#!/usr/bin/stap
#
# Quick and ugly hack by cap@nsc.liu.se to block CVE-2013-2094.
#
# Must run in guru mode (-g): the probe below writes to a kernel target
# variable, which stap only permits under -g.
#
# Build the module on a host that has the kernel's debuginfo:
#     stap -g -m perf_event_blocker perf_event_blocker.stp
# and load it on a non-build host with:
#     staprun [-L] ./perf_event_blocker.ko
# The build host and the staprun host must have identical kernels.
#
# Trade-off to be aware of: the function probe fires on *every* call to
# sys_perf_event_open and refuses all of them, not just exploit attempts.

probe begin {
    printf("Guru mode sys_perf_event_open blocker active\n");
}

# Wreck the call by overwriting the attr_uptr argument with a null pointer
# before the syscall body gets to use it.  The $$vars dump is evaluated
# first, so it shows the caller's original arguments.
probe kernel.function("sys_perf_event_open") {
    printf("hit sys_perf_event_open, DENIED! %s\n", $$vars);
    $attr_uptr = 0;
}

# Log the return value so the refusal can be confirmed from the trace.
probe kernel.function("sys_perf_event_open").return {
    printf("returning from sys_perf_event_open with: %i\n", $return);
}