fix bpf programs with useless attach

2026-02-03 18:24:27 +08:00 · 2022-12-06 16:10:45 +08:00
parent 0fd76b02b8
commit c572e7f511
29 changed files with 183 additions and 760 deletions
--- a/4-opensnoop/README.md
+++ b/4-opensnoop/README.md
@@ -9,45 +9,28 @@ eBPF (Extended Berkeley Packet Filter) 是 Linux 内核上的一个强大的网
 首先，我们需要编写一段 eBPF 程序来捕获进程打开文件的系统调用，具体实现如下：

 ```c
-// SPDX-License-Identifier: GPL-2.0
-// Copyright (c) 2019 Facebook
-// Copyright (c) 2020 Netflix
 #include <vmlinux.h>
 #include <bpf/bpf_helpers.h>
-#include "opensnoop.h"

-
-/// Process ID to trace
+/// @description "Process ID to trace"
 const volatile int pid_target = 0;

-SEC("tracepoint/syscalls/sys_enter_open")
-int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx)
-{
-	u64 id = bpf_get_current_pid_tgid();
-	u32 pid = id;
-
-	if (pid_target && pid_target != pid)
-		return false;
-	// Use bpf_printk to print the process information
-	bpf_printk("Process ID: %d enter sys open\n", pid);
-	return 0;
-}
-
 SEC("tracepoint/syscalls/sys_enter_openat")
 int tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter* ctx)
 {
-	u64 id = bpf_get_current_pid_tgid();
-	u32 pid = id;
+ u64 id = bpf_get_current_pid_tgid();
+ u32 pid = id;

-	if (pid_target && pid_target != pid)
-		return false;
-	// Use bpf_printk to print the process information
-	bpf_printk("Process ID: %d enter sys openat\n", pid);
-	return 0;
+ if (pid_target && pid_target != pid)
+  return false;
+ // Use bpf_printk to print the process information
+ bpf_printk("Process ID: %d enter sys openat\n", pid);
+ return 0;
 }

-/// Trace open family syscalls.
+/// "Trace open family syscalls."
 char LICENSE[] SEC("license") = "GPL";
+
 ```

 上面的 eBPF 程序通过定义两个函数 tracepoint__syscalls__sys_enter_open 和 tracepoint__syscalls__sys_enter_openat 并使用 SEC 宏把它们附加到 sys_enter_open 和 sys_enter_openat 两个 tracepoint（即在进入 open 和 openat 系统调用时执行）。这两个函数通过使用 bpf_get_current_pid_tgid 函数获取调用 open 或 openat 系统调用的进程 ID，并使用 bpf_printk 函数在内核日志中打印出来。
@@ -66,9 +49,7 @@ Runing eBPF program...

 ```console
 $ sudo cat /sys/kernel/debug/tracing/trace_pipe
-           <...>-3840345 [010] d... 3220701.101143: bpf_trace_printk: Process ID: 3840345 enter sys open
           <...>-3840345 [010] d... 3220701.101179: bpf_trace_printk: Process ID: 3840345 enter sys openat
-           <...>-3840345 [010] d... 3220702.157967: bpf_trace_printk: Process ID: 3840345 enter sys open
           <...>-3840345 [010] d... 3220702.158000: bpf_trace_printk: Process ID: 3840345 enter sys openat
 ```

@@ -80,12 +61,39 @@ $ sudo cat /sys/kernel/debug/tracing/trace_pipe

 可以通过执行 ecli -h 命令来查看 opensnoop 的帮助信息：

-```c
+```console
+$ ecli package.json -h
+Usage: opensnoop_bpf [--help] [--version] [--verbose] [--pid_target VAR]

