *
 * The renamedata_has_*() helpers from core_fixes.bpf.h select the layout:
 * if either returns true the dentry is taken from the third argument,
 * otherwise from the second.
 */
SEC("kprobe/vfs_create")
int BPF_KPROBE(vfs_create, void *arg0, void *arg1, void *arg2)
{
	bool dentry_is_third = renamedata_has_old_mnt_userns_field()
			       || renamedata_has_new_mnt_idmap_field();

	return probe_create(dentry_is_third ? arg2 : arg1);
}
63*387f9dfdSAndroid Build Coastguard Worker
/*
 * kprobe on vfs_open(): start timing the file only when this open created
 * it, i.e. when FMODE_CREATED is set in file->f_mode.  Opens of existing
 * files are ignored.
 */
SEC("kprobe/vfs_open")
int BPF_KPROBE(vfs_open, struct path *path, struct file *file)
{
	struct dentry *opened = BPF_CORE_READ(path, dentry);
	int mode_bits = BPF_CORE_READ(file, f_mode);

	if (mode_bits & FMODE_CREATED)
		return probe_create(opened);

	return 0;
}
75*387f9dfdSAndroid Build Coastguard Worker
/*
 * kprobe on security_inode_create(): start timing the file for @dentry.
 * @dir is not used.  probe_create() overwrites any timestamp already stored
 * for the same dentry, so if more than one creation probe fires for a file
 * the last one wins.
 */
SEC("kprobe/security_inode_create")
int BPF_KPROBE(security_inode_create, struct inode *dir,
	       struct dentry *dentry)
{
	int ret = probe_create(dentry);

	return ret;
}
82*387f9dfdSAndroid Build Coastguard Worker
/**
 * kprobe on vfs_unlink(): report the lifetime of a tracked file.
 *
 * Depending on the kernel version, vfs_unlink() has one of three
 * declarations, and the dentry sits at a different argument position:
 *
 * int vfs_unlink(struct inode *dir, struct dentry *dentry,
 *                struct inode **delegated_inode);
 * int vfs_unlink(struct user_namespace *mnt_userns, struct inode *dir,
 *                struct dentry *dentry, struct inode **delegated_inode);
 * int vfs_unlink(struct mnt_idmap *idmap, struct inode *dir,
 *                struct dentry *dentry, struct inode **delegated_inode);
 *
 * If the dentry has a creation timestamp in the start map, the entry is
 * removed and an event carrying the file name, the elapsed time, and the
 * current task's comm and tgid is sent through the events perf array.
 *
 * Notes for consumers of the events:
 *  - tgid and task describe the task that called unlink, which is not
 *    necessarily the task that created the file.
 *  - targ_tgid is not consulted here; filtering happens only when the
 *    creation is recorded.
 *  - the return values of bpf_probe_read_kernel_str() and
 *    bpf_perf_event_output() are not checked, so a failed name read or a
 *    full perf buffer is not signalled.
 */
SEC("kprobe/vfs_unlink")
int BPF_KPROBE(vfs_unlink, void *arg0, void *arg1, void *arg2)
{
	u64 pid_tgid = bpf_get_current_pid_tgid();
	/* zero-initialised so no uninitialised stack bytes reach user space */
	struct event event = {};
	const u8 *name;
	u64 *created_ns, age_ns;
	void *victim;

	/* Newer signatures carry the dentry as third argument, older as second. */
	if (renamedata_has_old_mnt_userns_field()
	    || renamedata_has_new_mnt_idmap_field())
		victim = arg2;
	else
		victim = arg1;

	created_ns = bpf_map_lookup_elem(&start, &victim);
	if (!created_ns)
		return 0;	/* creation was not recorded for this dentry */

	/* Copy the value out before the entry is deleted. */
	age_ns = bpf_ktime_get_ns() - *created_ns;
	bpf_map_delete_elem(&start, &victim);

	name = BPF_CORE_READ((struct dentry *)victim, d_name.name);
	bpf_probe_read_kernel_str(&event.file, sizeof(event.file), name);
	bpf_get_current_comm(&event.task, sizeof(event.task));
	event.tgid = pid_tgid >> 32;
	event.delta_ns = age_ns;

	/* Hand the record to user space on the current CPU's buffer. */
	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU,
			      &event, sizeof(event));
	return 0;
}
132*387f9dfdSAndroid Build Coastguard Worker
/* License string placed in the "license" section of the BPF object. */
char LICENSE[] SEC("license") = "GPL";