Initial Commit

c-lang/loader.c

@@ -0,0 +1,77 @@
+#include <stdio.h>
+#include <bpf/libbpf.h>
+#include <unistd.h>
+#include <string.h>
+
+int main() {
+    struct bpf_object *obj;
+    struct bpf_program *prog;
+    struct bpf_link *link;
+    struct bpf_map *target_map;
+    int err;
+    const char *target_filename = "/tmp/testfile";
+    int key = 0;
+    char value[256] = {0};
+    
+    strncpy(value, target_filename, sizeof(value) - 1);
+    
+    obj = bpf_object__open_file("tracepoint.o", NULL);
+    if (!obj) {
+        fprintf(stderr, "Error opening BPF object\n");
+        return 1;
+    }
+    
+    // Clean up any existing maps first
+    bpf_object__unpin_maps(obj, "/sys/fs/bpf");
+    
+    err = bpf_object__load(obj);
+    if (err) {
+        fprintf(stderr, "Error loading BPF object\n");
+        return 1;
+    }
+    
+    target_map = bpf_object__find_map_by_name(obj, "target_filename_map");
+    if (!target_map) {
+        fprintf(stderr, "Error finding target_filename_map\n");
+        bpf_object__close(obj);
+        return 1;
+    }
+    
+    err = bpf_map__update_elem(target_map, &key, sizeof(key), value, sizeof(value), BPF_ANY);
+    if (err) {
+        fprintf(stderr, "Error populating target_filename_map\n");
+        bpf_object__close(obj);
+        return 1;
+    }
+
+    prog = bpf_object__find_program_by_name(obj, "trace_openat");
+    if (!prog) {
+        fprintf(stderr, "Error finding BPF program\n");
+        bpf_object__close(obj);
+        return 1;
+    }
+
+    link = bpf_program__attach(prog);
+    if (!link) {
+        fprintf(stderr, "Error attaching BPF program\n");
+        bpf_object__close(obj);
+        return 1;
+    }
+
+    err = bpf_object__pin_maps(obj, "/sys/fs/bpf");
+    if (err) {
+        fprintf(stderr, "Error pinning BPF maps\n");
+        bpf_link__destroy(link);
+        bpf_object__close(obj);
+        return 1;
+    }
+    
+    printf("BPF program loaded and maps pinned. Press Ctrl+C to exit.\n");
+    
+    pause(); 
+    
+    bpf_object__unpin_maps(obj, "/sys/fs/bpf");
+    bpf_link__destroy(link);
+    bpf_object__close(obj);
+    return 0;
+}

c-lang/monitor.c

@@ -0,0 +1,45 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <bpf/libbpf.h>
+#include <bpf/bpf.h>
+
+struct event {
+    __u32 pid;
+    __u32 uid;
+    char comm[16];
+    char filename[256];
+};
+
+// Simplified callback that actually works
+static void handle_event(void *ctx, int cpu, void *data, unsigned int size)
+{
+    struct event *e = data;
+    printf("PID: %d, UID: %d, CMD: %s, FILE: %s\n", 
+           e->pid, e->uid, e->comm, e->filename);
+}
+
+int main()
+{
+    struct perf_buffer *pb;
+    int map_fd;
+
+    map_fd = bpf_obj_get("/sys/fs/bpf/events");
+    if (map_fd < 0) {
+        fprintf(stderr, "Failed to get BPF map\n");
+        return 1;
+    }
+
+    // This is the ONLY working syntax across all libbpf versions
+    pb = perf_buffer__new(map_fd, 8, handle_event, NULL, NULL, NULL);
+    if (!pb) {
+        fprintf(stderr, "Failed to create perf buffer\n");
+        close(map_fd);
+        return 1;
+    }
+
+    printf("Monitoring started. Ctrl+C to exit.\n");
+    while (perf_buffer__poll(pb, 1000) >= 0);
+
+    close(map_fd);
+    return 0;
+}

c-lang/tracepoint.c

@@ -0,0 +1,66 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+struct sys_enter_args {
+    unsigned long long unused;
+    long syscall_nr;
+    unsigned long args[6];
+};
+
+struct event {
+    __u32 pid;
+    __u32 uid;
+    char comm[16];
+    char filename[256];
+};
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(int));
+    __uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+struct {
+    __uint(type, BPF_MAP_TYPE_ARRAY);
+    __uint(key_size, sizeof(int));
+    __uint(value_size, 256);
+    __uint(max_entries, 1);
+    __uint(map_flags, BPF_F_RDONLY_PROG);  // Critical: Makes map read-only for BPF programs
+} target_filename_map SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_openat")
+int trace_openat(struct sys_enter_args *ctx)
+{
+    struct event e = {};
+    char *target_filename;
+    int key = 0;
+    
+    // Read filename from syscall arguments
+    bpf_probe_read_user_str(e.filename, sizeof(e.filename), (void *)ctx->args[1]);
+
+    // Get target filename from map
+    target_filename = bpf_map_lookup_elem(&target_filename_map, &key);
+    if (!target_filename) {
+        return 0;
+    }
+    
+    // Compare filenames - now safe because map is read-only
+    for (int i = 0; i < sizeof(e.filename); i++) {
+        if (e.filename[i] != target_filename[i]) {
+            return 0;  // No match
+        }
+        if (e.filename[i] == 0 || target_filename[i] == 0) {
+            break;  // End of string
+        }
+    }
+
+    // If we get here, filenames match
+    e.pid = bpf_get_current_pid_tgid() >> 32;
+    e.uid = bpf_get_current_uid_gid();
+    bpf_get_current_comm(&e.comm, sizeof(e.comm));
+    
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &e, sizeof(e));
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";