const std = @import("std");
const bpf = @import("bpf");
const BPF = std.os.linux.BPF;
const helpers = BPF.kern.helpers;
const REGS = bpf.Args.REGS;
const TRACE_RECORD = bpf.Args.TRACE_RECORD;
const trace_printk = helpers.trace_printk;
const kprobes = @import("build_options").kprobes;
const syscalls = @import("build_options").syscalls;
/// Per-task scratch storage: keyed by the u64 that `get_current_pid_tgid()`
/// returns at probe entry, holding the entry-time register set until the
/// matching exit probe reads it back. Sized for 0xffff entries; the trailing
/// argument is passed through to `bpf.Map.HashMap` unchanged (presumably map
/// flags — confirm against the library).
/// NOTE(review): nothing in this file removes an entry once the exit probe has
/// consumed it, so the map only grows until it hits max_entries; presumably
/// inserts for new keys then fail and the exit side logs "exit failed" —
/// confirm on the target kernel.
var buffer = bpf.Map.HashMap("buffer", u64, REGS, 0xffff, 0).init();
/// Ring buffer that carries one TRACE_RECORD per completed call out to user
/// space. The numeric arguments go to `bpf.Map.RingBuffer` unchanged (the
/// second presumably sizes the buffer — confirm the unit in the library).
var events = bpf.Map.RingBuffer("events", 16, 0).init();
/// Build the pair of BPF programs that trace one kernel function via kprobe.
///
/// `name` is the traced kernel symbol; `id` is the comptime-assigned index that
/// tags every TRACE_RECORD emitted for it. The returned struct type exists for
/// its side effects only: it exports `<name>_kprobe_entry` and
/// `<name>_kprobe_exit` into the ELF sections named by `bpf.Kprobe`, which is
/// presumably what the loader attaches. Nothing in it is called from Zig.
fn generate_kprobe(comptime name: []const u8, comptime id: u32) type {
    return struct {
        const tracked_func = bpf.Kprobe{ .name = name };

        /// Entry probe: snapshot the full register set under the current
        /// task's pid_tgid so the exit probe can pair it with the return value.
        /// `.any` presumably maps to BPF_ANY (insert-or-overwrite), so a
        /// re-entrant call on the same task replaces the outer snapshot.
        /// The result of `update` is not checked; a failed insert only shows
        /// up later as the "exit failed" path in `kprobe_exit`.
        fn kprobe_entry(regs: *REGS) linksection(tracked_func.entry_section()) callconv(.C) c_long {
            const pid_tgid = helpers.get_current_pid_tgid();
            buffer.update(.any, pid_tgid, regs.*);
            return 0;
        }

        /// Exit probe: patch the saved snapshot with the return register and
        /// publish it as a TRACE_RECORD.
        ///
        /// Returns 0 on success and 1 when no snapshot exists for this task —
        /// the probe was attached while the call was already in flight, or the
        /// entry-side insert failed; that case only logs via trace_printk.
        fn kprobe_exit(regs: *REGS) linksection(tracked_func.exit_section()) callconv(.C) c_long {
            const pid_tgid = helpers.get_current_pid_tgid();
            const saved = buffer.lookup(pid_tgid) orelse {
                // Zig string literals are NUL-terminated; the helper wants the
                // size including that terminator, hence len + 1.
                const msg = "exit failed\n";
                _ = trace_printk(msg, msg.len + 1, 0, 0, 0);
                return 1;
            };
            // NOTE(review): the reservation is dereferenced without a null
            // check; if `reserve` can fail when the ring is full, that path
            // needs handling — confirm the bpf.Map.RingBuffer contract.
            const record = events.reserve(TRACE_RECORD);
            // Overwrite the entry-time return register in place in the map
            // slot, then copy the whole struct into the reserved record.
            saved.ret_ptr().* = regs.ret_ptr().*;
            record.data_ptr.* = .{
                .id = id,
                .tpid = pid_tgid,
                .regs = saved.*,
            };
            record.commit();
            // The snapshot stays in `buffer`; a later exit on this task with
            // no matching entry would find and republish this stale data.
            return 0;
        }

