From d0be8893eba6649a6489cc9908cfe6fc6af1f239 Mon Sep 17 00:00:00 2001
From: Pragyansh Chaturvedi
Date: Wed, 24 Sep 2025 23:48:42 +0530
Subject: [PATCH] Add setuid C example
---
examples/c-form/ex7.bpf.c | 34 ++++++++++++++++++++++++++++++++++
1 file changed, 34 insertions(+)
create mode 100644 examples/c-form/ex7.bpf.c
diff --git a/examples/c-form/ex7.bpf.c b/examples/c-form/ex7.bpf.c
new file mode 100644
index 0000000..016e31d
--- /dev/null
+++ b/examples/c-form/ex7.bpf.c
@@ -0,0 +1,34 @@
+// SPDX-License-Identifier: GPL-2.0
+#include
+#include
+#include
+
+
+struct event {
+ __u32 pid;
+ __u32 uid;
+ __u64 ts;
+};
+
+struct {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __uint(key_size, sizeof(int));
+ __uint(value_size, sizeof(int));
+} events SEC(".maps");
+
+SEC("tp/syscalls/sys_enter_setuid")
+int handle_setuid_entry(struct trace_event_raw_sys_enter *ctx)
+{
+ struct event data = {};
+
+ // Extract UID from the syscall arguments
+ data.uid = (unsigned int)ctx->args[0];
+ data.ts = bpf_ktime_get_ns();
+ data.pid = bpf_get_current_pid_tgid() >> 32;
+
+ bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
+
+ return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";
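Review bot: In `handle_setuid_entry` the `uid` field is filled from `ctx->args[0]` at syscall entry, so each event records the UID the caller asked for, not a credential change that actually took place. A consumer that reads these events as completed setuid transitions will over-report, and nothing in `struct event` says otherwise. I would document this on the field, e.g. `__u32 uid; /* target UID requested by setuid(2) at entry; the call may still fail */`, and note on `pid` that it holds the upper half of `bpf_get_current_pid_tgid()`, i.e. the tgid. The return value of `bpf_perf_event_output()` is also discarded, so events that could not be written to the perf buffer are lost silently; if the example is meant as a monitoring template, that deserves at least a comment next to the call.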