-
Notifications
You must be signed in to change notification settings - Fork 2
/
kprobe_defs.h
221 lines (204 loc) · 11.5 KB
/
kprobe_defs.h
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
/* SPDX-License-Identifier: Apache-2.0 */
/* Copyright (c) 2024 Elastic NV */
#ifndef _KPROBE_DEFS_H
#define _KPROBE_DEFS_H
#define RPT0(_x)
#define RPT1(_x) _x
#define RPT2(_x) RPT1(_x) _x
#define RPT3(_x) RPT2(_x) _x
#define RPT4(_x) RPT3(_x) _x
#define RPT5(_x) RPT4(_x) _x
#define RPT6(_x) RPT5(_x) _x
#define RPT7(_x) RPT6(_x) _x
#define RPT8(_x) RPT7(_x) _x
#define RPT9(_x) RPT8(_x) _x
#define RPT10(_x) RPT9(_x) _x
#define RPT(TENS,ONES,X) RPT##TENS(RPT10(X)) RPT##ONES(X)
#if defined(__amd64__)
#define ARG_0 di
#elif defined(__aarch64__)
#define ARG_0 x0
#else
#error unknown architecture
#endif /* ARG_* */
#define S(_a) #_a
#define XS(_a) S(_a)
#define PWD_K(_t, _o) "task_struct.fs fs_struct.pwd.dentry " XS(RPT(_t, _o, dentry.d_parent))
#define PWD_S(_t, _o) "task_struct.fs fs_struct.pwd.dentry " XS(RPT(_t, _o, dentry.d_parent)) " dentry.d_name.name +0"
/*
* 16 is sizeof(struct hlist_node), which is in the beginning of struct
* pid_link. sizeof(struct pid_link) is 24, 16 for hlist_node + pid pointer.
* PIDTYPE_PGID is `1`, this puts us on 16 + (24 * 1) = 40 bytes.
*/
struct kprobe_arg ka_task_old_pgid = {
"pgid", XS(ARG_0), "u32", "task_struct.group_leader ((task_struct.pids+16)+(24*pid_type.PIDTYPE_PGID)) (pid.numbers+0).upid.nr"
};
/* 16 + 2*24 = 64 */
struct kprobe_arg ka_task_old_sid = {
"sid", XS(ARG_0), "u32", "task_struct.group_leader ((task_struct.pids+16)+(24*pid_type.PIDTYPE_SID)) (pid.numbers+0).upid.nr"
};
/*
* New structure is just an array of pointers, not a pid_link array like above.
* RHEL8 uses the new scheme in task_struct.signal, but has the old value for
* PIDTYPE_PGID=1, newer kernels have a PIDTYPE_TGID=1 and PIDTYPE_PGID=2.
