
seccomp vs bcc #3416

Open mstfsrmd opened 3 years ago

mstfsrmd commented 3 years ago

Hi there. How can I use seccomp and the prctl syscall versus bcc to intercept syscalls? Is there another way to achieve this goal with bcc?

ljluestc commented 16 hours ago

import time

from bcc import BPF

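# BPF program: count open()/openat() syscall entries per process.
# The kprobe handler returns 0 on every path and only updates a map, so it
# observes the call; it does not deny it the way a seccomp filter would.
bpf_program = """
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>

// key: tgid (the PID as userspace sees it), value: number of entries seen
BPF_HASH(counts, u64, u64);

// The syscall arguments are never read, so the handler takes only the
// register context; that also lets one handler serve open and openat,
// whose argument lists differ.
int trace_sys_open(struct pt_regs *ctx) {
    // Upper 32 bits of pid_tgid are the tgid. Keying on the full
    // pid_tgid would emit one row per thread of the same process.
    u64 tgid = bpf_get_current_pid_tgid() >> 32;
    counts.increment(tgid);
    return 0;
}
"""

# Compile and load the program (loading kprobes normally requires root).
b = BPF(text=bpf_program)

# Resolve the kernel's syscall entry symbol for this kernel instead of
# hard-coding "sys_open", which is absent on kernels that use syscall
# wrappers (e.g. __x64_sys_open). openat is traced as well because modern
# libc implements open() on top of openat(); a syscall missing on this
# architecture (e.g. plain open on arm64) is skipped rather than failing.
for syscall in ("open", "openat"):
    fnname = b.get_syscall_fnname(syscall)
    if b.ksymname(fnname) == -1:
        continue
    b.attach_kprobe(event=fnname, fn_name="trace_sys_open")

print("Tracing 'open' syscalls... Press Ctrl+C to end.")

# Sleep rather than spin: `while True: pass` pins a CPU core for the whole
# tracing session. Ctrl+C still ends the loop via KeyboardInterrupt.
try:
    while True:
        time.sleep(1)
except KeyboardInterrupt:
    pass

# Display results, busiest processes first (map iteration order is arbitrary).
print("\n%-10s %-10s" % ("PID", "Count"))
for k, v in sorted(b["counts"].items(), key=lambda kv: kv[1].value, reverse=True):
    print("%-10d %-10d" % (k.value, v.value))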