Read eBPF tracepoint argument
Suppose I have a tracepoint eBPF probe hooked to the chown function.
SEC("tracepoint/syscalls/sys_enter_chown")
int bpf_prog(void *ctx) {
// someone changed ownership of a file
char msg[] = "Ownership change of file!";
bpf_trace_printk(msg, sizeof(msg));
return 0; // a tracepoint program must return an int (0 = continue normally)
}
How do I access the context of the call? For example, what if I want to print out the file whose ownership changed, or the new owner?
TL;DR. In the case of sys_enter_chown, your ctx argument will have the structure:
struct syscalls_enter_chown_args {
unsigned long long unused;
long syscall_nr;
long filename_ptr;
long user;
long group;
};
As pointed out, the tracepoint hooks are documented in the kernel. You can find the full description of the sys_enter_chown arguments in /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format:
# cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format
name: sys_enter_chown
ID: 625
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:int __syscall_nr; offset:8; size:4; signed:1;
field:const char * filename; offset:16; size:8; signed:0;
field:uid_t user; offset:24; size:8; signed:0;
field:gid_t group; offset:32; size:8; signed:0;
print fmt: "filename: 0x%08lx, user: 0x%08lx, group: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->user)), ((unsigned long)(REC->group))
You can also look at the sample BPF tracepoint program in the kernel samples. It implements what you are looking for, but for sys_enter_open.
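Putting the answer together, here is an added example (not code from the question or answer above) that reads the filename and the new uid/gid from the sys_enter_chown context. It assumes the struct layout derived from the format file above; the SEC macro and the two helper function pointers are minimal stand-ins for <bpf/bpf_helpers.h> so the file also compiles with a host compiler, and their helper IDs (6 and 114) are assumed to match the kernel's enum bpf_func_id.

```c
#include <stddef.h>
#include <stdint.h>

/* Stand-ins for <bpf/bpf_helpers.h>; in a real libbpf build include that
 * header instead. Helper IDs assumed: bpf_trace_printk = 6,
 * bpf_probe_read_user_str = 114. */
#define SEC(name) __attribute__((section(name), used))
static long (*bpf_trace_printk)(const char *fmt, uint32_t fmt_size, ...) = (void *) 6;
static long (*bpf_probe_read_user_str)(void *dst, uint32_t size,
                                       const void *unsafe_ptr) = (void *) 114;

/* Mirrors the offsets printed by the tracepoint's format file:
 * common_* header = 8 bytes, __syscall_nr at 8 (padded to 16),
 * filename at 16, user at 24, group at 32. */
struct syscalls_enter_chown_args {
    unsigned long long unused;   /* common_type/flags/preempt_count/pid */
    long syscall_nr;             /* __syscall_nr */
    long filename_ptr;           /* user-space pointer: not directly readable */
    long user;                   /* uid_t; (uid_t)-1 means "leave unchanged" */
    long group;                  /* gid_t; (gid_t)-1 means "leave unchanged" */
};

/* Sanity check that the struct matches the format file before relying on it. */
static int layout_matches_format(void) {
    return offsetof(struct syscalls_enter_chown_args, filename_ptr) == 16 &&
           offsetof(struct syscalls_enter_chown_args, user) == 24 &&
           offsetof(struct syscalls_enter_chown_args, group) == 32;
}

SEC("tracepoint/syscalls/sys_enter_chown")
int bpf_prog(struct syscalls_enter_chown_args *args) {
    char fname[64];
    char fmt[] = "chown %s uid=%d gid=%d\n";

    /* The filename lives in user memory: copy it onto the BPF stack first,
     * because bpf_trace_printk's %s only dereferences kernel addresses. */
    if (bpf_probe_read_user_str(fname, sizeof(fname),
                                (const void *) args->filename_ptr) < 0)
        return 0;

    /* -1 in the output means the caller did not change that id. */
    bpf_trace_printk(fmt, sizeof(fmt), fname,
                     (int) args->user, (int) args->group);
    return 0;
}
```

The output appears in /sys/kernel/debug/tracing/trace_pipe once the program is attached to the tracepoint.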