*/
struct kprobe_arg ka_task_new_pgid = {
"pgid", XS(ARG_0), "u32", "task_struct.group_leader task_struct.signal (signal_struct.pids+(8*pid_type.PIDTYPE_PGID)) (pid.numbers+0).upid.nr"
};
struct kprobe_arg ka_task_new_sid = {
"sid", XS(ARG_0), "u32", "task_struct.group_leader task_struct.signal (signal_struct.pids+(8*pid_type.PIDTYPE_SID)) (pid.numbers+0).upid.nr"
};
#define TASK_SAMPLE(_r) \
{ "cap_inheritable", XS(_r), "u64", "task_struct.cred cred.cap_inheritable" }, \
{ "cap_permitted", XS(_r), "u64", "task_struct.cred cred.cap_permitted", }, \
{ "cap_effective", XS(_r), "u64", "task_struct.cred cred.cap_effective" }, \
{ "cap_bset", XS(_r), "u64", "task_struct.cred cred.cap_bset" }, \
{ "cap_ambient", XS(_r), "u64", "task_struct.cred cred.cap_ambient" }, \
{ "start_boottime", XS(_r), "u64", "task_struct.start_boottime" }, \
{ "tty_addr", XS(_r), "u64", "task_struct.signal signal_struct.tty" }, \
{ "root_k", XS(_r), "u64", "task_struct.fs fs_struct.root.dentry" }, \
{ "mnt_root_k", XS(_r), "u64", "task_struct.fs fs_struct.pwd.mnt vfsmount.mnt_root" }, \
{ "mnt_mountpoint_k", XS(_r), "u64", "task_struct.fs fs_struct.pwd.mnt (mount.mnt_mountpoint-mount.mnt)" }, \
{ "pwd_k0", XS(_r), "u64", PWD_K(0, 0) }, \
{ "pwd_k1", XS(_r), "u64", PWD_K(0, 1) }, \
{ "pwd_k2", XS(_r), "u64", PWD_K(0, 2) }, \
{ "pwd_k3", XS(_r), "u64", PWD_K(0, 3) }, \
{ "pwd_k4", XS(_r), "u64", PWD_K(0, 4) }, \
{ "pwd_k5", XS(_r), "u64", PWD_K(0, 5) }, \
{ "pwd_k6", XS(_r), "u64", PWD_K(0, 6) }, \
{ "root_s", XS(_r), "string", "task_struct.fs fs_struct.root.dentry dentry.d_name.name +0" }, \
{ "mnt_root_s", XS(_r), "string", "task_struct.fs fs_struct.pwd.mnt vfsmount.mnt_root dentry.d_name.name +0" }, \
{ "mnt_mountpoint_s", XS(_r), "string", "task_struct.fs fs_struct.pwd.mnt (mount.mnt_mountpoint-mount.mnt) dentry.d_name.name +0" }, \
{ "pwd_s0", XS(_r), "string", PWD_S(0, 0) }, \
{ "pwd_s1", XS(_r), "string", PWD_S(0, 1) }, \
{ "pwd_s2", XS(_r), "string", PWD_S(0, 2) }, \
{ "pwd_s3", XS(_r), "string", PWD_S(0, 3) }, \
{ "pwd_s4", XS(_r), "string", PWD_S(0, 4) }, \
{ "pwd_s5", XS(_r), "string", PWD_S(0, 5) }, \
{ "pwd_s6", XS(_r), "string", PWD_S(0, 6) }, \
{ "comm", XS(_r), "string", "task_struct.comm" }, \
{ "uid", XS(_r), "u32", "task_struct.cred cred.uid" }, \
{ "gid", XS(_r), "u32", "task_struct.cred cred.gid" }, \
{ "suid", XS(_r), "u32", "task_struct.cred cred.suid" }, \
{ "sgid", XS(_r), "u32", "task_struct.cred cred.sgid" }, \
{ "euid", XS(_r), "u32", "task_struct.cred cred.euid" }, \
{ "egid", XS(_r), "u32", "task_struct.cred cred.egid" }, \
{ "pgid", XS(_r), "u32", "KLUDGE - see kprobe_kludge_arg()" }, \
{ "sid", XS(_r), "u32", "KLUDGE - see kprobe_kludge_arg()" }, \
{ "pid", XS(_r), "u32", "task_struct.tgid" }, \
{ "tid", XS(_r), "u32", "task_struct.pid" }, \
{ "ppid", XS(_r), "u32", "task_struct.group_leader task_struct.real_parent task_struct.tgid" }, \
{ "exit_code", XS(_r), "s32", "task_struct.exit_code" }, \
{ "tty_major", XS(_r), "u32", "task_struct.signal signal_struct.tty tty_struct.driver tty_driver.major" }, \
{ "tty_minor_start", XS(_r), "u32", "task_struct.signal signal_struct.tty tty_struct.driver tty_driver.minor_start" }, \
{ "tty_minor_index", XS(_r), "u32", "task_struct.signal signal_struct.tty tty_struct.index" }, \
{ "uts_inonum", XS(_r), "u32", "task_struct.nsproxy nsproxy.uts_ns uts_namespace.proc_inum" }, \
{ "ipc_inonum", XS(_r), "u32", "task_struct.nsproxy nsproxy.ipc_ns ipc_namespace.proc_inum" }, \
{ "mnt_inonum", XS(_r), "u32", "task_struct.nsproxy nsproxy.mnt_ns mnt_namespace.proc_inum" }, \
{ "net_inonum", XS(_r), "u32", "task_struct.nsproxy nsproxy.net_ns net_namespace.proc_inum" }
struct kprobe kp_wake_up_new_task = {
"wake_up_new_task",
WAKE_UP_NEW_TASK_SAMPLE,
0,
{
TASK_SAMPLE(ARG_0),
{ NULL, NULL, NULL, NULL },
}
};
struct kprobe kp_exit = {
"taskstats_exit",
EXIT_THREAD_SAMPLE,
0,
{
TASK_SAMPLE(ARG_0),
{ NULL, NULL, NULL, NULL },
}
};
struct kprobe kp_exec_connector = {
"proc_exec_connector",
EXEC_CONNECTOR_SAMPLE,
0,
{
TASK_SAMPLE(ARG_0),
{ "argc", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +0" },
{ "stack_0", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +0" },
{ "stack_1", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +8" },
{ "stack_2", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +16" },
