diff --git a/bpf/headers/common.h b/bpf/headers/common.h new file mode 100644 index 00000000..75e72415 --- /dev/null +++ b/bpf/headers/common.h @@ -0,0 +1,148 @@ +// This is a compact version of `vmlinux.h` to be used in the examples using C code. + +#pragma once + +typedef unsigned char __u8; +typedef short int __s16; +typedef short unsigned int __u16; +typedef int __s32; +typedef unsigned int __u32; +typedef long long int __s64; +typedef long long unsigned int __u64; +typedef __u8 u8; +typedef __s16 s16; +typedef __u16 u16; +typedef __s32 s32; +typedef __u32 u32; +typedef __s64 s64; +typedef __u64 u64; +typedef __u16 __le16; +typedef __u16 __be16; +typedef __u32 __be32; +typedef __u64 __be64; +typedef __u32 __wsum; + +#include "bpf_helpers.h" + +enum bpf_map_type { + BPF_MAP_TYPE_UNSPEC = 0, + BPF_MAP_TYPE_HASH = 1, + BPF_MAP_TYPE_ARRAY = 2, + BPF_MAP_TYPE_PROG_ARRAY = 3, + BPF_MAP_TYPE_PERF_EVENT_ARRAY = 4, + BPF_MAP_TYPE_PERCPU_HASH = 5, + BPF_MAP_TYPE_PERCPU_ARRAY = 6, + BPF_MAP_TYPE_STACK_TRACE = 7, + BPF_MAP_TYPE_CGROUP_ARRAY = 8, + BPF_MAP_TYPE_LRU_HASH = 9, + BPF_MAP_TYPE_LRU_PERCPU_HASH = 10, + BPF_MAP_TYPE_LPM_TRIE = 11, + BPF_MAP_TYPE_ARRAY_OF_MAPS = 12, + BPF_MAP_TYPE_HASH_OF_MAPS = 13, + BPF_MAP_TYPE_DEVMAP = 14, + BPF_MAP_TYPE_SOCKMAP = 15, + BPF_MAP_TYPE_CPUMAP = 16, + BPF_MAP_TYPE_XSKMAP = 17, + BPF_MAP_TYPE_SOCKHASH = 18, + BPF_MAP_TYPE_CGROUP_STORAGE = 19, + BPF_MAP_TYPE_REUSEPORT_SOCKARRAY = 20, + BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE = 21, + BPF_MAP_TYPE_QUEUE = 22, + BPF_MAP_TYPE_STACK = 23, + BPF_MAP_TYPE_SK_STORAGE = 24, + BPF_MAP_TYPE_DEVMAP_HASH = 25, + BPF_MAP_TYPE_STRUCT_OPS = 26, + BPF_MAP_TYPE_RINGBUF = 27, + BPF_MAP_TYPE_INODE_STORAGE = 28, +}; + +enum xdp_action { + XDP_ABORTED = 0, + XDP_DROP = 1, + XDP_PASS = 2, + XDP_TX = 3, + XDP_REDIRECT = 4, +}; + +struct xdp_md { + __u32 data; + __u32 data_end; + __u32 data_meta; + __u32 ingress_ifindex; + __u32 rx_queue_index; + __u32 egress_ifindex; +}; + +typedef __u16 __sum16; + +#define ETH_P_IP 0x0800 + +struct ethhdr { + unsigned char h_dest[6]; + unsigned char h_source[6]; + __be16 h_proto; +}; + +struct iphdr { + __u8 ihl: 4; + __u8 version: 4; + __u8 tos; + __be16 tot_len; + __be16 id; + __be16 frag_off; + __u8 ttl; + __u8 protocol; + __sum16 check; + __be32 saddr; + __be32 daddr; +}; + +enum { + BPF_ANY = 0, + BPF_NOEXIST = 1, + BPF_EXIST = 2, + BPF_F_LOCK = 4, +}; + +/* BPF_FUNC_perf_event_output, BPF_FUNC_perf_event_read and + * BPF_FUNC_perf_event_read_value flags. + */ +#define BPF_F_INDEX_MASK 0xffffffffULL +#define BPF_F_CURRENT_CPU BPF_F_INDEX_MASK + +#if defined(__TARGET_ARCH_x86) +struct pt_regs { + /* + * C ABI says these regs are callee-preserved. They aren't saved on kernel entry + * unless syscall needs a complete, fully filled "struct pt_regs". + */ + unsigned long r15; + unsigned long r14; + unsigned long r13; + unsigned long r12; + unsigned long rbp; + unsigned long rbx; + /* These regs are callee-clobbered. Always saved on kernel entry. */ + unsigned long r11; + unsigned long r10; + unsigned long r9; + unsigned long r8; + unsigned long rax; + unsigned long rcx; + unsigned long rdx; + unsigned long rsi; + unsigned long rdi; + /* + * On syscall entry, this is syscall#. On CPU exception, this