use kprobe on path_get to determine the relevant mount for file opening
def committed Dec 10, 2024
1 parent 803664f commit d7bdc41
Showing 3 changed files with 19 additions and 41 deletions.
4 changes: 0 additions & 4 deletions ebpftracer/Dockerfile
Expand Up @@ -9,14 +9,12 @@ RUN clang -g -O2 -target bpf -D__KERNEL_FROM=416 -D__TARGET_ARCH_x86 -c ebpf.c -
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=420 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf420x86.o && llvm-strip --strip-debug ebpf420x86.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=503 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf503x86.o && llvm-strip --strip-debug ebpf503x86.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=506 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf506x86.o && llvm-strip --strip-debug ebpf506x86.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=507 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf507x86.o && llvm-strip --strip-debug ebpf507x86.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_x86 -c ebpf.c -o ebpf512x86.o && llvm-strip --strip-debug ebpf512x86.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_x86 -D__CTX_EXTRA_PADDING -c ebpf.c -o ebpf512x86cep.o && llvm-strip --strip-debug ebpf512x86cep.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=416 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf416arm64.o && llvm-strip --strip-debug ebpf416arm64.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=420 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf420arm64.o && llvm-strip --strip-debug ebpf420arm64.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=503 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf503arm64.o && llvm-strip --strip-debug ebpf503arm64.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=506 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf506arm64.o && llvm-strip --strip-debug ebpf506arm64.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=507 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf507arm64.o && llvm-strip --strip-debug ebpf507arm64.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_arm64 -c ebpf.c -o ebpf512arm64.o && llvm-strip --strip-debug ebpf512arm64.o
RUN clang -g -O2 -target bpf -D__KERNEL_FROM=512 -D__TARGET_ARCH_arm64 -D__CTX_EXTRA_PADDING -c ebpf.c -o ebpf512arm64cep.o && llvm-strip --strip-debug ebpf512arm64cep.o

Expand All @@ -30,7 +28,6 @@ RUN echo -en '// generated - do not edit\npackage ebpftracer\n\nvar ebpfProgs =
&& echo -en '\t\t{"5.12", "", []byte("' >> ebpf.go && gzip -c ebpf512x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"5.3", "", []byte("' >> ebpf.go && gzip -c ebpf503x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"5.6", "", []byte("' >> ebpf.go && gzip -c ebpf506x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"5.7", "", []byte("' >> ebpf.go && gzip -c ebpf507x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"4.20", "", []byte("' >> ebpf.go && gzip -c ebpf420x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"4.16", "", []byte("' >> ebpf.go && gzip -c ebpf416x86.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t},\n'>> ebpf.go \
Expand All @@ -39,7 +36,6 @@ RUN echo -en '// generated - do not edit\npackage ebpftracer\n\nvar ebpfProgs =
&& echo -en '\t\t{"5.12", "", []byte("' >> ebpf.go && gzip -c ebpf512arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"5.3", "", []byte("' >> ebpf.go && gzip -c ebpf503arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"5.6", "", []byte("' >> ebpf.go && gzip -c ebpf506arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"5.7", "", []byte("' >> ebpf.go && gzip -c ebpf507arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"4.20", "", []byte("' >> ebpf.go && gzip -c ebpf420arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t\t{"4.16", "", []byte("' >> ebpf.go && gzip -c ebpf416arm64.o | base64 -w0 >> ebpf.go && echo '")},' >> ebpf.go \
&& echo -en '\t},\n'>> ebpf.go \
26 changes: 12 additions & 14 deletions ebpftracer/ebpf.go


30 changes: 7 additions & 23 deletions ebpftracer/ebpf/file.c
Expand Up @@ -18,10 +18,6 @@ struct path {
__u64 mnt;
};

struct nameidata {
struct path path;
};

struct file_info {
__u64 mnt;
__u64 log;
Expand Down Expand Up @@ -49,33 +45,21 @@ struct trace_event_raw_sys_enter_openat__stub {
long int flags;
};

static __always_inline
int do_open(struct pt_regs *ctx) {
SEC("kprobe/path_get")
int path_get(struct pt_regs *ctx) {
__u64 id = bpf_get_current_pid_tgid();
struct nameidata nd;
if (bpf_probe_read_kernel(&nd, sizeof(nd), (void *)PT_REGS_PARM1(ctx)) != 0) {
return 0;
}
struct file_info *i = bpf_map_lookup_elem(&open_file_info, &id);
if (!i) {
return 0;
}
i->mnt = nd.path.mnt;
struct path p;
if (bpf_probe_read_kernel(&p, sizeof(p), (void *)PT_REGS_PARM1(ctx)) != 0) {
return 0;
}
i->mnt = p.mnt;
return 0;
}

#if __KERNEL_FROM >= 507
SEC("kprobe/do_open")
int do_open_kprobe(struct pt_regs *ctx) {
return do_open(ctx);
}
#else
SEC("kprobe/do_last")
int do_last_kprobe(struct pt_regs *ctx) {
return do_open(ctx);
}
#endif

static __always_inline
int trace_enter_open(long int flags, char *filename)
{
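Review bot: `path_get` fires far more often than the `do_open`/`do_last` probes it replaces — within a single `openat` the kernel appears to call it for the cwd/root during path initialization and again at every mount crossing, and unrelated code paths in the same thread call it as well — so `i->mnt = p.mnt;` at the end of the probe records the mount of whichever `path_get` ran last before the syscall exits, which is not necessarily the mount of the file that was opened. If that last-writer ordering is what the consumer relies on, it deserves a comment on `path_get()`, e.g. `/* path_get runs several times per openat; the last call before sys_exit_openat is assumed to carry the opened file's mount */`. Because the probe sits on a very hot kernel function, the `open_file_info` lookup is doing real filtering work and should stay ahead of the `bpf_probe_read_kernel` call, as it is here. The sys_exit side that consumes and deletes the map entry is not visible in this commit (ebpf.go is not rendered), so the pairing with this probe could not be checked.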
