pylcc不支持BPF全局变量 #8

lawrencezx opened this issue Feb 28, 2022 · 0 comments

lawrencezx commented Feb 28, 2022

样例:
bpfPog = r"""
#include "lbc.h"

/*
 * Inode mode bits used to classify the traced file.  They are defined here
 * rather than taken from a kernel header -- presumably because lbc.h does not
 * pull in the stat.h constants; confirm against lbc.h before removing them.
 */
#define S_IFMT 00170000
#define S_IFSOCK 0140000
#define S_IFREG 0100000

#define S_ISREG(m) (((m) & S_IFMT) == S_IFREG)
#define S_ISSOCK(m) (((m) & S_IFMT) == S_IFSOCK)

/* Sizes of the fixed name buffers carried in struct file_stat. */
#define PATH_MAX 4096
#define TASK_COMM_LEN 16

/* Which vfs entry point fired; selects the read or write counters in probe_entry(). */
enum op {
	READ,
	WRITE,
};

/*
 * Key of the `entries` hash map: one entry per (inode, device, task) tuple,
 * so the same file opened by two threads is counted separately.
 */
struct file_id {
	__u64 inode;
	__u32 dev;	/* superblock device (s_dev) */
	__u32 rdev;	/* inode device number (i_rdev) */
	__u32 pid;	/* thread-group id, upper half of bpf_get_current_pid_tgid() */
	__u32 tid;	/* task id, lower half of bpf_get_current_pid_tgid() */
};

/*
 * Value of the `entries` hash map: per-file I/O counters plus the identity
 * captured on the first event.  Note the PATH_MAX-sized filename makes this
 * struct several kilobytes, which is why probe_entry() seeds entries from a
 * static template instead of a stack local.
 */
struct file_stat {
	__u64 reads;
	__u64 read_bytes;
	__u64 writes;
	__u64 write_bytes;
	__u32 pid;
	__u32 tid;
	char filename[PATH_MAX];	/* dentry name only (last path component), see get_file_path() */
	char comm[TASK_COMM_LEN];	/* task comm at first event */
	char type;			/* 'R' regular, 'S' socket, 'O' other */
};

#define MAX_ENTRIES 10240
/*
 * Run-time tunables, intended to be set by the loader before the program is
 * attached: 0 means "trace every pid"; regular_file_only drops sockets and
 * other non-regular files.  These `const volatile` globals are the BPF global
 * variables this issue reports pylcc failing on (see the error screenshot).
 */
const volatile pid_t target_pid = 0;
const volatile bool regular_file_only = true;
/* All-zero template copied into the map when a key is first seen. */
static struct file_stat zero_value = {};

/* Per-(file, task) I/O counters, keyed by struct file_id. */
LBC_HASH(entries, struct file_id, struct file_stat, MAX_ENTRIES);

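/*
 * Copy the name of @file's dentry (the last path component, not the full
 * path) into @buf.
 *
 * @file: kernel struct file from the vfs_read()/vfs_write() kprobe.
 * @buf:  destination; on return holds a NUL-terminated name, truncated to
 *        @size - 1 characters if the dentry name is longer.
 * @size: capacity of @buf in bytes.
 *
 * The string helper is used instead of a plain bpf_probe_read_kernel() of
 * @size bytes: a dentry name is normally far shorter than PATH_MAX, and a
 * fixed-size read would copy whatever kernel memory follows the name into
 * the map value, where user space can read it back.  The string helper stops
 * at the terminating NUL and always terminates the destination.  Its return
 * value is ignored on purpose: the caller passes a zero-filled buffer, so a
 * failed read leaves the entry with an empty name rather than aborting the
 * event.
 */
static void get_file_path(struct file *file, char *buf, size_t size)
{
	struct qstr dname;

	dname = BPF_CORE_READ(file, f_path.dentry, d_name);
	bpf_probe_read_kernel_str(buf, size, dname.name);
}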

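/* Map an inode mode to the one-character class stored in file_stat.type. */
static char file_type(int mode)
{
	if (S_ISREG(mode))
		return 'R';
	if (S_ISSOCK(mode))
		return 'S';
	return 'O';
}

/*
 * Common body of the vfs_read()/vfs_write() kprobes.
 *
 * @ctx:   kprobe register context (currently unused; kept so the wrappers
 *         can pass it through unchanged).
 * @file:  file being read or written.
 * @count: byte count requested by the caller of vfs_read()/vfs_write().
 *         This is the requested size, not the number of bytes actually
 *         transferred -- the probe fires on entry, before the result is known.
 * @op:    READ or WRITE; selects which counters to bump.
 *
 * Returns 0 always (kprobe programs' return value is not meaningful here).
 *
 * Filtering: events are dropped when target_pid is set and does not match,
 * or when regular_file_only is set and the inode is not a regular file.
 * The first event for a (file, task) key inserts a zeroed entry and fills in
 * the identity fields; every event then adds to the op's counters.
 */
static int probe_entry(struct pt_regs *ctx, struct file *file, size_t count, enum op op)
{
	__u64 pid_tgid = bpf_get_current_pid_tgid();
	__u32 pid = pid_tgid >> 32;	/* upper half: thread-group id */
	__u32 tid = (__u32)pid_tgid;	/* lower half: task id */
	struct file_id key = {};
	struct file_stat *valuep;
	int mode;

	if (target_pid && target_pid != pid)
		return 0;

	mode = BPF_CORE_READ(file, f_inode, i_mode);
	if (regular_file_only && !S_ISREG(mode))
		return 0;

	key.dev = BPF_CORE_READ(file, f_inode, i_sb, s_dev);
	key.rdev = BPF_CORE_READ(file, f_inode, i_rdev);
	key.inode = BPF_CORE_READ(file, f_inode, i_ino);
	key.pid = pid;
	key.tid = tid;

	valuep = bpf_map_lookup_elem(&entries, &key);
	if (!valuep) {
		/*
		 * First event for this key: insert the static zero template
		 * (presumably static because struct file_stat is too large for
		 * a BPF stack local) and re-lookup to get the in-map copy.
		 */
		bpf_map_update_elem(&entries, &key, &zero_value, BPF_ANY);
		valuep = bpf_map_lookup_elem(&entries, &key);
		if (!valuep)
			return 0;	/* update failed, e.g. map full */
		valuep->pid = pid;
		valuep->tid = tid;
		bpf_get_current_comm(&valuep->comm, sizeof(valuep->comm));
		get_file_path(file, valuep->filename, sizeof(valuep->filename));
		valuep->type = file_type(mode);
	}

	if (op == READ) {
		valuep->reads++;
		valuep->read_bytes += count;
	} else {	/* op == WRITE */
		valuep->writes++;
		valuep->write_bytes += count;
	}
	return 0;
}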

/*
 * kprobe on vfs_read(): account @count requested bytes as a read of @file.
 * @buf and @pos only mirror the traced signature and are not used; @ctx is
 * supplied by the BPF_KPROBE macro.
 */
SEC("kprobe/vfs_read")
int BPF_KPROBE(vfs_read_entry, struct file *file, char *buf, size_t count, loff_t *pos)
{
	int rc;

	rc = probe_entry(ctx, file, count, READ);
	return rc;
}

/*
 * kprobe on vfs_write(): account @count requested bytes as a write of @file.
 * @buf and @pos only mirror the traced signature and are not used; @ctx is
 * supplied by the BPF_KPROBE macro.
 */
SEC("kprobe/vfs_write")
int BPF_KPROBE(vfs_write_entry, struct file *file, const char *buf, size_t count, loff_t *pos)
{
	int rc;

	rc = probe_entry(ctx, file, count, WRITE);
	return rc;
}

/* License string required by the kernel to allow use of GPL-only BPF helpers. */
char LICENSE[] SEC("license") = "Dual BSD/GPL";

报错:
截屏2022-02-28 下午7 51 33
