/*
 * Handler for the read syscall number: copy the struct seccomp_data that the
 * probe's second argument points to, and log the call when the third syscall
 * argument (the size) is greater than 128 and at most 1024.
 *
 * Always returns 0.
 */
PROG(__NR_read)(struct pt_regs *ctx)
{
	struct seccomp_data data;

	/*
	 * NOTE(review): the helper's return value is not checked, so the size
	 * filter below runs on whatever the helper left in `data` - confirm
	 * that is acceptable on a failed read.
	 */
	bpf_probe_read(&data, sizeof(data), (void *)PT_REGS_PARM2(ctx));

	/* Outside the (128, 1024] window: nothing to report. */
	if (data.args[2] <= 128 || data.args[2] > 1024)
		return 0;

	/*
	 * The format string is a local array so it can be handed to the helper
	 * together with its size. bpf_trace_printk() is a debugging aid: the
	 * output goes to the shared kernel trace buffer.
	 */
	char msg[] = "read(fd=%d, buf=%p, size=%d)\n";

	bpf_trace_printk(msg, sizeof(msg),
			 data.args[0], data.args[1], data.args[2]);
	return 0;
}
/*
 * we jump here when syscall number == __NR_write
 *
 * Copies the struct seccomp_data that the probe's second argument points to
 * and logs the call only when the third syscall argument (the size) is
 * exactly 512. Always returns 0.
 */
PROG(SYS__NR_write)(struct pt_regs *ctx)
{
	struct seccomp_data data;

	/*
	 * NOTE(review): the helper's return value is not checked, so the size
	 * comparison below runs on whatever the helper left in `data` -
	 * confirm that is acceptable on a failed read.
	 */
	bpf_probe_read(&data, sizeof(data), (void *)PT_REGS_PARM2(ctx));

	/* Only writes of exactly 512 bytes are reported. */
	if (data.args[2] != 512)
		return 0;

	/*
	 * The format string is a local array so it can be handed to the helper
	 * together with its size. bpf_trace_printk() is a debugging aid: the
	 * output goes to the shared kernel trace buffer.
	 */
	char msg[] = "write(fd=%d, buf=%p, size=%d)\n";

	bpf_trace_printk(msg, sizeof(msg),
			 data.args[0], data.args[1], data.args[2]);
	return 0;
}
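/*
 * Rewrite a caller-supplied IPv4 socket address in place.
 *
 * The probe's second argument is taken as a pointer to the caller's sockaddr
 * and the third as its length (presumably a connect()-style call; the attach
 * point is not visible in this block - confirm). The address is copied in and
 * used as the key into dnat_map; on a hit, the mapped address is written back
 * over the caller's buffer with bpf_probe_write_user().
 *
 * Security notes:
 *  - bpf_probe_write_user() modifies the memory of the traced process. The
 *    kernel logs a warning when a program using it is loaded; such programs
 *    are worth auditing and are meant for debugging and experiments.
 *  - Whoever can update dnat_map decides where matching calls are redirected,
 *    so write access to that map should be restricted accordingly.
 *
 * Always returns 0.
 */
int bpf_prog1(struct pt_regs *ctx)
{
	struct sockaddr_in new_addr, orig_addr = {};
	struct sockaddr_in *mapped_addr;
	void *sockaddr_arg = (void *)PT_REGS_PARM2(ctx);
	int sockaddr_len = (int)PT_REGS_PARM3(ctx);

	/*
	 * The read and the write below both move exactly
	 * sizeof(struct sockaddr_in) bytes. Accept only a buffer the caller
	 * declared to be that size: a shorter one would be read and then
	 * overwritten past its declared end. A negative length converts to a
	 * large unsigned value in this comparison and is rejected as well.
	 */
	if (sockaddr_len != sizeof(orig_addr))
		return 0;

	/* Unreadable caller memory: leave the call untouched. */
	if (bpf_probe_read(&orig_addr, sizeof(orig_addr), sockaddr_arg) != 0)
		return 0;

	/* The whole sockaddr_in is the map key. */
	mapped_addr = bpf_map_lookup_elem(&dnat_map, &orig_addr);
	if (mapped_addr != NULL) {
		/* Copy the map value to the stack before handing it out. */
		memcpy(&new_addr, mapped_addr, sizeof(new_addr));

		/*
		 * The write's result is not checked; the program returns 0
		 * whether or not the caller's buffer was updated.
		 */
		bpf_probe_write_user(sockaddr_arg, &new_addr,
				     sizeof(new_addr));
	}

	return 0;
}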
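/*
 * Map-in-map lookup test driven by a caller-supplied IPv6 socket address.
 *
 * The probe's second argument is taken as a struct sockaddr_in6 pointer and
 * the third as its length. Only addresses whose first two 16-bit words are
 * 0xdead and 0xbeef are handled; the last 16-bit word of the address selects
 * the outer map (0: a_of_port_a, 1: h_of_port_a, 2: h_of_port_h) and the port
 * is the key for both the outer and the inner lookup.
 *
 * Results are published under key 0: the do_reg_lookup() result in
 * reg_result_h and the inline lookup result in inline_result_h. On an early
 * failure both maps receive the same error value.
 *
 * Always returns 0.
 */
int trace_sys_connect(struct pt_regs *ctx)
{
	struct sockaddr_in6 *in6;
	u16 test_case, port, dst6[8];
	int addrlen, ret, inline_ret, ret_key = 0;
	u32 port_key;
	void *outer_map, *inner_map;

	in6 = (struct sockaddr_in6 *)PT_REGS_PARM2(ctx);
	addrlen = (int)PT_REGS_PARM3(ctx);

	/* Only a buffer of exactly sockaddr_in6 size is considered. */
	if (addrlen != sizeof(*in6))
		return 0;

	/* in6 is never dereferenced directly; fields are copied via the helper. */
	ret = bpf_probe_read(dst6, sizeof(dst6), &in6->sin6_addr);
	if (ret) {
		inline_ret = ret;
		goto done;
	}

	/* Ignore every address that does not carry the test marker. */
	if (dst6[0] != 0xdead || dst6[1] != 0xbeef)
		return 0;

	test_case = dst6[7];

	ret = bpf_probe_read(&port, sizeof(port), &in6->sin6_port);
	if (ret) {
		inline_ret = ret;
		goto done;
	}

	port_key = port;

	/* Overwritten on every path below before it is published. */
	ret = -ENOENT;
	if (test_case == 0) {
		outer_map = &a_of_port_a;
	} else if (test_case == 1) {
		outer_map = &h_of_port_a;
	} else if (test_case == 2) {
		outer_map = &h_of_port_h;
	} else {
		/* Unknown selector: report this source line as the error. */
		ret = __LINE__;
		inline_ret = ret;
		goto done;
	}

	inner_map = bpf_map_lookup_elem(outer_map, &port_key);
	if (!inner_map) {
		/* No inner map for this port: report this source line. */
		ret = __LINE__;
		inline_ret = ret;
		goto done;
	}

	ret = do_reg_lookup(inner_map, port_key);

	/* Cases 0 and 1 take the array lookup, case 2 the hash lookup. */
	if (test_case == 0 || test_case == 1)
		inline_ret = do_inline_array_lookup(inner_map, port_key);
	else
		inline_ret = do_inline_hash_lookup(inner_map, port_key);

done:
	/*
	 * The first map reference had been mangled to a (R) sign ("&reg" read
	 * as an HTML entity); it is restored to &reg_result_h here.
	 */
	bpf_map_update_elem(&reg_result_h, &ret_key, &ret, BPF_ANY);
	bpf_map_update_elem(&inline_result_h, &ret_key, &inline_ret, BPF_ANY);

	return 0;
}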