+Trace open family syscalls.
+
+Optional arguments:
+  -h, --help    shows help message and exits 
+  -v, --version prints version information and exits 
+  --verbose     prints libbpf debug information 
+  --pid_target  Process ID to trace 
+
+Built with eunomia-bpf framework.
+See https://github.com/eunomia-bpf/eunomia-bpf for more information.
+```
+
+可以通过 --pid_target 参数来指定要捕获的进程的 pid，例如：
+
+```console
+$ sudo ./ecli run package.json  --pid_target 618
+Runing eBPF program...
+```
+
+运行这段程序后，可以通过查看 /sys/kernel/debug/tracing/trace_pipe 文件来查看 eBPF 程序的输出：
+
+```console
+$ sudo cat /sys/kernel/debug/tracing/trace_pipe
+           <...>-3840345 [010] d... 3220701.101179: bpf_trace_printk: Process ID: 618 enter sys openat
+           <...>-3840345 [010] d... 3220702.158000: bpf_trace_printk: Process ID: 618 enter sys openat
 ```

 ## 总结

 本文介绍了如何使用 eBPF 程序来捕获进程打开文件的系统调用。在 eBPF 程序中，我们可以通过定义 tracepoint__syscalls__sys_enter_open 和 tracepoint__syscalls__sys_enter_openat 函数并使用 SEC 宏把它们附加到 sys_enter_open 和 sys_enter_openat 两个 tracepoint 来捕获进程打开文件的系统调用。在这两个函数中，我们可以使用 bpf_get_current_pid_tgid 函数获取调用 open 或 openat 系统调用的进程 ID，并使用 bpf_printk 函数在内核日志中打印出来。在 eBPF 程序中，我们还可以通过定义一个全局变量 pid_target 来指定要捕获的进程的 pid，从而过滤输出，只输出指定的进程的信息。

-更多的例子和详细的开发指南，请参考 eunomia-bpf 的官方文档：https://github.com/eunomia-bpf/eunomia-bpf
+更多的例子和详细的开发指南，请参考 eunomia-bpf 的官方文档：<https://github.com/eunomia-bpf/eunomia-bpf>
--- a/4-opensnoop/opensnoop.bpf.c
+++ b/4-opensnoop/opensnoop.bpf.c
@@ -1,27 +1,9 @@
-// SPDX-License-Identifier: GPL-2.0
-// Copyright (c) 2019 Facebook
-// Copyright (c) 2020 Netflix
 #include <vmlinux.h>
 #include <bpf/bpf_helpers.h>
-#include "opensnoop.h"

-
-/// Process ID to trace
+/// @description "Process ID to trace"
 const volatile int pid_target = 0;

-SEC("tracepoint/syscalls/sys_enter_open")
-int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx)
-{
-	u64 id = bpf_get_current_pid_tgid();
-	u32 pid = id;
-
-	if (pid_target && pid_target != pid)
-		return false;
-	// Use bpf_printk to print the process information
-	bpf_printk("Process ID: %d enter sys open\n", pid);
-	return 0;
-}
-
 SEC("tracepoint/syscalls/sys_enter_openat")
 int tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter* ctx)
 {
@@ -35,5 +17,5 @@ int tracepoint__syscalls__sys_enter_openat(struct trace_event_raw_sys_enter* ctx
 	return 0;
 }

-/// Trace open family syscalls.
+/// "Trace open family syscalls."
 char LICENSE[] SEC("license") = "GPL";
--- a/4-opensnoop/opensnoop.h
+++ b/4-opensnoop/opensnoop.h
@@ -1,21 +0,0 @@
-/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
-#ifndef __OPENSNOOP_H
-#define __OPENSNOOP_H
-
-#define TASK_COMM_LEN 16
-#define NAME_MAX 255
-#define INVALID_UID ((uid_t)-1)
-
-// used for export event
-struct event {
-	/* user terminology for pid: */
-	unsigned long long ts;
-	int pid;
-	int uid;
-	int ret;
-	int flags;
-	char comm[TASK_COMM_LEN];
-	char fname[NAME_MAX];
-};
-
-#endif /* __OPENSNOOP_H */