{ "stack_3", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +24" },
{ "stack_4", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +32" },
{ "stack_5", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +40" },
{ "stack_6", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +48" },
{ "stack_7", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +56" },
{ "stack_8", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +64" },
{ "stack_9", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +72" },
{ "stack_10", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +80" },
{ "stack_11", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +88" },
{ "stack_12", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +96" },
{ "stack_13", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +104" },
{ "stack_14", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +112" },
{ "stack_15", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +120" },
{ "stack_16", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +128" },
{ "stack_17", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +136" },
{ "stack_18", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +144" },
{ "stack_19", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +152" },
{ "stack_20", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +160" },
{ "stack_21", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +168" },
{ "stack_22", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +176" },
{ "stack_23", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +184" },
{ "stack_24", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +192" },
{ "stack_25", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +200" },
{ "stack_26", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +208" },
{ "stack_27", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +216" },
{ "stack_28", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +224" },
{ "stack_29", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +232" },
{ "stack_30", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +240" },
{ "stack_31", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +248" },
{ "stack_32", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +256" },
{ "stack_33", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +264" },
{ "stack_34", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +272" },
{ "stack_35", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +280" },
{ "stack_36", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +288" },
{ "stack_37", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +296" },
{ "stack_38", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +304" },
{ "stack_39", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +312" },
{ "stack_40", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +320" },
{ "stack_41", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +328" },
{ "stack_42", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +336" },
{ "stack_43", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +344" },
{ "stack_44", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +352" },
{ "stack_45", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +360" },
{ "stack_46", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +368" },
{ "stack_47", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +376" },
{ "stack_48", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +384" },
{ "stack_49", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +400" },
{ "stack_50", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +408" },
{ "stack_51", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +416" },
{ "stack_52", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +424" },
{ "stack_53", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +432" },
{ "stack_54", XS(ARG_0), "u64", "task_struct.mm mm_struct.(anon).start_stack +8 +440" },
{ NULL, NULL, NULL, NULL },
}};
#undef PWD_S
#undef PWD_K
#undef XS
#undef S
#undef ARG_0
#undef RPT
#undef RPT10
#undef RPT9
#undef RPT8
#undef RPT7
#undef RPT6
#undef RPT5
#undef RPT4
#undef RPT3
#undef RPT2
#undef RPT1
#undef RPT0
struct kprobe *all_kprobes[] = {
&kp_wake_up_new_task,
&kp_exit,
&kp_exec_connector,
NULL
};
#endif /* _KPROBE_DEFS_H */