lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Fri, 12 Feb 2016 10:11:28 -0600
From:	Tom Zanussi <tom.zanussi@...ux.intel.com>
To:	ast@...mgrid.com, rostedt@...dmis.org
Cc:	masami.hiramatsu.pt@...achi.com, namhyung@...nel.org,
	peterz@...radead.org, linux-kernel@...r.kernel.org,
	Tom Zanussi <tom.zanussi@...ux.intel.com>
Subject: [RFC][PATCH 10/10] samples/bpf: Add kprobe-event-fields example

This is a simple demonstration of an eBPF program attached to both a
kprobe trace event ("event/kprobe/...") and the same event through a
static trace event ("event/subsys:event".  The common_pid, name, and
len fields in the netif_receive_skb static trace event here are the
values grabbed from the event and printed.  The common_pid value for
the __netif_receive_skb_core kprobe event here is also the value
grabbed from the kprobe trace event.

Example output:

  # ./kprobe-event-fields
              ping-4074  [000] d.s1   131.098630: : __netif_receive_skb_core kprobe fields:  common_pid = 4074
              ping-4074  [000] ..s1   131.098653: : netif_receive_skb trace event fields:  common_pid = 4074, name = lo, len 84

Signed-off-by: Tom Zanussi <tom.zanussi@...ux.intel.com>
---
 samples/bpf/Makefile                   |  4 +++
 samples/bpf/kprobe-event-fields_kern.c | 56 ++++++++++++++++++++++++++++++++++
 samples/bpf/kprobe-event-fields_user.c | 25 +++++++++++++++
 3 files changed, 85 insertions(+)
 create mode 100644 samples/bpf/kprobe-event-fields_kern.c
 create mode 100644 samples/bpf/kprobe-event-fields_user.c

diff --git a/samples/bpf/Makefile b/samples/bpf/Makefile
index d7af8d5..6b9ceae 100644
--- a/samples/bpf/Makefile
+++ b/samples/bpf/Makefile
@@ -17,6 +17,7 @@ hostprogs-y += tracex6
 hostprogs-y += trace_output
 hostprogs-y += lathist
 hostprogs-y += readcounts-by-pid
+hostprogs-y += kprobe-event-fields
 
 test_verifier-objs := test_verifier.o libbpf.o
 test_maps-objs := test_maps.o libbpf.o
@@ -34,6 +35,7 @@ tracex6-objs := bpf_load.o libbpf.o tracex6_user.o
 trace_output-objs := bpf_load.o libbpf.o trace_output_user.o
 lathist-objs := bpf_load.o libbpf.o lathist_user.o
 readcounts-by-pid-objs := bpf_load.o libbpf.o readcounts-by-pid_user.o
+kprobe-event-fields-objs := bpf_load.o libbpf.o kprobe-event-fields_user.o
 
 # Tell kbuild to always build the programs
 always := $(hostprogs-y)
@@ -50,6 +52,7 @@ always += trace_output_kern.o
 always += tcbpf1_kern.o
 always += lathist_kern.o
 always += readcounts-by-pid_kern.o
+always += kprobe-event-fields_kern.o
 
 HOSTCFLAGS += -I$(objtree)/usr/include
 
@@ -67,6 +70,7 @@ HOSTLOADLIBES_tracex6 += -lelf
 HOSTLOADLIBES_trace_output += -lelf -lrt
 HOSTLOADLIBES_lathist += -lelf
 HOSTLOADLIBES_readcounts-by-pid += -lelf
+HOSTLOADLIBES_kprobe-event-fields += -lelf
 
 # point this to your LLVM backend with bpf support
 LLC=$(srctree)/tools/bpf/llvm/bld/Debug+Asserts/bin/llc
diff --git a/samples/bpf/kprobe-event-fields_kern.c b/samples/bpf/kprobe-event-fields_kern.c
new file mode 100644
index 0000000..3d01e08
--- /dev/null
+++ b/samples/bpf/kprobe-event-fields_kern.c
@@ -0,0 +1,56 @@
+/* Copyright (c) 2016 Intel Corporation
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of version 2 of the GNU General Public
+ * License as published by the Free Software Foundation.
+ */
+
+#include <uapi/linux/bpf.h>
+#include <linux/version.h>
+#include "bpf_helpers.h"
+
+/*
+ * With kprobes and event/kprobe/xxx, we can access the common trace
+ * event fields:
+ */
+SEC("event/kprobe/__netif_receive_skb_core")
+int bpf_prog1(void *ctx)
+{
+	int common_pid;
+
+	char common_pid_field[] = "common_pid";
+	common_pid = bpf_trace_event_field_read(ctx, common_pid_field);
+
+	char fmt[] = "__netif_receive_skb_core kprobe fields:  common_pid = %d\n";
+	bpf_trace_printk(fmt, sizeof(fmt), common_pid);
+
+	return 1;
+}
+
+/*
+ * Without the event/kprobe, we can access all the static trace event
+ * fields:
+ */
+SEC("event/net:netif_receive_skb")
+int bpf_prog2(void *ctx)
+{
+	char name[256] = {};
+	int len, common_pid;
+
+	char len_field[] = "len";
+	len = bpf_trace_event_field_read(ctx, len_field);
+
+	char name_field[] = "name";
+	bpf_trace_event_field_read_string(ctx, name_field, name, sizeof(name));
+
+	char common_pid_field[] = "common_pid";
+	common_pid = bpf_trace_event_field_read(ctx, common_pid_field);
+
+	char fmt[] = "netif_receive_skb trace event fields:  common_pid = %d, name = %s, len %d\n";
+	bpf_trace_printk(fmt, sizeof(fmt), common_pid, name, len);
+
+	return 1;
+}
+
+char _license[] SEC("license") = "GPL";
+u32 _version SEC("version") = LINUX_VERSION_CODE;
diff --git a/samples/bpf/kprobe-event-fields_user.c b/samples/bpf/kprobe-event-fields_user.c
new file mode 100644
index 0000000..31a4818
--- /dev/null
+++ b/samples/bpf/kprobe-event-fields_user.c
@@ -0,0 +1,25 @@
+#include <stdio.h>
+#include <linux/bpf.h>
+#include <unistd.h>
+#include "libbpf.h"
+#include "bpf_load.h"
+
+int main(int ac, char **argv)
+{
+	FILE *f;
+	char filename[256];
+
+	snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+
+	if (load_bpf_file(filename)) {
+		printf("%s", bpf_log_buf);
+		return 1;
+	}
+
+	f = popen("taskset 1 ping -c5 localhost", "r");
+	(void) f;
+
+	read_trace_pipe();
+
+	return 0;
+}
-- 
1.9.3

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