1// SPDX-License-Identifier: GPL-2.0 2 3/* 4 * Copyright 2020 Google LLC. 5 */ 6 7#include "vmlinux.h" 8#include <errno.h> 9#include <bpf/bpf_helpers.h> 10#include <bpf/bpf_tracing.h> 11 12u32 monitored_pid = 0; 13 14struct { 15 __uint(type, BPF_MAP_TYPE_RINGBUF); 16 __uint(max_entries, 1 << 12); 17} ringbuf SEC(".maps"); 18 19char _license[] SEC("license") = "GPL"; 20 21SEC("lsm.s/bprm_committed_creds") 22void BPF_PROG(ima, struct linux_binprm *bprm) 23{ 24 u64 ima_hash = 0; 25 u64 *sample; 26 int ret; 27 u32 pid; 28 29 pid = bpf_get_current_pid_tgid() >> 32; 30 if (pid == monitored_pid) { 31 ret = bpf_ima_inode_hash(bprm->file->f_inode, &ima_hash, 32 sizeof(ima_hash)); 33 if (ret < 0 || ima_hash == 0) 34 return; 35 36 sample = bpf_ringbuf_reserve(&ringbuf, sizeof(u64), 0); 37 if (!sample) 38 return; 39 40 *sample = ima_hash; 41 bpf_ringbuf_submit(sample, 0); 42 } 43 44 return; 45} 46