bpf_core_read() The most basic helper to read a field in a CO-RE-relocatable manner is bpf_core_read(dst, sz, src), which will read sz bytes from the field referenced by src into the memory pointed to by dst: struct task_struct *task = (void *)bpf_get_current_task(); struct task_struct *parent_...
获取第一个参数和第二个参数值：PT_REGS_PARM1 和 PT_REGS_PARM2 用于获取 openat2 的前两个参数。bpf_probe_read_user_str(msg, sizeof(msg), pathname); 是 bpf 的辅助函数，从用户空间读取字符串；这里即使不复制，下面也可以打印，只是通过这个调用后，就可以把用户空间的路径名复制到 eBPF 程序中（该辅助函数读取失败时返回负值，使用 msg 之前应先检查返回值）。bpf_trace_printk 即向...
2.1.1 BPF内核运行的代码 #include <linux/bpf.h> #include <bpf/bpf_helpers.h> #include <bpf/bpf_tracing.h> #include <bpf/bpf_core_read.h> #include <linux/ptrace.h> // 内核的动态插桩位置：do_sys_openat2 即打开文件函数 SEC("kprobe/do_sys_openat2") int hello(struct pt_regs *ctx) { const int dirfd = PT_REGS_...
*/ #define bpf_core_read_user_str(dst, sz, src) \ bpf_probe_read_user_str(dst, sz, (const void *)__builtin_preserve_access_index(src)) #define ___concat(a, b) a ## b #define ___apply(fn, n) ___concat(fn, n) #define ___nth(_1, _2, _3, _4, _5, _6, _...
(); int pid = pid_tgid >> 32; // if target_ppid is 0 then we target all pids if (target_ppid != 0) { struct task_struct *task = (struct task_struct *)bpf_get_current_task(); int ppid = BPF_CORE_READ(task, real_parent, tgid); if (ppid != target_ppid) { return 0; ...
#include "vmlinux.h" #include <bpf/bpf_helpers.h> #include <bpf/bpf_tracing.h> #include <bpf/bpf_core_read.h> #include "bpf_helpers.h" char LICENSE[] SEC("license") = "Dual BSD/GPL"; struct { __uint(type, BPF_MAP_TYPE_PROG_ARRAY); __uint(max_entries, 1024); ...
下面是个例子,如何用 BPF CO-RE 来提取线程的 CPU user time: extern u32 LINUX_KERNEL_VERSION __kconfig; extern u32 CONFIG_HZ __kconfig; u64 utime_ns; if (LINUX_KERNEL_VERSION >= KERNEL_VERSION(4, 11, 0)) utime_ns = BPF_CORE_READ(task, utime); ...
e->ppid = BPF_CORE_READ(task, real_parent, tgid); bpf_get_current_comm(&e->comm, sizeof(e->comm)); /* successfully submit it to user-space for post-processing */ bpf_ringbuf_submit(e, 0); return 0; } eunomia-bpf 会自动去源代码中找到对应的 ring buffer map，并且把 ring buffer 和类型信...
SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size) { union bpf_attr attr = {}; int err; if (!capable(CAP_SYS_ADMIN) && sysctl_unprivileged_bpf_disabled) return -EPERM; if (!access_ok(VERIFY_READ, uattr, 1)) return -EFAULT; ...
下面是个例子，如何用 BPF CO-RE 来提取线程的 CPU user time： extern u32 LINUX_KERNEL_VERSION __kconfig; extern u32 CONFIG_HZ __kconfig; u64 utime_ns; if (LINUX_KERNEL_VERSION >= KERNEL_VERSION(4, 11, 0)) utime_ns = BPF_CORE_READ(task, utime); else /* convert jiffies to nanosecon...