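/**
 * @file
 * @brief 'exec', 'exit' and 'fork' tracepoints
 * @details Copyright (c) 2017-2021 Acronis International GmbH
 * @author Mikhail Krivtsov (mikhail.krivtsov@acronis.com)
 * @since $Id: $
 *
 * Despite the title, only the 'exit' and 'fork' probes exist in this file;
 * there is no 'exec' probe (see the FIXME below for what that costs).
 */

#include "tracepoints.h"

#include "compat.h"
#include "debug.h"
#include "exit_event.h"
#include "fork_event.h"
#include "memory.h"
#include "message.h"

/*
 * NOTE(review): nothing in this file touches a struct file, dentry, path or
 * mm, so the fs/mm headers below look like leftovers from a removed 'exec'
 * probe. Confirm against the rest of the module before pruning them.
 */
#include <linux/binfmts.h>
#include <linux/dcache.h>	// d_path
#include <linux/file.h>		// fput()
#include <linux/fs.h>		// struct file
#include <linux/limits.h>	// PATH_MAX
#include <linux/mm.h>		// get_task_exe_file()
#include <linux/mm_types.h>	// struct mm_struct
#include <linux/path.h>		// struct path
#include <linux/sched.h>	// struct task_struct
#include <linux/tracepoint.h>
#include <linux/version.h>	// LINUX_VERSION_CODE, KERNEL_VERSION()
#include <trace/events/sched.h>	// TRACE_EVENT(sched_*)

/*
 * Probe for the 'sched_process_exit' tracepoint.
 *
 * @param p  the task that is exiting.
 *
 * Forwards the exiting task's (tgid, pid) pair to exit_event_nowait().
 * Tracepoint probes are invoked with preemption disabled, so nothing in here
 * may sleep — presumably the reason the '_nowait' reporter is used (TODO
 * confirm against exit_event.h).
 *
 * NOTE(review): the DPRINTF below logs a raw kernel pointer with '%p'. On
 * kernels older than 4.15 '%p' prints the unhashed address, so if DPRINTF is
 * ever compiled in for a production build it leaks kernel addresses (and
 * thereby KASLR offsets) into the kernel log.
 */
static TRACE_CB_PROTO(sched_process_exit, TP_PROTO(struct task_struct *p))
{
	DPRINTF("exit() p=%p { pid=%d tgid=%d }", p, p->pid, p->tgid);
	exit_event_nowait(p->tgid, p->pid);
}

/*
 * FIXME (detection gap): the 'fork' probe merges every new process into the
 * single meta-process of its parent, and that meta-process can be
 * 'white-listed'. Without an 'exec' probe, a process that replaces its image
 * via exec() (a 'grey' process) is never split out of the meta-process and
 * keeps the parent's 'white' status. That breaks the heuristics and means
 * malware started via exec() from a white-listed process is not detected.
 */
#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
/*
 * Probe for the 'sched_process_fork' tracepoint.
 *
 * @param current_macro  the forking (parent) task. The parameter is
 *                       presumably not named 'current' because 'current' is
 *                       a macro in the kernel and would be expanded here.
 * @param p              the newly created child task.
 *
 * Forwards (parent tgid, parent pid, child tgid, child pid) to
 * fork_event_nowait(). Same context rules as the 'exit' probe: preemption is
 * disabled, so this must not sleep.
 *
 * NOTE(review): an earlier comment at this spot said "the caller only
 * guarantees locking for struct file and struct inode, so locking must be
 * done in the probe to use the dentry". This probe dereferences neither a
 * file nor a dentry, so that note appears to be left over from the removed
 * 'exec' probe and does not describe this code.
 */
static TRACE_CB_PROTO(sched_process_fork,
		      TP_PROTO(struct task_struct *current_macro,
			       struct task_struct *p))
{
	DPRINTF("fork() current=%p { pid=%d tgid=%d comm='%s' } "
		"p=%p { pid=%d tgid=%d comm='%s' }",
		current_macro, current_macro->pid, current_macro->tgid,
		current_macro->comm, p, p->pid, p->tgid, p->comm);
	fork_event_nowait(current_macro->tgid, current_macro->pid,
			  p->tgid, p->pid);
}
#endif

/**
 * Register the 'exit' probe and, on kernels >= 3.4, the 'fork' probe.
 *
 * @return 0 on success. On failure, the non-zero value returned by the
 *         register_trace_* call that failed; every probe registered before
 *         it has been unregistered again, so no probe is left attached.
 *
 * Error unwinding follows the usual kernel goto-cleanup shape: the labels
 * are in reverse registration order, and the final synchronize waits for
 * any probe invocation that was still in flight before we report failure.
 * (The previous labels were named after an 'exec' probe that no longer
 * exists, which is why they have been renamed.)
 */
int tracepoints_attach(void)
{
	int ret;

	ret = REGISTER_TRACE(sched_process_exit,
			     TRACE_CB_NAME(sched_process_exit));
	if (ret) {
		EPRINTF("'register_trace_sched_process_exit()' failure %i", ret);
		goto err_sync;
	}

#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
	ret = REGISTER_TRACE(sched_process_fork,
			     TRACE_CB_NAME(sched_process_fork));
	if (ret) {
		EPRINTF("'register_trace_sched_process_fork()' failure %i", ret);
		goto err_unregister_exit;
	}
#endif

	IPRINTF("tracepoints attached");
	return 0;

#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
err_unregister_exit:
	/* Only reachable when the 'fork' registration failed. */
	UNREGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
#endif
err_sync:
	tracepoint_synchronize_unregister();
	return ret;
}

/**
 * Unregister every probe registered by tracepoints_attach().
 *
 * The probes are removed in reverse registration order. The synchronize call
 * is what makes a subsequent module unload safe: once it returns, no CPU can
 * still be executing one of the probes above, so the module text may go away.
 */
void tracepoints_detach(void)
{
#if KERNEL_VERSION(3, 4, 0) <= LINUX_VERSION_CODE
	UNREGISTER_TRACE(sched_process_fork, TRACE_CB_NAME(sched_process_fork));
#endif
	UNREGISTER_TRACE(sched_process_exit, TRACE_CB_NAME(sched_process_exit));
	tracepoint_synchronize_unregister();
	IPRINTF("tracepoints detached");
}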