init with documents from eunomia-bpf

5-uprobe-bashreadline/.gitignore

@@ -0,0 +1,7 @@
+.vscode
+package.json
+ecli
+*.o
+*.skel.json
+*.skel.yaml
+package.yaml

5-uprobe-bashreadline/README.md

@@ -0,0 +1,79 @@
+---
+layout: post
+title: bootstrap
+date: 2022-10-10 16:18
+category: bpftools
+author: yunwei37
+tags: [bpftools, examples, uprobe, perf event]
+summary: an example of a simple (but realistic) BPF application prints bash commands from all running bash shells on the system. 
+---
+
+
+
+This prints bash commands from all running bash shells on the system. 
+
+## System requirements:
+
+- Linux kernel > 5.5
+- Eunomia's [ecli](https://github.com/eunomia-bpf/eunomia-bpf/tree/master/ecli) installed
+
+
+## Run
+
+- Compile:
+
+  ```shell
+  docker run -it -v `pwd`/:/src/ yunwei37/ebpm:latest
+  ```
+
+  or
+
+  ```shell
+  ecc bashreadline.bpf.c bashreadline.h
+  ```
+
+- Run:
+
+  ```console
+  $ sudo ./ecli run eunomia-bpf/examples/bpftools/bootstrap/package.json
+  TIME      PID    STR
+  11:17:34  28796  whoami
+  11:17:41  28796  ps -ef
+  11:17:51  28796  echo "Hello eBPF!"
+  ```
+
+## details in bcc
+
+
+```
+Demonstrations of bashreadline, the Linux eBPF/bcc version.
+
+This prints bash commands from all running bash shells on the system. For
+example:
+
+# ./bashreadline
+TIME      PID    COMMAND
+05:28:25  21176  ls -l
+05:28:28  21176  date
+05:28:35  21176  echo hello world
+05:28:43  21176  foo this command failed
+05:28:45  21176  df -h
+05:29:04  3059   echo another shell
+05:29:13  21176  echo first shell again
+
+When running the script on Arch Linux, you may need to specify the location
+of libreadline.so library:
+
+# ./bashreadline -s /lib/libreadline.so
+TIME      PID    COMMAND
+11:17:34  28796  whoami
+11:17:41  28796  ps -ef
+11:17:51  28796  echo "Hello eBPF!"
+
+
+The entered command may fail. This is just showing what command lines were
+entered interactively for bash to process.
+
+It works by tracing the return of the readline() function using uprobes
+(specifically a uretprobe).
+```

5-uprobe-bashreadline/bashreadline.bpf.c

@@ -0,0 +1,48 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+/* Copyright (c) 2021 Facebook */
+#include <vmlinux.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include "bashreadline.h"
+
+#define TASK_COMM_LEN 16
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+	__uint(key_size, sizeof(__u32));
+	__uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+/* Format of u[ret]probe section definition supporting auto-attach:
+ * u[ret]probe/binary:function[+offset]
+ *
+ * binary can be an absolute/relative path or a filename; the latter is resolved to a
+ * full binary path via bpf_program__attach_uprobe_opts.
+ *
+ * Specifying uprobe+ ensures we carry out strict matching; either "uprobe" must be
+ * specified (and auto-attach is not possible) or the above format is specified for
+ * auto-attach.
+ */
+SEC("uprobe//bin/bash:readline")
+int BPF_KRETPROBE(printret, const void *ret) {
+	struct str_t data;
+	char comm[TASK_COMM_LEN];
+	u32 pid;
+
+	if (!ret)
+		return 0;
+
+	bpf_get_current_comm(&comm, sizeof(comm));
+	if (comm[0] != 'b' || comm[1] != 'a' || comm[2] != 's' || comm[3] != 'h' || comm[4] != 0 )
+		return 0;
+
+	pid = bpf_get_current_pid_tgid() >> 32;
+	data.pid = pid;
+	bpf_probe_read_user_str(&data.str, sizeof(data.str), ret);
+
+	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
+
+	return 0;
+};
+
+char LICENSE[] SEC("license") = "GPL";

5-uprobe-bashreadline/bashreadline.h

@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
+/* Copyright (c) 2021 Facebook */
+#ifndef __BASHREADLINE_H
+#define __BASHREADLINE_H
+
+#define MAX_LINE_SIZE 80
+
+struct str_t {
+	__u32 pid;
+	char str[MAX_LINE_SIZE];
+};
+
+#endif /* __BASHREADLINE_H */