kernel/bpf-developer-tutorial
1
0
Fork 0
mirror of https://github.com/eunomia-bpf/bpf-developer-tutorial.git synced 2026-02-03 18:24:27 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix(execsnoop): get the correct process name (#58)

Browse Source 
* fix(execsnoop): get the correct process name

* docs(execsnoop): format the code in the document

* docs(execsnoop): fix the title
This commit is contained in:
Ruidong-X
2023-08-12 18:24:06 +08:00
committed by GitHub
parent 96d4ce04c4
commit 74fa2eb706
3 changed files with 53 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

49
src/7-execsnoop/README.md
View File

@@ -1,4 +1,4 @@
# eBPF 入门实践教程七:捕获进程执行/退出时间,通过 perf event array 向用户态打印输出 # eBPF 入门实践教程七:捕获进程执行事件,通过 perf event array 向用户态打印输出
eBPF (Extended Berkeley Packet Filter) 是 Linux 内核上的一个强大的网络和性能分析工具,它允许开发者在内核运行时动态加载、更新和运行用户定义的代码。 eBPF (Extended Berkeley Packet Filter) 是 Linux 内核上的一个强大的网络和性能分析工具,它允许开发者在内核运行时动态加载、更新和运行用户定义的代码。
@@ -21,12 +21,12 @@ eBPF 提供了两个环形缓冲区,可以用来将信息从 eBPF 程序传输
#define TASK_COMM_LEN 16 #define TASK_COMM_LEN 16
struct event { struct event {
int pid; int pid;
int ppid; int ppid;
int uid; int uid;
int retval; int retval;
bool is_exit; bool is_exit;
char comm[TASK_COMM_LEN]; char comm[TASK_COMM_LEN];
}; };
#endif /* __EXECSNOOP_H */ #endif /* __EXECSNOOP_H */
@@ -42,30 +42,31 @@ struct event {
#include "execsnoop.h" #include "execsnoop.h"
struct { struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
__uint(key_size, sizeof(u32)); __uint(key_size, sizeof(u32));
__uint(value_size, sizeof(u32)); __uint(value_size, sizeof(u32));
} events SEC(".maps"); } events SEC(".maps");
SEC("tracepoint/syscalls/sys_enter_execve") SEC("tracepoint/syscalls/sys_enter_execve")
int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx) int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx)
{ {
u64 id; u64 id;
pid_t pid, tgid; pid_t pid, tgid;
struct event event={0}; struct event event={0};
struct task_struct *task; struct task_struct *task;
uid_t uid = (u32)bpf_get_current_uid_gid(); uid_t uid = (u32)bpf_get_current_uid_gid();
id = bpf_get_current_pid_tgid(); id = bpf_get_current_pid_tgid();
tgid = id >> 32; tgid = id >> 32;
event.pid = tgid; event.pid = tgid;
event.uid = uid; event.uid = uid;
task = (struct task_struct*)bpf_get_current_task(); task = (struct task_struct*)bpf_get_current_task();
event.ppid = BPF_CORE_READ(task, real_parent, tgid); event.ppid = BPF_CORE_READ(task, real_parent, tgid);
bpf_get_current_comm(&event.comm, sizeof(event.comm)); char *cmd_ptr = (char *) BPF_CORE_READ(ctx, args[0]);
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event)); bpf_probe_read_str(&event.comm, sizeof(event.comm), cmd_ptr);
return 0; bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
return 0;
} }
char LICENSE[] SEC("license") = "GPL"; char LICENSE[] SEC("license") = "GPL";

