From 17d4f47bee3a7955f994a99605513e2ac0790f9c Mon Sep 17 00:00:00 2001
From: Gzx1999
Date: Wed, 21 Jun 2023 11:34:25 +0800
Subject: [PATCH] add readline uprobe monitor implement

---
 .../src/bashreadline/bashreadline.bpf.c | 25 ++++++++++++++++++-
 1 file changed, 24 insertions(+), 1 deletion(-)

diff --git a/observation/src/bashreadline/bashreadline.bpf.c b/observation/src/bashreadline/bashreadline.bpf.c
index 1b1c4814..c476d8c9 100644
--- a/observation/src/bashreadline/bashreadline.bpf.c
+++ b/observation/src/bashreadline/bashreadline.bpf.c
@@ -12,4 +12,27 @@ struct {
 	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
 	__uint(key_size, sizeof(__u32));
 	__uint(value_size, sizeof(__u32));
-} events SEC(".maps");
\ No newline at end of file
+} events SEC(".maps");
+
+SEC("uretprobe/readline")
+int BPF_KRETPROBE(printret, const void *ret)
+{
+	readline_str_t data;
+	char comm[TASK_COMM_LEN];
+	u32 pid;
+
+	if (!ret)
+		return 0;
+
+	bpf_get_current_comm(&comm, sizeof(comm));
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	data.pid = pid;
+	bpf_core_read_user_str(&data.str, sizeof(data.str), ret);
+
+	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
+
+	return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
-- 
Gitee
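Review bot: In printret, `data` is declared without initialization and the result of `bpf_core_read_user_str` is never checked, so when the user-space read fails (or the string is shorter than `data.str`, or `readline_str_t` has padding after `pid`) the `bpf_perf_event_output` call ships uninitialized stack bytes to the ring buffer as if they were a command line. Zero the struct at declaration and bail out on a negative read length so consumers never see a half-filled record. The `comm` buffer is filled by `bpf_get_current_comm` but never read again; `readline_str_t` is defined outside this hunk, so if it has no comm field the call and the buffer should go, and if it does the value should be copied into `data` rather than discarded. The unused `pid` temporary can be folded into the assignment.
```c
SEC("uretprobe/readline")
int BPF_KRETPROBE(printret, const void *ret)
{
	readline_str_t data = {0};   /* no stale stack bytes reach user space */
	long len;

	if (!ret)
		return 0;

	data.pid = bpf_get_current_pid_tgid() >> 32;
	len = bpf_core_read_user_str(&data.str, sizeof(data.str), ret);
	if (len < 0)
		return 0;             /* unreadable user pointer: emit nothing */

	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
	return 0;
}
```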