implement opensnoop and uprobe

2-kprobe-unlink/.gitignore

@@ -0,0 +1,6 @@
+.vscode
+package.json
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml

2-kprobe-unlink/README.md

@@ -0,0 +1,66 @@
+# eBPF 入门开发实践指南二：在 eBPF 中使用 kprobe 捕获 unlink 系统调用
+
+eBPF (Extended Berkeley Packet Filter) 是 Linux 内核上的一个强大的网络和性能分析工具。它允许开发者在内核运行时动态加载、更新和运行用户定义的代码。
+
+本文是 eBPF 入门开发实践指南的第二篇，在 eBPF 中使用 kprobe 捕获 unlink 系统调用。
+
+## kprobe
+
+```c
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+SEC("kprobe/do_unlinkat")
+int BPF_KPROBE(do_unlinkat, int dfd, struct filename *name)
+{
+	pid_t pid;
+	const char *filename;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	filename = BPF_CORE_READ(name, name);
+	bpf_printk("KPROBE ENTRY pid = %d, filename = %s\n", pid, filename);
+	return 0;
+}
+
+SEC("kretprobe/do_unlinkat")
+int BPF_KRETPROBE(do_unlinkat_exit, long ret)
+{
+	pid_t pid;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	bpf_printk("KPROBE EXIT: pid = %d, ret = %ld\n", pid, ret);
+	return 0;
+}
+```
+
+
+kprobe 是 eBPF 用于处理内核空间入口和出口（返回）探针（kprobe 和 kretprobe）的一个例子。它将 kprobe 和 kretprobe BPF 程序附加到 do_unlinkat() 函数上，并使用 bpf_printk() 宏分别记录 PID、文件名和返回值。
+
+要编译这个程序，请使用 ecc 工具：
+
+```console
+$ ecc kprobe-link.bpf.c
+Compiling bpf object...
+Packing ebpf object and config into package.json...
+```
+
+然后运行：
+
+```console
+sudo ecli package.json
+```
+
+在 /sys/kernel/debug/tracing/trace_pipe 文件中，应该能看到类似下面的 kprobe 演示输出：
+
+```shell
+$ sudo cat /sys/kernel/debug/tracing/trace_pipe
+              rm-9346    [005] d..3  4710.951696: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test1
+              rm-9346    [005] d..4  4710.951819: bpf_trace_printk: KPROBE EXIT: ret = 0
+              rm-9346    [005] d..3  4710.951852: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test2
+              rm-9346    [005] d..4  4710.951895: bpf_trace_printk: KPROBE EXIT: ret = 0
+```
+

2-kprobe-unlink/kprobe-link.bpf.c

@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+/* Copyright (c) 2021 Sartura */
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+SEC("kprobe/do_unlinkat")
+int BPF_KPROBE(do_unlinkat, int dfd, struct filename *name)
+{
+	pid_t pid;
+	const char *filename;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	filename = BPF_CORE_READ(name, name);
+	bpf_printk("KPROBE ENTRY pid = %d, filename = %s\n", pid, filename);
+	return 0;
+}
+
+SEC("kretprobe/do_unlinkat")
+int BPF_KRETPROBE(do_unlinkat_exit, long ret)
+{
+	pid_t pid;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	bpf_printk("KPROBE EXIT: pid = %d, ret = %ld\n", pid, ret);
+	return 0;
+}