init with documents from eunomia-bpf

2026-04-10 06:08:59 +08:00 · 2022-12-02 19:18:03 +08:00
parent 1179ec171e
commit 81d749a9cc
85 changed files with 11876 additions and 0 deletions
--- a/3-kprobe-unlink/.gitignore
+++ b/3-kprobe-unlink/.gitignore
@@ -0,0 +1,6 @@
+.vscode
+package.json
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml
--- a/3-kprobe-unlink/README.md
+++ b/3-kprobe-unlink/README.md
@@ -0,0 +1,55 @@
+---
+layout: post
+title: kprobe-link
+date: 2022-10-10 16:18
+category: bpftools
+author: yunwei37
+tags: [bpftools, examples, kprobe, no-output]
+summary: an example of dealing with kernel-space entry and exit (return) probes, `kprobe` and `kretprobe` in libbpf lingo
+---
+
+
+`kprobe` is an example of dealing with kernel-space entry and exit (return)
+probes, `kprobe` and `kretprobe` in libbpf lingo. It attaches `kprobe` and
+`kretprobe` BPF programs to the `do_unlinkat()` function and logs the PID,
+filename, and return result, respectively, using `bpf_printk()` macro.
+
+```console
+$ sudo ecli  examples/bpftools/kprobe-link/package.json
+Runing eBPF program...
+```
+
+The `kprobe` demo output in `/sys/kernel/debug/tracing/trace_pipe` should look
+something like this:
+
+```shell
+$ sudo cat /sys/kernel/debug/tracing/trace_pipe
+              rm-9346    [005] d..3  4710.951696: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test1
+              rm-9346    [005] d..4  4710.951819: bpf_trace_printk: KPROBE EXIT: ret = 0
+              rm-9346    [005] d..3  4710.951852: bpf_trace_printk: KPROBE ENTRY pid = 9346, filename = test2
+              rm-9346    [005] d..4  4710.951895: bpf_trace_printk: KPROBE EXIT: ret = 0
+```
+
+## Run
+
+ 
+
+Compile with docker:
+
+```console
+docker run -it -v `pwd`/:/src/ yunwei37/ebpm:latest
+```
+
+or compile with `ecc`:
+
+```console
+$ ecc kprobe-link.bpf.c
+Compiling bpf object...
+Packing ebpf object and config into package.json...
+```
+
+Run:
+
+```console
+sudo ecli examples/bpftools/kprobe-link/package.json
+```
--- a/3-kprobe-unlink/kprobe-link.bpf.c
+++ b/3-kprobe-unlink/kprobe-link.bpf.c
@@ -0,0 +1,30 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+/* Copyright (c) 2021 Sartura */
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+SEC("kprobe/do_unlinkat")
+int BPF_KPROBE(do_unlinkat, int dfd, struct filename *name)
+{
+	pid_t pid;
+	const char *filename;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	filename = BPF_CORE_READ(name, name);
+	bpf_printk("KPROBE ENTRY pid = %d, filename = %s\n", pid, filename);
+	return 0;
+}
+
+SEC("kretprobe/do_unlinkat")
+int BPF_KRETPROBE(do_unlinkat_exit, long ret)
+{
+	pid_t pid;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	bpf_printk("KPROBE EXIT: pid = %d, ret = %ld\n", pid, ret);
+	return 0;
+}