use execsnoop-kernel which btf is not requested

2026-02-09 21:14:57 +08:00 · 2020-07-04 12:59:04 +08:00
parent 3b5378a79d
commit e4437071c9
8 changed files with 118 additions and 11 deletions
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -16,6 +16,7 @@ option(build_tools OFF)
 option(build_test  OFF)

 add_subdirectory(src)
+add_subdirectory(execsnoop-kernel)
 add_subdirectory(pack)
 if (build_tools)
    add_subdirectory(tools)
--- a/execsnoop-kernel/CMakeLists.txt
+++ b/execsnoop-kernel/CMakeLists.txt
@@ -0,0 +1,3 @@
+add_library(execsnoop MODULE execsnoop_share.cpp)
+target_link_libraries(execsnoop PRIVATE bpf)
+install(TARGETS execsnoop DESTINATION ${CMAKE_INSTALL_LIBDIR}/cgproxy/)
--- a/execsnoop-kernel/execsnoop
+++ b/execsnoop-kernel/execsnoop
--- a/execsnoop-kernel/execsnoop_kern.o
+++ b/execsnoop-kernel/execsnoop_kern.o
--- a/execsnoop-kernel/execsnoop_share.cpp
+++ b/execsnoop-kernel/execsnoop_share.cpp
@@ -0,0 +1,83 @@
+
+#include <signal.h>
+#include <bpf/libbpf.h>
+#include <sys/resource.h>
+#include "execsnoop_kern_skel.h"
+#include "execsnoop_share.h"
+
+namespace CGPROXY::EXECSNOOP {
+
+#define PERF_BUFFER_PAGES 64
+#define TASK_COMM_LEN 16
+struct event {
+	char comm[TASK_COMM_LEN];
+	pid_t pid;
+	pid_t tgid;
+	pid_t ppid;
+	uid_t uid;
+};
+
+function<int(int)> callback = NULL;
+promise<void> status;
+
+static void handle_event(void *ctx, int cpu, void *data, __u32 size) {
+  	auto e = static_cast<event*>(data);
+  	if (callback) callback(e->pid);
+}
+
+void handle_lost_events(void *ctx, int cpu, __u64 lost_cnt) {
+	fprintf(stderr, "Lost %llu events on CPU #%d!\n", lost_cnt, cpu);
+}
+
+int bump_memlock_rlimit(void) {
+	struct rlimit rlim_new = { RLIM_INFINITY, RLIM_INFINITY };
+	return setrlimit(RLIMIT_MEMLOCK, &rlim_new);
+}
+
+int execsnoop() {
+	struct perf_buffer_opts pb_opts = {};
+	struct perf_buffer *pb;
+	int err;
+	
+	err = bump_memlock_rlimit();
+	if (err) {
+		fprintf(stderr, "failed to increase rlimit: %d\n", err);
+		return 1;
+	}
+	
+	struct execsnoop_kern *obj=execsnoop_kern__open_and_load();
+	if (!obj) {
+		fprintf(stderr, "failed to open and/or load BPF object\n");
+		return 1;
+	}
+
+	err = execsnoop_kern__attach(obj);
+	if (err) {
+		fprintf(stderr, "failed to attach BPF programs\n");
+		return err;
+	}
+
+	pb_opts.sample_cb = handle_event;
+	pb_opts.lost_cb = handle_lost_events;
+	pb = perf_buffer__new(bpf_map__fd(obj->maps.perf_events), PERF_BUFFER_PAGES, &pb_opts);
+	err = libbpf_get_error(pb);
+	if (err) {
+		printf("failed to setup perf_buffer: %d\n", err);
+		return 1;
+	}
+
+	// notify
+  	status.set_value();
+
+	while ((err = perf_buffer__poll(pb, -1)) >= 0) {}
+	kill(0, SIGINT);
+	return err;
+}
+
+void startThread(function<int(int)> c, promise<void> _status) {
+  status = move(_status);
+  callback = c;
+  execsnoop();
+}
+
+}
--- a/execsnoop-kernel/execsnoop_share.h
+++ b/execsnoop-kernel/execsnoop_share.h
@@ -0,0 +1,18 @@
+#ifndef EXECSNOOP_SHARE_HPP
+#define EXECSNOOP_SHARE_HPP 1
+
+#include <functional>
+#include <future>
+#include <string>
+using namespace std;
+
+namespace CGPROXY::EXECSNOOP {
+
+extern "C" void startThread(function<int(int)> c, promise<void> _status);
+
+// only for dlsym()
+using startThread_t=decltype(startThread);
+startThread_t *_startThread;
+
+} // namespace CGPROXY::EXECSNOOP
+#endif
--- a/execsnoop-kernel/readme.md
+++ b/execsnoop-kernel/readme.md
@@ -41,6 +41,8 @@ using `make V=1 M=samples/bpf | tee -a log.txt` to get and filter following comm

 - build `execsnoop_kern.o`

+  note `-g` is needed if with BPF CO-RE
+
 ```bash
 clang -nostdinc \
 	-isystem /usr/lib/gcc/x86_64-pc-linux-gnu/10.1.0/include \
@@ -108,7 +110,7 @@ bpftool gen skeleton execsnoop_kern.o > execsnoop_kern_skel.h
 - build

 ```
-gcc -Wall -O2 execsnoop_user_1.c -o execsnoop -Wl,-lbpf
+gcc -Wall -O2 execsnoop_user_1.c -o execsnoop -lbpf
 ```

 ## Some resources
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -1,7 +1,7 @@
 find_package(Threads REQUIRED)
 find_package(nlohmann_json REQUIRED)
 include_directories(${PROJECT_SOURCE_DIR})
-include_directories(${PROJECT_SOURCE_DIR}/execsnoop-libbpf/)
+include_directories(${PROJECT_SOURCE_DIR}/execsnoop-kernel/)
 include_directories(${CMAKE_CURRENT_SOURCE_DIR})

 add_executable(main main.cpp
@@ -12,12 +12,12 @@ set_target_properties(main PROPERTIES LINKER_LANGUAGE CXX)
 set_target_properties(main PROPERTIES OUTPUT_NAME cgproxy)
 install(TARGETS main RUNTIME)

-# execsnoop related
-set(execsnoop ${PROJECT_SOURCE_DIR}/execsnoop-libbpf/libexecsnoop.so)
-add_custom_command(OUTPUT ${execsnoop}
-COMMAND make CFLAGS=\"-O2 -Wall -s -DNDEBUG\" libexecsnoop.so
-WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/execsnoop-libbpf
-BYPRODUCTS ${PROJECT_SOURCE_DIR}/execsnoop-libbpf/build
-)
-add_custom_target(execsnoop ALL DEPENDS ${execsnoop})
-install(PROGRAMS ${execsnoop} DESTINATION ${CMAKE_INSTALL_LIBDIR}/cgproxy/)
+# # execsnoop related
+# set(execsnoop ${PROJECT_SOURCE_DIR}/execsnoop-libbpf/libexecsnoop.so)
+# add_custom_command(OUTPUT ${execsnoop}
+#     COMMAND make CFLAGS=\"-O2 -Wall -s -DNDEBUG\" libexecsnoop.so
+#     WORKING_DIRECTORY ${PROJECT_SOURCE_DIR}/execsnoop-libbpf
+#     BYPRODUCTS ${PROJECT_SOURCE_DIR}/execsnoop-libbpf/build
+# )
+# add_custom_target(execsnoop ALL DEPENDS ${execsnoop})
+# install(PROGRAMS ${execsnoop} DESTINATION ${CMAKE_INSTALL_LIBDIR}/cgproxy/)