fix bpf programs with useless attach

6-sigsnoop/README.md

@@ -2,9 +2,9 @@
 
 ## sigsnoop
 
+示例代码如下：
+
 ```c
-// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
-/* Copyright (c) 2021~2022 Hengqi Chen */
 #include <vmlinux.h>
 #include <bpf/bpf_helpers.h>
 #include "sigsnoop.h"
@@ -85,7 +85,6 @@ int tkill_exit(struct trace_event_raw_sys_exit *ctx)
 }
 
 char LICENSE[] SEC("license") = "Dual BSD/GPL";
-
 ```
 
 上面的代码定义了一个 eBPF 程序，用于捕获进程发送信号的系统调用，包括 kill、tkill 和 tgkill。它通过使用 tracepoint 来捕获系统调用的进入和退出事件，并在这些事件发生时执行指定的探针函数，例如 probe_entry 和 probe_exit。

6-sigsnoop/sigsnoop.bpf.c

@@ -64,34 +64,4 @@ int kill_exit(struct trace_event_raw_sys_exit *ctx)
 	return probe_exit(ctx, ctx->ret);
 }
 
-SEC("tracepoint/syscalls/sys_enter_tkill")
-int tkill_entry(struct trace_event_raw_sys_enter *ctx)
-{
-	pid_t tpid = (pid_t)ctx->args[0];
-	int sig = (int)ctx->args[1];
-
-	return probe_entry(tpid, sig);
-}
-
-SEC("tracepoint/syscalls/sys_exit_tkill")
-int tkill_exit(struct trace_event_raw_sys_exit *ctx)
-{
-	return probe_exit(ctx, ctx->ret);
-}
-
-SEC("tracepoint/syscalls/sys_enter_tgkill")
-int tgkill_entry(struct trace_event_raw_sys_enter *ctx)
-{
-	pid_t tpid = (pid_t)ctx->args[1];
-	int sig = (int)ctx->args[2];
-
-	return probe_entry(tpid, sig);
-}
-
-SEC("tracepoint/syscalls/sys_exit_tgkill")
-int tgkill_exit(struct trace_event_raw_sys_exit *ctx)
-{
-	return probe_exit(ctx, ctx->ret);
-}
-
 char LICENSE[] SEC("license") = "Dual BSD/GPL";

6-sigsnoop/sigsnoop.md

@@ -6,80 +6,6 @@
 
 `sigsnoop` 在利用了linux的tracepoint挂载点，其在syscall进入和退出的各个关键挂载点均挂载了执行函数。
 ```c
-SEC("tracepoint/syscalls/sys_enter_kill")
-int kill_entry(struct trace_event_raw_sys_enter *ctx)
-{
-	pid_t tpid = (pid_t)ctx->args[0];
-	int sig = (int)ctx->args[1];
-
-	return probe_entry(tpid, sig);
-}
-
-SEC("tracepoint/syscalls/sys_exit_kill")
-int kill_exit(struct trace_event_raw_sys_exit *ctx)
-{
-	return probe_exit(ctx, ctx->ret);
-}
-
-SEC("tracepoint/syscalls/sys_enter_tkill")
-int tkill_entry(struct trace_event_raw_sys_enter *ctx)
-{
-	pid_t tpid = (pid_t)ctx->args[0];
-	int sig = (int)ctx->args[1];
-
-	return probe_entry(tpid, sig);
-}
-
-SEC("tracepoint/syscalls/sys_exit_tkill")
-int tkill_exit(struct trace_event_raw_sys_exit *ctx)
-{
-	return probe_exit(ctx, ctx->ret);
-}
-
-SEC("tracepoint/syscalls/sys_enter_tgkill")
-int tgkill_entry(struct trace_event_raw_sys_enter *ctx)
-{
-	pid_t tpid = (pid_t)ctx->args[1];
-	int sig = (int)ctx->args[2];
-
-	return probe_entry(tpid, sig);
-}
-
-SEC("tracepoint/syscalls/sys_exit_tgkill")
-int tgkill_exit(struct trace_event_raw_sys_exit *ctx)
-{
-	return probe_exit(ctx, ctx->ret);
-}
-
-SEC("tracepoint/signal/signal_generate")
-int sig_trace(struct trace_event_raw_signal_generate *ctx)
-{
-	struct event event = {};
-	pid_t tpid = ctx->pid;
-	int ret = ctx->errno;
-	int sig = ctx->sig;
-	__u64 pid_tgid;
-	__u32 pid;
-
-	if (failed_only && ret == 0)
-		return 0;
-
-	if (target_signal && sig != target_signal)
-		return 0;
-
-	pid_tgid = bpf_get_current_pid_tgid();
-	pid = pid_tgid >> 32;
-	if (filtered_pid && pid != filtered_pid)
-		return 0;
-
-	event.pid = pid;
-	event.tpid = tpid;
-	event.sig = sig;
-	event.ret = ret;
-	bpf_get_current_comm(event.comm, sizeof(event.comm));
-	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &event, sizeof(event));
-	return 0;
-}
 
 ```