        comptime {
            @export(kprobe_entry, .{ .name = name ++ "_kprobe_entry" });
            @export(kprobe_exit, .{ .name = name ++ "_kprobe_exit" });
        }
    };
}
/// Build the pair of BPF programs that trace one system call via ksyscall.
///
/// Mirrors `generate_kprobe`, but the context is `tracked_syscall.Ctx()`: the
/// register set is not handed over directly and is copied out of the kernel
/// with `probe_read_kernel`. `id` is the comptime-assigned record tag (the
/// caller starts syscall ids after the kprobe ids so both share one
/// namespace). Exports `<name>_syscall_entry` and `<name>_syscall_exit`;
/// nothing here is called from Zig.
fn generate_syscall(comptime name: []const u8, comptime id: u32) type {
    return struct {
        const tracked_syscall = bpf.Ksyscall{ .name = name };

        /// Entry probe: create a zeroed slot for this task, then fill it from
        /// the kernel-side registers behind the syscall arguments.
        ///
        /// Returns 0 on success, 1 if the slot cannot be looked up right after
        /// insertion or `probe_read_kernel` reports a non-zero result.
        /// NOTE(review): on the read-error path the zeroed slot stays in
        /// `buffer`, so the matching `syscall_exit` still emits a record whose
        /// registers are all zero apart from the return value.
        fn syscall_entry(args: *tracked_syscall.Ctx()) linksection(tracked_syscall.entry_section()) callconv(.C) c_long {
            const pid_tgid = helpers.get_current_pid_tgid();
            buffer.update(.any, pid_tgid, std.mem.zeroes(REGS));
            // Look the slot back up to get a pointer into map storage; the
            // kernel read lands directly in that slot.
            const slot = buffer.lookup(pid_tgid) orelse return 1;
            const regs_src = args.get_arg_ctx().get_regs();
            const rc = helpers.probe_read_kernel(slot, @sizeOf(REGS), regs_src);
            return if (rc != 0) 1 else 0;
        }

        /// Exit probe: store the syscall return value into the saved slot and
        /// publish the slot as a TRACE_RECORD.
        ///
        /// Returns 0 on success and 1 (after a trace_printk) when no slot
        /// exists for this task — probe attached mid-call, or the entry-side
        /// insert failed.
        fn syscall_exit(args: *tracked_syscall.Ctx()) linksection(tracked_syscall.exit_section()) callconv(.C) c_long {
            const pid_tgid = helpers.get_current_pid_tgid();
            const saved = buffer.lookup(pid_tgid) orelse {
                // Size includes the literal's NUL terminator.
                const msg = "exit failed\n";
                _ = trace_printk(msg, msg.len + 1, 0, 0, 0);
                return 1;
            };
            const ret_value = args.ret();
            // NOTE(review): no null check on the reservation — confirm whether
            // `reserve` can fail when the ring is full.
            const record = events.reserve(TRACE_RECORD);
            // @bitCast keeps the raw bits of the return value whatever integer
            // type the register field uses.
            saved.ret_ptr().* = @bitCast(ret_value);
            record.data_ptr.* = .{
                .id = id,
                .tpid = pid_tgid,
                .regs = saved.*,
            };
            record.commit();
            return 0;
        }

        comptime {
            @export(syscall_entry, .{ .name = name ++ "_syscall_entry" });
            @export(syscall_exit, .{ .name = name ++ "_syscall_exit" });
        }
    };
}
// Instantiate one probe pair per traced symbol from build_options. Ids come
// from the list position; syscalls continue numbering after the last kprobe,
// so every TRACE_RECORD.id is unique across both kinds. The generated types
// are discarded — the reference is presumably what gets each type analyzed
// and its `@export`s emitted.
comptime {
    for (kprobes, 0..) |symbol, record_id| _ = generate_kprobe(symbol, record_id);
    for (syscalls, kprobes.len..) |symbol, record_id| _ = generate_syscall(symbol, record_id);
}