is error code. + * On hw interrupt, it's IRQ number: + */ + unsigned long orig_rax; + /* Return frame for iretq */ + unsigned long rip; + unsigned long cs; + unsigned long eflags; + unsigned long rsp; + unsigned long ss; + /* top of stack page */ +}; +#endif /* __TARGET_ARCH_x86 */ diff --git a/bpf/kprobe.c b/bpf/kprobe.c new file mode 100644 index 00000000..c1d49c5f --- /dev/null +++ b/bpf/kprobe.c @@ -0,0 +1,27 @@ +// +build ignore + +#include "common.h" + +char __license[] SEC("license") = "Dual MIT/GPL"; + +struct bpf_map_def SEC("maps") kprobe_map = { + .type = BPF_MAP_TYPE_ARRAY, + .key_size = sizeof(u32), + .value_size = sizeof(u64), + .max_entries = 1, +}; + +SEC("kprobe/sys_execve") +int kprobe_execve() { + u32 key = 0; + u64 initval = 1, *valp; + + valp = bpf_map_lookup_elem(&kprobe_map, &key); + if (!valp) { + bpf_map_update_elem(&kprobe_map, &key, &initval, BPF_ANY); + return 0; + } + __sync_fetch_and_add(valp, 1); + + return 0; +} diff --git a/pkg/exporter/testbtf/bpf_bpfeb.go b/pkg/exporter/testbtf/bpf_bpfeb.go index df197592..27deb824 100644 --- a/pkg/exporter/testbtf/bpf_bpfeb.go +++ b/pkg/exporter/testbtf/bpf_bpfeb.go @@ -28,9 +28,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) { // // The following types are suitable as obj argument: // -// *bpfObjects -// *bpfPrograms -// *bpfMaps +// *bpfObjects +// *bpfPrograms +// *bpfMaps // // See ebpf.CollectionSpec.LoadAndAssign documentation for details. func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { @@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error { } // Do not access this directly. +// //go:embed bpf_bpfeb.o var _BpfBytes []byte diff --git a/pkg/exporter/testbtf/bpf_bpfeb.o b/pkg/exporter/testbtf/bpf_bpfeb.o index 58fd2128..061ede59 100644 Binary files a/pkg/exporter/testbtf/bpf_bpfeb.o and b/pkg/exporter/testbtf/bpf_bpfeb.o differ diff --git a/pkg/exporter/testbtf/bpf_bpfel.go b/pkg/exporter/testbtf/bpf_bpfel.go index d5fa572c..61c2becc 100644 --- a/pkg/exporter/testbtf/bpf_bpfel.go +++ b/pkg/exporter/testbtf/bpf_bpfel.go @@ -28,9 +28,9 @@ func loadBpf() (*ebpf.CollectionSpec, error) { // // The following types are suitable as obj argument: // -// *bpfObjects -// *bpfPrograms -// *bpfMaps +// *bpfObjects +// *bpfPrograms +// *bpfMaps // // See ebpf.CollectionSpec.LoadAndAssign documentation for details. func loadBpfObjects(obj interface{}, opts *ebpf.CollectionOptions) error { @@ -115,5 +115,6 @@ func _BpfClose(closers ...io.Closer) error { } // Do not access this directly. +// //go:embed bpf_bpfel.o var _BpfBytes []byte diff --git a/pkg/exporter/testbtf/bpf_bpfel.o b/pkg/exporter/testbtf/bpf_bpfel.o index 862c3277..27cee82f 100644 Binary files a/pkg/exporter/testbtf/bpf_bpfel.o and b/pkg/exporter/testbtf/bpf_bpfel.o differ diff --git a/pkg/exporter/testbtf/btf.go b/pkg/exporter/testbtf/btf.go index 561c9988..0a5ba5f5 100644 --- a/pkg/exporter/testbtf/btf.go +++ b/pkg/exporter/testbtf/btf.go @@ -11,7 +11,7 @@ import ( const mapKey uint32 = 0 -//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang bpf ../../bpf/kprobe.c -- -I../../bpf/headers +//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang-16 bpf ../../../bpf/kprobe.c -- -I../../../bpf/headers func btfTest(btf *btf.Spec) error { fn := "sys_execve"