From feeb4e97b1a75cb207043665fc70c6c8c65cf810 Mon Sep 17 00:00:00 2001
From: wubijie
Date: Wed, 21 Jun 2023 12:41:26 +0800
Subject: [PATCH] Use the BPF library to write traces and modify socket tables in the Linux kernel

---
 observation/src/bindsnoop/bindsnoop.bpf.c | 28 ++++++++++++++++++
 observation/src/bindsnoop/bindsnoop.c | 36 +++++++++++++++++++++++
 observation/src/bindsnoop/bindsnoop.h | 31 +++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 observation/src/bindsnoop/bindsnoop.bpf.c
 create mode 100644 observation/src/bindsnoop/bindsnoop.c
 create mode 100644 observation/src/bindsnoop/bindsnoop.h

diff --git a/observation/src/bindsnoop/bindsnoop.bpf.c b/observation/src/bindsnoop/bindsnoop.bpf.c
new file mode 100644
index 00000000..9d1aa85e
--- /dev/null
+++ b/observation/src/bindsnoop/bindsnoop.bpf.c
@@ -0,0 +1,28 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+#include "vmlinux.h"
+#include
+#include
+#include
+#include
+#include "bindsnoop.h"
+
+#define MAX_ENTRIES 10240
+#define MAX_PORTS 1024
+
+const volatile bool filter_memcg = false;
+const volatile pid_t target_pid = 0;
+const volatile bool ignore_errors = true;
+const volatile bool filter_by_port = false;
+
+static int probe_entry(struct pt_regs *ctx, struct socket *socket)
+{
+	__u64 pid_tgid = bpf_get_current_pid_tgid();
+	pid_t tgid = pid_tgid >> 32;
+	pid_t pid = (pid_t)pid_tgid;
+
+	if (target_pid && target_pid != tgid)
+		return 0;
+
+	bpf_map_update_elem(&sockets, &pid, &socket, BPF_ANY);
+	return 0;
+}
\ No newline at end of file
diff --git a/observation/src/bindsnoop/bindsnoop.c b/observation/src/bindsnoop/bindsnoop.c
new file mode 100644
index 00000000..8cb65a49
--- /dev/null
+++ b/observation/src/bindsnoop/bindsnoop.c
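Review bot: `probe_entry` stores into a map named `sockets`, but bindsnoop.bpf.c as added here ends at this function's closing brace and never declares that map, so the object cannot build until the definition lands; the same file also introduces `filter_memcg`, `ignore_errors`, `filter_by_port`, `MAX_ENTRIES` and `MAX_PORTS` without using them, so presumably more of the program is still to come. If so, the map should be declared in this file, keyed by the thread id the function stores and bounded by `MAX_ENTRIES`; a libbpf-style definition is sketched below. The return value of `bpf_map_update_elem` is discarded, so once the table holds `MAX_ENTRIES` entries further entry probes are dropped silently and a later return probe finds nothing for that thread; if that is acceptable for a best-effort tracer, say so with `/* update may fail once the table is full; that bind is then not reported */`. Note also that the entry is keyed by the thread id (`pid`, low 32 bits of `pid_tgid`) while the filter compares the process id (`tgid`), so any lookup in a return probe must use the same thread id.

```c
/* Sockets with a bind in flight, keyed by the calling thread id (see
 * probe_entry) so a matching return probe can find the socket again. */
struct {
	__uint(type, BPF_MAP_TYPE_HASH);
	__uint(max_entries, MAX_ENTRIES);
	__type(key, pid_t);
	__type(value, struct socket *);
} sockets SEC(".maps");

// … unchanged: probe_entry …
```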
@@ -0,0 +1,36 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+#include "commons.h"
+#include "bindsnoop.h"
+#include "bindsnoop.skel.h"
+#include "trace_helpers.h"
+#include "btf_helpers.h"
+
+#include
+#include
+static struct env {
+	char *cgroupspath;
+	bool cg;
+	bool emit_timestamp;
+	pid_t target_pid;
+	bool ignore_errors;
+	char *target_ports;
+	bool verbose;
+} env = {
+	.ignore_errors = true,
+};
+
+static volatile sig_atomic_t exiting;
+
+const char *argp_program_version = "bindsnoop 0.1";
+const char *argp_program_bug_address = "Jackie Liu ";
+
+static const struct argp_option opts[] = {
+	{ "timestamp", 't', NULL, 0, "Include timestamp on output" },
+	{ "cgroup", 'c', "/sys/fs/cgroup/unified", 0, "Trace process in cgroup path" },
+	{ "failed", 'x', NULL, 0, "Include errors on outputs" },
+	{ "pid", 'p', "PID", 0, "Process ID to trace" },
+	{ "ports", 'P', "PORTS", 0, "Comma-separated list of ports to trace" },
+	{ "verbose", 'v', NULL, 0, "Verbose debug output" },
+	{ NULL, 'h', NULL, OPTION_HIDDEN, "Show the full help" },
+	{}
+};
\ No newline at end of file
diff --git a/observation/src/bindsnoop/bindsnoop.h b/observation/src/bindsnoop/bindsnoop.h
new file mode 100644
index 00000000..72f8f4c3
--- /dev/null
+++ b/observation/src/bindsnoop/bindsnoop.h
@@ -0,0 +1,31 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+#ifndef __BINDSNOOP_H
+#define __BINDSNOOP_H
+
+#define TASK_COMM_LEN 16
+
+struct bind_event {
+	unsigned __int128 addr;
+	__u64 ts_us;
+	__u32 pid;
+	__u32 bound_dev_if;
+	int ret;
+	__u16 port;
+	__u16 proto;
+	__u8 opts;
+	__u8 ver;
+	char task[TASK_COMM_LEN];
+};
+
+union bind_options {
+	__u8 data;
+	struct {
+		__u8 freebind : 1;
+		__u8 transparent : 1;
+		__u8 bind_address_no_port : 1;
+		__u8 reuseaddress : 1;
+		__u8 reuseport : 1;
+	} fields;
+};
+
+#endif
-- 
Gitee
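Review bot: In `opts[]` the `--cgroup` entry puts the literal path `"/sys/fs/cgroup/unified"` into argp's argument-name slot, so `--help` prints `-c, --cgroup=/sys/fs/cgroup/unified` and reads like a default, yet `env` sets no default for `cgroupspath` and nothing in this file applies one; a placeholder is more honest: `{ "cgroup", 'c', "PATH", 0, "Trace process in cgroup path" },`. The `env` defaults and the BPF side's `const volatile` knobs (`ignore_errors = true` in both files) must be kept in step by hand; a comment on the struct such as `/* defaults must match the const volatile globals in bindsnoop.bpf.c */` makes that coupling visible. No `main` or argp parser appears in this commit, so `opts`, `env` and `exiting` are unused here and the file ends without a trailing newline (`\ No newline at end of file`), as does bindsnoop.bpf.c in the previous hunk; presumably the rest of the program follows.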
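Review bot: The include guard `__BINDSNOOP_H` begins with two underscores, an identifier range reserved for the implementation; `#ifndef BINDSNOOP_H` / `#define BINDSNOOP_H` avoids the reservation with no other change. The header uses `__u64`/`__u32`/`__u16`/`__u8` and `unsigned __int128` but includes nothing, so it compiles only after `vmlinux.h` (BPF side) or a kernel-types header (userspace) has been pulled in; a leading comment such as `/* Shared by bindsnoop.bpf.c and bindsnoop.c; the includer must provide the __uN kernel types. */` states that contract. The 128-bit `addr` forces 16-byte alignment and leaves trailing padding after `task`; if `bind_event` is the record handed to userspace, the producer should zero-initialise the whole struct rather than assign field by field so the padding never carries stale stack bytes — the producer is not in this commit, so this is a note for that follow-up. A one-line comment above `addr` describing how an IPv4 address is placed in it and how `ver` selects the family would help whoever writes the userspace decoder.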