EBPF -Codes nicht an KPROBE anhängen? ⇐ Linux

[Anonymous]

Mein Linux-System ist WSL2 mit Kernel-5.15.133, und ich habe in Kernel mit KPROBE .

Code: Select all

// kmalloc_counter.c
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include 
#include "bpf_insn.h"

#ifndef __NR_bpf
# define __NR_bpf 321
#endif

#ifndef barrier
# define barrier() asm volatile("" ::: "memory")
#endif

static int sys_bpf(enum bpf_cmd cmd, union bpf_attr *attr, unsigned int size) {
return syscall(__NR_bpf, cmd, attr, size);
}

static int create_map() {
union bpf_attr attr = {
.map_type    = BPF_MAP_TYPE_ARRAY,
.key_size    = sizeof(int),
.value_size  = sizeof(long long),
.max_entries = 1,
};
return sys_bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
}

static int load_prog(int map_fd) {
struct bpf_insn prog[] = {
BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
BPF_ST_MEM(BPF_W, BPF_REG_10, -4, 0),        // *(u32 *)(r10 -4) = 0
BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),       // r2 = fp -4
BPF_LD_MAP_FD(BPF_REG_1, map_fd),            // r1 = map_fd
BPF_RAW_INSN(BPF_JMP|BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 3),       // if (r0 == 0) goto exit
BPF_MOV64_IMM(BPF_REG_1, 1),                 // r1 = 1
BPF_RAW_INSN(BPF_STX|BPF_XADD|BPF_DW, BPF_REG_0, BPF_REG_1, 0, 0), // xadd r0 += r1
BPF_MOV64_REG(BPF_REG_0, BPF_REG_6),         // r0 = r6
BPF_EXIT_INSN(),                             // return
};

union bpf_attr attr = {
.prog_type = BPF_PROG_TYPE_KPROBE,
.insns     = (__u64)prog,
.insn_cnt  = sizeof(prog)/sizeof(prog[0]),
.license   = (__u64)"GPL",
.kern_version = LINUX_VERSION_CODE,
};
return sys_bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
}

static int attach_kprobe(int prog_fd, const char *func) {
int pfd;
struct perf_event_attr attr = {
.type = PERF_TYPE_TRACEPOINT,
.size = sizeof(attr),
.config = 0,
.sample_period = 1,
.sample_type = PERF_SAMPLE_RAW,
};

pfd = syscall(__NR_perf_event_open, &attr, -1, 0, -1, PERF_FLAG_FD_CLOEXEC);
if (pfd < 0) return -1;

if (ioctl(pfd, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0) {
close(pfd);
return -1;
}

if (ioctl(pfd, PERF_EVENT_IOC_ENABLE, 0) < 0) {
close(pfd);
return -1;
}

int fd = open("/sys/kernel/debug/tracing/kprobe_events", O_WRONLY);
if (fd < 0) return -1;
dprintf(fd, "p:myprobe %s\n", func);
close(fd);

return pfd;
}

int main() {
int map_fd, prog_fd, pfd;
int key = 0;
long long value = 0;

if ((map_fd = create_map()) < 0) {
perror("map create failed");
return 1;
}

union bpf_attr update_attr = {
.map_fd = map_fd,
.key    = (__u64)&key,
.value  = (__u64)&value,
.flags  = BPF_ANY,
};
sys_bpf(BPF_MAP_UPDATE_ELEM, &update_attr, sizeof(update_attr));

if ((prog_fd = load_prog(map_fd)) < 0) {
perror("prog load failed");
return 1;
}

if ((pfd = attach_kprobe(prog_fd, "kmalloc")) <  0) {
perror("kprobe attach failed");
return 1;
}

printf("Monitoring kmalloc calls...\n");
while (1) {
union bpf_attr lookup_attr = {
.map_fd = map_fd,
.key    = (__u64)&key,
.value  = (__u64)&value,
};
if (sys_bpf(BPF_MAP_LOOKUP_ELEM, &lookup_attr, sizeof(lookup_attr)) == 0) {
printf("kmalloc calls: %lld\n", value);
}
sleep(1);
}

close(pfd);
return 0;
}
< /code>
debufs

ist montiert at/sys/kernel/debug , Tracefs ist montiert unter /sys/kernel/debug/tracing.
Ich bin ziemlich neu bei EBPF, ich konnte nicht herausfinden, warum Attach_KPROBE