51
src/7-execsnoop/README_en.md
View File

@@ -1,4 +1,4 @@
# eBPF Beginner's Practical Tutorial Seven: Capturing Process Execution/Exit Time, Printing Output to User Space via perf event array # eBPF Beginner's Practical Tutorial Seven: Capturing Process Execution Event, Printing Output to User Space via perf event array
eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel that allows developers to dynamically load, update, and run user-defined code at runtime. eBPF (Extended Berkeley Packet Filter) is a powerful network and performance analysis tool on the Linux kernel that allows developers to dynamically load, update, and run user-defined code at runtime.
@@ -21,12 +21,12 @@ Header file: execsnoop.h
#define TASK_COMM_LEN 16 #define TASK_COMM_LEN 16
struct event { struct event {
int pid; int pid;
int ppid; int ppid;
int uid; int uid;
int retval; int retval;
bool is_exit; bool is_exit;
char comm[TASK_COMM_LEN]; char comm[TASK_COMM_LEN];
}; };
#endif /* __EXECSNOOP_H */ #endif /* __EXECSNOOP_H */
@@ -42,30 +42,31 @@ Source file: execsnoop.bpf.c
#include "execsnoop.h" #include "execsnoop.h"
struct { struct {
__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
__uint(key_size, sizeof(u32)); __uint(key_size, sizeof(u32));
__uint(value_size, sizeof(u32)); __uint(value_size, sizeof(u32));
} events SEC(".maps"); } events SEC(".maps");
SEC("tracepoint/syscalls/sys_enter_execve") SEC("tracepoint/syscalls/sys_enter_execve")
int tracepoint_syscalls_sys_enter_execve(struct trace_event_raw_sys_enter* ctx) int tracepoint_syscalls_sys_enter_execve(struct trace_event_raw_sys_enter* ctx)
{ {
u64 id; u64 id;
pid_t pid, tgid; pid_t pid, tgid;
struct event event={0}; struct event event={0};
struct task_struct *task; struct task_struct *task;
uid_t uid = (u32)bpf_get_current_uid_gid(); uid_t uid = (u32)bpf_get_current_uid_gid();
id = bpf_get_current_pid_tgid(); id = bpf_get_current_pid_tgid();
tgid = id >> 32; tgid = id >> 32;
event.pid = tgid; event.pid = tgid;
event.uid = uid; event.uid = uid;
task = (struct task_struct*)bpf_get_current_task(); task = (struct task_struct*)bpf_get_current_task();
event.ppid = BPF_CORE_READ(task, real_parent, tgid); event.ppid = BPF_CORE_READ(task, real_parent, tgid);
bpf_get_current_comm(&event.comm, sizeof(event.comm)); char *cmd_ptr = (char *) BPF_CORE_READ(ctx, args[0]);
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event)); bpf_probe_read_str(&event.comm, sizeof(event.comm), cmd_ptr);
return 0; bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
return 0;
} }
char LICENSE[] SEC("license") = "GPL"; char LICENSE[] SEC("license") = "GPL";
@@ -73,7 +74,7 @@ char LICENSE[] SEC("license") = "GPL";
This code defines an eBPF program for capturing the entry of the `execve` system call. This code defines an eBPF program for capturing the entry of the `execve` system call.
In the entry program, we first obtain the process ID and user ID of the current process, then use the `bpf_get_current_task` function to obtain the `task_struct` structure of the current process, and use the `bpf_get_current_comm` function to read the process name. Finally, we use the `bpf_perf_event_output` function to output the process execution event to the perf buffer. In the entry program, we first obtain the process ID and user ID of the current process, then use the `bpf_get_current_task` function to obtain the `task_struct` structure of the current process, and use the `bpf_probe_read_str` function to read the process name. Finally, we use the `bpf_perf_event_output` function to output the process execution event to the perf buffer.
With this code, we can capture process execution events in the Linux kernel and analyze the process execution conditions.Instructions: Translate the following Chinese text to English while maintaining the original formatting: With this code, we can capture process execution events in the Linux kernel and analyze the process execution conditions.Instructions: Translate the following Chinese text to English while maintaining the original formatting:

3
src/7-execsnoop/execsnoop.bpf.c Normal file → Executable file
View File

@@ -26,7 +26,8 @@ int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter* ctx
event.uid = uid; event.uid = uid;
task = (struct task_struct*)bpf_get_current_task(); task = (struct task_struct*)bpf_get_current_task();
event.ppid = BPF_CORE_READ(task, real_parent, tgid); event.ppid = BPF_CORE_READ(task, real_parent, tgid);
bpf_get_current_comm(&event.comm, sizeof(event.comm)); char *cmd_ptr = (char *) BPF_CORE_READ(ctx, args[0]);
bpf_probe_read_str(&event.comm, sizeof(event.comm), cmd_ptr);
bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event)); bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
return 0; return 0;
} }