读取 eBPF tracepoint 参数

Read eBPF tracepoint argument

假设我有一个挂接到 chown 函数的跟踪点 eBPF 探测器。

SEC("tracepoint/syscalls/sys_enter_chown")
int bpf_prog(void *ctx) {
  // someone changed ownership of a file
  char msg[] = "Ownership change of file!";
  bpf_trace_printk(msg, sizeof(msg));
}

如何访问通话的上下文?例如,如果我想打印出更改所有权或新所有者的文件怎么办?

TL;DR.sys_enter_chown 的情况下,您的 ctx 参数将具有结构:

struct syscalls_enter_chown_args {
    unsigned long long unused;
    long syscall_nr;
    long filename_ptr;
    long user;
    long group;
};

正如 所指出的,内核中记录了跟踪点挂钩。您可以在 /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format:

找到 sys_enter_chown 参数的完整描述
# cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format 
name: sys_enter_chown
ID: 625
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;

    field:int __syscall_nr; offset:8;   size:4; signed:1;
    field:const char * filename;    offset:16;  size:8; signed:0;
    field:uid_t user;   offset:24;  size:8; signed:0;
    field:gid_t group;  offset:32;  size:8; signed:0;

print fmt: "filename: 0x%08lx, user: 0x%08lx, group: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->user)), ((unsigned long)(REC->group))

您还可以在内核示例中查看 the sample BPF tracepoint program。它实现了您正在寻找的东西,但 sys_enter_open.