Reading eBPF tracepoint arguments

Hed*_*dam 1 c linux linux-kernel bpf ebpf

Suppose I have a tracepoint eBPF probe that hooks into the chown function.

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>

SEC("tracepoint/syscalls/sys_enter_chown")
int bpf_prog(void *ctx) {
  // someone changed ownership of a file
  char msg[] = "Ownership change of file!";
  bpf_trace_printk(msg, sizeof(msg));
  return 0;
}

// bpf_trace_printk() is a GPL-only helper, so the program must declare a license
char LICENSE[] SEC("license") = "GPL";

How do I access the call context? For example, what if I want to print the file whose ownership was changed, or the new owner?

pch*_*gno 6

TL;DR. In the case of sys_enter_chown, your ctx argument will have the following structure:

struct syscalls_enter_chown_args {
    unsigned long long unused;   // the common_* header fields (8 bytes)
    long syscall_nr;             // __syscall_nr at offset 8 (4-byte int plus padding)
    long filename_ptr;           // user-space pointer to the path, offset 16
    long user;                   // uid_t at offset 24
    long group;                  // gid_t at offset 32
};

As this SO answer points out, tracepoint hooks are documented in the kernel. You can find the full description of the sys_enter_chown arguments in /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format

# cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format 
name: sys_enter_chown
ID: 625
format:
    field:unsigned short common_type;   offset:0;   size:2; signed:0;
    field:unsigned char common_flags;   offset:2;   size:1; signed:0;
    field:unsigned char common_preempt_count;   offset:3;   size:1; signed:0;
    field:int common_pid;   offset:4;   size:4; signed:1;

    field:int __syscall_nr; offset:8;   size:4; signed:1;
    field:const char * filename;    offset:16;  size:8; signed:0;
    field:uid_t user;   offset:24;  size:8; signed:0;
    field:gid_t group;  offset:32;  size:8; signed:0;

print fmt: "filename: 0x%08lx, user: 0x%08lx, group: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->user)), ((unsigned long)(REC->group))

You can also look at the sample BPF tracepoint program in the kernel samples. It implements what you are looking for, but for sys_enter_open.
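An added example, not code from the question, the answer, or the kernel samples: the check a practitioner wants before hard-coding that struct is that its offsets really match what the kernel reports in the format file, since the layout is only guaranteed by that file, not by the struct. The host-side C below (not a BPF program) parses the format text shown above, embedded here as a constructed string, compares it against the struct from the answer with offsetof, and decodes a constructed 40-byte record by the parsed offsets rather than by assumed ones. kFormat, kRecord and all function names are my own; the code assumes an LP64 little-endian host such as x86-64 Linux.

```c
/* Added example, not code from the question or the answer. Host-side C, not a
 * BPF program: parse a tracepoint "format" file, check the hand-written struct
 * against the parsed offsets, then decode a raw record by those offsets.
 * The format text copies the page; the record is constructed. LP64, little-endian. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 16
struct tp_field { char name[32]; int offset, size; };

struct syscalls_enter_chown_args {   /* layout from the answer, verified below */
    unsigned long long unused;       /* the four common_* header fields */
    long syscall_nr, filename_ptr, user, group;
};

/* Constructed copy of .../tracing/events/syscalls/sys_enter_chown/format */
static const char kFormat[] =
    "name: sys_enter_chown\nID: 625\nformat:\n"
    "\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;\n"
    "\tfield:unsigned char common_flags;\toffset:2;\tsize:1;\tsigned:0;\n"
    "\tfield:unsigned char common_preempt_count;\toffset:3;\tsize:1;\tsigned:0;\n"
    "\tfield:int common_pid;\toffset:4;\tsize:4;\tsigned:1;\n\n"
    "\tfield:int __syscall_nr;\toffset:8;\tsize:4;\tsigned:1;\n"
    "\tfield:const char * filename;\toffset:16;\tsize:8;\tsigned:0;\n"
    "\tfield:uid_t user;\toffset:24;\tsize:8;\tsigned:0;\n"
    "\tfield:gid_t group;\toffset:32;\tsize:8;\tsigned:0;\n\n"
    "print fmt: \"filename: 0x%08lx, user: 0x%08lx, group: 0x%08lx\", ...\n";

/* Parse each "field:TYPE NAME; offset:N; size:S; ..." line into out[];
 * returns the field count, or -1 on a malformed line or overflow. */
int parse_format(const char *text, struct tp_field *out, int max)
{
    int n = 0;
    for (const char *line = text, *end = text; *line; line = end + (*end == '\n')) {
        end = line + strcspn(line, "\n");
        const char *f = strstr(line, "field:");
        if (!f || f > end) continue;                 /* header or print-fmt line */
        const char *semi = strchr(f, ';');
        const char *o = semi ? strstr(semi, "offset:") : NULL;
        const char *s = o ? strstr(o, "size:") : NULL;
        if (n >= max || !s || s > end) return -1;
        const char *ns = semi;                       /* name = last token before ';' */
        while (ns > f + 6 && ns[-1] != ' ' && ns[-1] != '*') ns--;
        size_t nl = (size_t)(semi - ns);
        if (nl == 0 || nl >= sizeof out[n].name) return -1;
        memcpy(out[n].name, ns, nl);
        out[n].name[nl] = '\0';
        out[n].offset = atoi(o + 7);
        out[n].size = atoi(s + 5);
        n++;
    }
    return n;
}

/* Offset of the named field, or -1 if the format does not list it. */
int field_offset(const struct tp_field *f, int n, const char *name)
{
    for (int i = 0; i < n; i++)
        if (strcmp(f[i].name, name) == 0) return f[i].offset;
    return -1;
}

/* 1 if every struct member sits where the kernel says the field is. */
#define OFF(m) ((int)offsetof(struct syscalls_enter_chown_args, m))
int layout_matches(const struct tp_field *f, int n)
{
    return field_offset(f, n, "__syscall_nr") == OFF(syscall_nr)
        && field_offset(f, n, "filename") == OFF(filename_ptr)
        && field_offset(f, n, "user") == OFF(user)
        && field_offset(f, n, "group") == OFF(group);
}

/* Copy the named field out of a raw record by its parsed offset and size;
 * returns 0 on success, -1 if the field is unknown or out of bounds. */
int read_field(const struct tp_field *f, int n, const char *name,
               const uint8_t *rec, size_t rec_len, uint64_t *out)
{
    int i = 0;
    while (i < n && strcmp(f[i].name, name) != 0) i++;
    if (i == n || f[i].offset < 0 || f[i].size < 1 || f[i].size > 8 ||
        (size_t)f[i].offset + (size_t)f[i].size > rec_len) return -1;
    *out = 0;
    memcpy(out, rec + f[i].offset, (size_t)f[i].size);
    return 0;
}

/* Constructed 40-byte record shaped like a sys_enter_chown ctx: type 625,
 * pid 4242, __NR_chown 92 (x86-64), filename pointer, uid 1000, gid 1000. */
static const uint8_t kRecord[40] = {
    0x71, 0x02, 0, 0, 0x92, 0x10, 0, 0,
    0x5c, 0, 0, 0, 0, 0, 0, 0,
    0x78, 0x56, 0x34, 0x12, 0xfd, 0x7f, 0, 0,    /* 0x7ffd12345678 */
    0xe8, 0x03, 0, 0, 0, 0, 0, 0,
    0xe8, 0x03, 0, 0, 0, 0, 0, 0,
};
```

A loader or unit test calls parse_format() on the real format file, refuses to attach if layout_matches() returns 0, and reads fields with read_field() so that a kernel whose layout differs fails loudly instead of producing wrong uids. Two caveats for the BPF side: the filename field is only a pointer into the calling process's address space, so the program has to copy the string with bpf_probe_read_user_str() (bpf_probe_read_str() on kernels before 5.5) before printing it, and both the path and the uid/gid are the values the caller passed at syscall entry, which the process can still change and which the kernel may reject, so they record intent, not the ownership change that actually happened.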