diff --git a/bpf/accesslog/l24/read_l2.c b/bpf/accesslog/l24/read_l2.c index 0896eeb3..a98f6032 100644 --- a/bpf/accesslog/l24/read_l2.c +++ b/bpf/accesslog/l24/read_l2.c @@ -17,14 +17,18 @@ #include "l24.h" #include "../common/data_args.h" +#include "api.h" -struct netif_receive_skb { - unsigned long long pad; - void * skbaddr; -}; +struct trace_event_raw_net_dev_template { + struct trace_entry ent; + void *skbaddr; + unsigned int len; + __u32 __data_loc_name; + char __data[0]; +} __attribute__((preserve_access_index)) ; SEC("tracepoint/net/netif_receive_skb") -int tracepoint_netif_receive_skb(struct netif_receive_skb *ctx) { +int tracepoint_netif_receive_skb(struct trace_event_raw_net_dev_template *ctx) { struct sk_buff * skb = (struct sk_buff *)ctx->skbaddr; struct net_device *device = _(skb->dev); diff --git a/bpf/accesslog/l24/write_l2.c b/bpf/accesslog/l24/write_l2.c index 2f477dfa..f69937e6 100644 --- a/bpf/accesslog/l24/write_l2.c +++ b/bpf/accesslog/l24/write_l2.c 
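Review bot: `struct trace_event_raw_net_dev_template` in read_l2.c carries no comment saying that it is a local mirror of a kernel type. With `preserve_access_index`, the struct and field names are what the CO-RE relocation is matched on, so a later rename would break the offset lookup rather than just the style. I would add above it `/* Local mirror of the kernel's trace_event_raw_net_dev_template; keep type and field names identical to the kernel's, offsets are relocated via CO-RE. */`. The same comment fits the other `trace_event_raw_*` mirrors added in write_l2.c, write_l4.c, process.c and transfer.c. `tracepoint_netif_receive_skb` continues past the end of this hunk.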
@@ -18,18 +18,38 @@ #include "l24.h" #include "../common/data_args.h" -struct net_dev_start_xmit_args { - unsigned long pad0; - unsigned long pad1; +struct trace_event_raw_net_dev_start_xmit { + struct trace_entry ent; + __u32 __data_loc_name; + __u16 queue_mapping; + const void *skbaddr; + bool vlan_tagged; + __u16 vlan_proto; + __u16 vlan_tci; + __u16 protocol; + __u8 ip_summed; + unsigned int len; + unsigned int data_len; + int network_offset; + bool transport_offset_valid; + int transport_offset; + __u8 tx_flags; + __u16 gso_size; + __u16 gso_segs; + __u16 gso_type; + char __data[0]; +} __attribute__((aligned(8))) __attribute__((preserve_access_index)) ; - void *skb; -}; -struct net_dev_xmit_args { - unsigned long pad0; +struct trace_event_raw_net_dev_xmit { + struct trace_entry ent; + void *skbaddr; + unsigned int len; + int rc; + __u32 __data_loc_name; + char __data[0]; +} __attribute__((preserve_access_index)); - void *skb; -}; SEC("kprobe/__dev_queue_xmit") int dev_queue_emit(struct pt_regs * ctx){ @@ -52,8 +72,8 @@ int dev_queue_emit_ret(struct pt_regs * ctx){ } SEC("tracepoint/net/net_dev_start_xmit") -int tracepoint_net_dev_start_xmit(struct net_dev_start_xmit_args *args) { - struct sk_buff * skb = args->skb; +int tracepoint_net_dev_start_xmit(struct trace_event_raw_net_dev_start_xmit *args) { + struct sk_buff * skb = (struct sk_buff *)args->skbaddr; struct skb_transmit_detail *detail = bpf_map_lookup_elem(&sk_buff_transmit_detail_map, &skb); if (detail != NULL) { detail->l2_start_xmit_time = bpf_ktime_get_ns(); 
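Review bot: In write_l2.c `struct trace_event_raw_net_dev_start_xmit` copies every kernel field plus an `aligned(8)` attribute, yet the handler in the next hunk reads only `args->skbaddr`. Because the struct is `preserve_access_index`, declaring just `struct trace_entry ent;` and the `skbaddr` member should be enough once the relocation is applied, which is how `trace_event_raw_kfree_skb` in write_l4.c is written, and it leaves less to drift from the kernel definition. The `(struct sk_buff *)` cast in `tracepoint_net_dev_start_xmit` also drops the `const` of `const void *skbaddr`; declaring it `void *skbaddr;` as in `trace_event_raw_net_dev_xmit` would keep the two structs consistent.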
@@ -62,8 +82,8 @@ int tracepoint_net_dev_start_xmit(struct net_dev_start_xmit_args *args) { } SEC("tracepoint/net/net_dev_xmit") -int tracepoint_net_dev_xmit(struct net_dev_xmit_args *args) { - struct sk_buff * skb = args->skb; +int tracepoint_net_dev_xmit(struct trace_event_raw_net_dev_xmit *args) { + struct sk_buff * skb = (struct sk_buff *)args->skbaddr; struct skb_transmit_detail *detail = bpf_map_lookup_elem(&sk_buff_transmit_detail_map, &skb); if (detail != NULL) { detail->l2_finish_xmit_time = bpf_ktime_get_ns(); diff --git a/bpf/accesslog/l24/write_l4.c b/bpf/accesslog/l24/write_l4.c index c38ecc65..233574ac 100644 --- a/bpf/accesslog/l24/write_l4.c +++ b/bpf/accesslog/l24/write_l4.c @@ -19,12 +19,14 @@ #include "../common/data_args.h" #include "../common/sock.h" -struct kfree_skb_args { - unsigned long pad; - - void *skb; - void *location; -}; +struct trace_event_raw_kfree_skb { + struct trace_entry ent; + void *skbaddr; + void *location; + short unsigned int protocol; + // enum skb_drop_reason reason; + // char __data[0]; +} __attribute__((preserve_access_index)); SEC("kprobe/tcp_sendmsg") int tcp_sendmsg(struct pt_regs* ctx) { @@ -83,8 +85,8 @@ int tracepoint_tcp_retransmit_skb() { } SEC("tracepoint/skb/kfree_skb") -int kfree_skb(struct kfree_skb_args *args) { - struct sk_buff *skb = args->skb; +int kfree_skb(struct trace_event_raw_kfree_skb *args) { + struct sk_buff *skb = (struct sk_buff *)args->skbaddr; if (skb == NULL) { return 0; } diff --git a/bpf/accesslog/process/process.c b/bpf/accesslog/process/process.c index 7ad67239..ae587402 100644 --- a/bpf/accesslog/process/process.c +++ b/bpf/accesslog/process/process.c 
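Review bot: In write_l4.c the new `struct trace_event_raw_kfree_skb` ends with two commented-out members, `// enum skb_drop_reason reason;` and `// char __data[0];`, with no explanation of why they are left out. If the reason is that `reason` is not present on every supported kernel (my assumption, nothing in the diff says so), state that instead of leaving dead declarations, e.g. `/* 'reason' and '__data' intentionally omitted: unused here and not present on all kernels */`.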
@@ -26,19 +26,17 @@ struct process_execute_event { __u32 pid; }; -struct sched_comm_fork_ctx { - unsigned short common_type; - unsigned char common_flags; - unsigned char common_preempt_count; - int common_pid; - char parent_comm[16]; - pid_t parent_pid; - char child_comm[16]; - pid_t child_pid; -}; +struct trace_event_raw_sched_process_fork { + struct trace_entry ent; + char parent_comm[16]; + __u32 parent_pid; + char child_comm[16]; + __u32 child_pid; + char __data[0]; +} __attribute__((preserve_access_index)) ; SEC("tracepoint/sched/sched_process_fork") -int tracepoint_sched_process_fork(struct sched_comm_fork_ctx* ctx) { +int tracepoint_sched_process_fork(struct trace_event_raw_sched_process_fork* ctx) { __u32 tgid = ctx->parent_pid; // adding to the monitor __u32 v = 1; diff --git a/bpf/accesslog/syscalls/close.c b/bpf/accesslog/syscalls/close.c index d4539c65..a1bc953b 100644 --- a/bpf/accesslog/syscalls/close.c +++ b/bpf/accesslog/syscalls/close.c @@ -21,19 +21,6 @@ #include "../process/process.h" #include "../common/connection.h" -struct trace_point_enter_close { - __u64 pad_0; - int __syscall_nr; - __u32 pad_1; - int fd; -}; -struct trace_point_exit_close { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - __u64 ret; -}; - static __inline void process_close_sock(void* ctx, __u64 id, struct sock_close_args_t *args, int ret) { __u32 tgid = (__u32)(id >> 32); if (args->fd < 0) { 
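Review bot: In process.c `tracepoint_sched_process_fork` still assigns `ctx->parent_pid` to a variable named `tgid`, but the kernel fills that field of sched_process_fork from the forking task's `pid`, which is the thread id. When a non-main thread of a monitored process forks, that value differs from the process's tgid, so if the lookup that follows (outside this hunk) is keyed by tgid the child would not be added to the monitor and its traffic would go unlogged. Since the tracepoint fires in the parent's context as far as I know, `bpf_get_current_pid_tgid() >> 32`, already used by the syscall handlers in this commit, would give the tgid directly. The switch of both pid fields from `pid_t` to `__u32` is only a signedness change but deserves a one-line comment.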
@@ -44,25 +31,25 @@ static __inline void process_close_sock(void* ctx, __u64 id, struct sock_close_a } SEC("tracepoint/syscalls/sys_enter_close") -int tracepoint_enter_close(struct trace_point_enter_close *ctx) { +int tracepoint_enter_close(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct sock_close_args_t close_args = {}; - close_args.fd = ctx->fd; + close_args.fd = (__u32)ctx->args[0]; close_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&closing_args, &id, &close_args, 0); return 0; } SEC("tracepoint/syscalls/sys_exit_close") -int tracepoint_exit_close(struct trace_point_exit_close *ctx) { +int tracepoint_exit_close(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct sock_close_args_t *close_args = bpf_map_lookup_elem(&closing_args, &id); if (close_args) { - process_close_sock(ctx, id, close_args, ctx->ret); + process_close_sock(ctx, id, close_args, (int)ctx->ret); } bpf_map_delete_elem(&closing_args, &id); diff --git a/bpf/accesslog/syscalls/connect.c b/bpf/accesslog/syscalls/connect.c index d1441f7c..061a4eeb 100644 --- a/bpf/accesslog/syscalls/connect.c +++ b/bpf/accesslog/syscalls/connect.c @@ -21,34 +21,6 @@ #include "../process/process.h" #include "../common/connection.h" -struct trace_point_enter_connect { - __u64 pad_0; - int __syscall_nr; - __u32 pad_1; - int fd; - struct sockaddr * uservaddr; -}; -struct trace_point_exit_connect { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - __u64 ret; -}; - -struct trace_point_enter_accept { - __u64 pad_0; - int __syscall_nr; - __u32 pad_1; - int fd; - struct sockaddr * upeer_sockaddr; -}; -struct trace_point_exit_accept { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - long ret; -}; - static __inline void process_connect(void *ctx, __u64 id, struct connect_args_t *connect_args, long ret) { bool success = true; if (ret < 0 && ret != -EINPROGRESS) { 
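Review bot: In close.c `close_args.fd = (__u32)ctx->args[0];` converts the descriptor through an unsigned type, while `process_close_sock` just above tests `args->fd < 0`. The removed `trace_point_enter_close` declared the field as `int fd`, so `close_args.fd = (int)ctx->args[0];` keeps the sign explicit. If `fd` in `sock_close_args_t` is itself unsigned (its definition is not in this diff), the `< 0` guard can never fire and should be revisited. The same `(__u32)ctx->args[0]` cast is repeated in connect.c and throughout transfer.c.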
@@ -71,22 +43,22 @@ static __inline void process_accept(void *ctx, __u64 id, struct accept_args_t *a } SEC("tracepoint/syscalls/sys_enter_connect") -int tracepoint_enter_connect(struct trace_point_enter_connect *ctx) { +int tracepoint_enter_connect(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct connect_args_t connect_args = {}; - connect_args.fd = ctx->fd; - connect_args.addr = ctx->uservaddr; + connect_args.fd = (__u32)ctx->args[0]; + connect_args.addr = (struct sockaddr *)ctx->args[1]; connect_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); return 0; } SEC("tracepoint/syscalls/sys_exit_connect") -int tracepoint_exit_connect(struct trace_point_exit_connect *ctx) { +int tracepoint_exit_connect(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct connect_args_t *connect_args; @@ -110,21 +82,21 @@ int tcp_connect(struct pt_regs *ctx) { } SEC("tracepoint/syscalls/sys_enter_accept") -int tracepoint_enter_accept(struct trace_point_enter_accept *ctx) { +int tracepoint_enter_accept(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct accept_args_t accept_args = {}; - accept_args.addr = ctx->upeer_sockaddr; + accept_args.addr = (struct sockaddr *)ctx->args[1]; accept_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&accepting_args, &id, &accept_args, 0); return 0; } SEC("tracepoint/syscalls/sys_exit_accept") -int tracepoint_exit_accept(struct trace_point_exit_accept *ctx) { +int tracepoint_exit_accept(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct accept_args_t *accept_args = bpf_map_lookup_elem(&accepting_args, &id); if (accept_args) { diff --git a/bpf/accesslog/syscalls/transfer.c b/bpf/accesslog/syscalls/transfer.c index f3a26088..bed6be3f 100644 
--- a/bpf/accesslog/syscalls/transfer.c
+++ b/bpf/accesslog/syscalls/transfer.c
@@ -23,103 +23,26 @@ #include "../l24/l24.h" #include "transfer.h" -struct trace_point_common_exit { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - __u64 ret; -}; -struct trace_point_common_write { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - char * buf; - size_t count; -}; -struct trace_point_common_writev { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - struct iovec * vec; - size_t count; -}; -struct trace_point_common_readv { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - struct iovec * vec; - size_t count; -}; -struct trace_point_common_sendmsg { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - struct user_msghdr * msg; -}; -struct trace_point_common_sendmmsg { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - struct mmsghdr * mmsg; - unsigned int vlen; -}; -struct trace_point_enter_sendto { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - char * buf; - size_t count; - unsigned int flags; - struct sockaddr * addr; -}; -struct trace_point_enter_recvfrom { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - char * buf; - size_t count; - unsigned int flags; - struct sockaddr * addr; -}; -struct trace_point_common_recvmsg { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - struct user_msghdr * msg; -}; -struct trace_point_common_recvmmsg { - __u64 pad_0; - __u32 __syscall_nr; - __u32 pad_1; - int fd; - struct mmsghdr * mmsg; - unsigned int vlen; -}; -struct trace_point_skb_copy_datagram_iovec { - __u64 pad_0; - void *skb; -}; + +struct trace_event_raw_skb_copy_datagram_iovec { + struct trace_entry ent; + const void *skbaddr; + int len; + char __data[0]; +} __attribute__((preserve_access_index)); #define BPF_PROBE_READ_VAR(value, ptr) bpf_probe_read(&value, sizeof(value), ptr) SEC("tracepoint/syscalls/sys_enter_write") -int tracepoint_enter_write(struct trace_point_common_write *ctx) { +int tracepoint_enter_write(struct 
syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; - data_args.buf = ctx->buf; + data_args.fd = (__u32)ctx->args[0]; + data_args.buf = (char *)ctx->args[1]; data_args.start_nacs = bpf_ktime_get_ns(); data_args.data_id = generate_socket_data_id(id, data_args.fd, SOCKET_OPTS_TYPE_WRITE, false); bpf_map_update_elem(&socket_data_args, &id, &data_args, 0); @@ -127,7 +50,7 @@ int tracepoint_enter_write(struct trace_point_common_write *ctx) { } SEC("tracepoint/syscalls/sys_exit_write") -int tracepoint_exit_write(struct trace_point_common_exit *ctx) { +int tracepoint_exit_write(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct sock_data_args_t *data_args = bpf_map_lookup_elem(&socket_data_args, &id); if (data_args && data_args->is_sock_event) { @@ -140,22 +63,22 @@ int tracepoint_exit_write(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sendto") -int tracepoint_enter_sendto(struct trace_point_enter_sendto *ctx) { +int tracepoint_enter_sendto(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } - if (ctx->addr != NULL) { + if ((struct sockaddr *)ctx->args[4] != NULL) { struct connect_args_t connect_args = {}; - connect_args.addr = ctx->addr; - connect_args.fd = ctx->fd; + connect_args.addr = (struct sockaddr *)ctx->args[4]; + connect_args.fd = (__u32)ctx->args[0]; bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; - data_args.buf = ctx->buf; + data_args.fd = (__u32)ctx->args[0]; + data_args.buf = (char *)ctx->args[1]; data_args.start_nacs = bpf_ktime_get_ns(); data_args.data_id = generate_socket_data_id(id, data_args.fd, SOCKET_OPTS_TYPE_SENDTO, false); bpf_map_update_elem(&socket_data_args, &id, &data_args, 0); 
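Review bot: In transfer.c `tracepoint_enter_sendto` fills `connect_args.addr` and `connect_args.fd` before `bpf_map_update_elem(&conecting_args, ...)` but never sets `connect_args.start_nacs`, whereas the sendmsg and sendmmsg handlers in this same diff set it to `bpf_ktime_get_ns()`. Any duration later derived from that entry (presumably in `process_connect`, whose body is not shown) would be measured from zero. Adding `connect_args.start_nacs = bpf_ktime_get_ns();` before the map update fixes it, and `tracepoint_enter_recvfrom` in hunk `@@ -411,22 +334,22 @@` needs the same line. The section name above this function is `tracepoint/syscalls/sendto` while every sibling uses the `sys_enter_`/`sys_exit_` form, which is worth confirming against how the loader attaches it.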
@@ -163,7 +86,7 @@ int tracepoint_enter_sendto(struct trace_point_enter_sendto *ctx) { } SEC("tracepoint/syscalls/sys_exit_sendto") -int tracepoint_exit_sendto(struct trace_point_common_exit *ctx) { +int tracepoint_exit_sendto(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); ssize_t bytes_count = ctx->ret; @@ -184,16 +107,16 @@ int tracepoint_exit_sendto(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_writev") -int tracepoint_enter_writev(struct trace_point_common_writev *ctx) { +int tracepoint_enter_writev(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; - data_args.iovec = ctx->vec; - data_args.iovlen = ctx->count; + data_args.fd = (__u32)ctx->args[0]; + data_args.iovec = (struct iovec *)ctx->args[1]; + data_args.iovlen = (size_t)ctx->args[2]; data_args.start_nacs = bpf_ktime_get_ns(); data_args.data_id = generate_socket_data_id(id, data_args.fd, SOCKET_OPTS_TYPE_WRITE, false); bpf_map_update_elem(&socket_data_args, &id, &data_args, 0); @@ -201,7 +124,7 @@ int tracepoint_enter_writev(struct trace_point_common_writev *ctx) { } SEC("tracepoint/syscalls/sys_exit_writev") -int tracepoint_exit_writev(struct trace_point_common_exit *ctx) { +int tracepoint_exit_writev(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct sock_data_args_t *data_args = bpf_map_lookup_elem(&socket_data_args, &id); if (data_args && data_args->is_sock_event) { 
@@ -214,12 +137,12 @@ int tracepoint_exit_writev(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_sendmsg") -int tracepoint_enter_sendmsg(struct trace_point_common_sendmsg *ctx) { +int tracepoint_enter_sendmsg(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } - struct user_msghdr* msghdr = ctx->msg; + struct user_msghdr* msghdr = (struct user_msghdr*)ctx->args[1]; if (msghdr == NULL) { return 0; } @@ -228,13 +151,13 @@ int tracepoint_enter_sendmsg(struct trace_point_common_sendmsg *ctx) { if (addr != NULL) { struct connect_args_t connect_args = {}; connect_args.addr = addr; - connect_args.fd = ctx->fd; + connect_args.fd = (__u32)ctx->args[0]; connect_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; + data_args.fd = (__u32)ctx->args[0]; data_args.iovec = _(msghdr->msg_iov); data_args.iovlen = _(msghdr->msg_iovlen); data_args.start_nacs = bpf_ktime_get_ns(); @@ -244,7 +167,7 @@ int tracepoint_enter_sendmsg(struct trace_point_common_sendmsg *ctx) { } SEC("tracepoint/syscalls/sys_exit_sendmsg") -int tracepoint_exit_sendmsg(struct trace_point_common_exit *ctx) { +int tracepoint_exit_sendmsg(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); ssize_t bytes_count = ctx->ret; 
@@ -265,13 +188,13 @@ int tracepoint_exit_sendmsg(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_sendmmsg") -int tracepoint_enter_sendmmsg(struct trace_point_common_sendmmsg *ctx) { +int tracepoint_enter_sendmmsg(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } - struct mmsghdr* mmsghdr = ctx->mmsg; - __u32 vlen = ctx->vlen; + struct mmsghdr* mmsghdr = (struct mmsghdr*)ctx->args[1]; + __u32 vlen = (__u32)ctx->args[2]; if (mmsghdr == NULL || vlen <= 0) { return 0; } @@ -280,13 +203,13 @@ int tracepoint_enter_sendmmsg(struct trace_point_common_sendmmsg *ctx) { if (addr != NULL) { struct connect_args_t connect_args = {}; connect_args.addr = addr; - connect_args.fd = ctx->fd; + connect_args.fd = (__u32)ctx->args[0]; connect_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; + data_args.fd = (__u32)ctx->args[0]; struct iovec *msg_iov = _(mmsghdr->msg_hdr.msg_iov); data_args.iovec = msg_iov; size_t msg_iovlen = _(mmsghdr->msg_hdr.msg_iovlen); @@ -299,7 +222,7 @@ int tracepoint_enter_sendmmsg(struct trace_point_common_sendmmsg *ctx) { } SEC("tracepoint/syscalls/sys_exit_sendmmsg") -int tracepoint_exit_sendmmsg(struct trace_point_common_exit *ctx) { +int tracepoint_exit_sendmmsg(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); ssize_t bytes_count = ctx->ret; 
@@ -322,15 +245,15 @@ int tracepoint_exit_sendmmsg(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_read") -int tracepoint_enter_read(struct trace_point_common_write *ctx) { +int tracepoint_enter_read(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; - data_args.buf = ctx->buf; + data_args.fd = (__u32)ctx->args[0]; + data_args.buf = (char *)ctx->args[1]; data_args.start_nacs = bpf_ktime_get_ns(); data_args.data_id = generate_socket_data_id(id, data_args.fd, SOCKET_OPTS_TYPE_READ, false); bpf_map_update_elem(&socket_data_args, &id, &data_args, 0); @@ -338,7 +261,7 @@ int tracepoint_enter_read(struct trace_point_common_write *ctx) { } SEC("tracepoint/syscalls/sys_exit_read") -int tracepoint_exit_read(struct trace_point_common_exit *ctx) { +int tracepoint_exit_read(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct sock_data_args_t *data_args = bpf_map_lookup_elem(&socket_data_args, &id); if (data_args && data_args->is_sock_event) { @@ -351,16 +274,16 @@ int tracepoint_exit_read(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_readv") -int tracepoint_enter_readv(struct trace_point_common_readv *ctx) { +int tracepoint_enter_readv(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; - data_args.iovec = ctx->vec; - data_args.iovlen = ctx->count; + data_args.fd = (__u32)ctx->args[0]; + data_args.iovec = (struct iovec *)ctx->args[1]; + data_args.iovlen = (size_t)ctx->args[2]; data_args.start_nacs = bpf_ktime_get_ns(); data_args.data_id = generate_socket_data_id(id, data_args.fd, SOCKET_OPTS_TYPE_READV, false); bpf_map_update_elem(&socket_data_args, &id, &data_args, 0); 
@@ -368,7 +291,7 @@ int tracepoint_enter_readv(struct trace_point_common_readv *ctx) { } SEC("tracepoint/syscalls/sys_exit_readv") -int tracepoint_exit_readv(struct trace_point_common_exit *ctx) { +int tracepoint_exit_readv(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); struct sock_data_args_t *data_args = bpf_map_lookup_elem(&socket_data_args, &id); if (data_args && data_args->is_sock_event) { @@ -411,22 +334,22 @@ int sys_recv_ret(struct pt_regs* ctx) { } SEC("tracepoint/syscalls/sys_enter_recvfrom") -int tracepoint_enter_recvfrom(struct trace_point_enter_recvfrom *ctx) { +int tracepoint_enter_recvfrom(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } - if (ctx->addr != NULL) { + if ((struct sockaddr *)ctx->args[4] != NULL) { struct connect_args_t connect_args = {}; - connect_args.addr = ctx->addr; - connect_args.fd = ctx->fd; + connect_args.addr = (struct sockaddr *)ctx->args[4]; + connect_args.fd = (__u32)ctx->args[0]; bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; - data_args.buf = ctx->buf; + data_args.fd = (__u32)ctx->args[0]; + data_args.buf = (char *)ctx->args[1]; data_args.start_nacs = bpf_ktime_get_ns(); data_args.data_id = generate_socket_data_id(id, data_args.fd, SOCKET_OPTS_TYPE_RECVFROM, false); bpf_map_update_elem(&socket_data_args, &id, &data_args, 0); @@ -434,7 +357,7 @@ int tracepoint_enter_recvfrom(struct trace_point_enter_recvfrom *ctx) { } SEC("tracepoint/syscalls/sys_exit_recvfrom") -int tracepoint_exit_recvfrom(struct trace_point_common_exit *ctx) { +int tracepoint_exit_recvfrom(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); ssize_t bytes_count = ctx->ret; 
@@ -455,12 +378,12 @@ int tracepoint_exit_recvfrom(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_recvmsg") -int tracepoint_enter_recvmsg(struct trace_point_common_recvmsg *ctx) { +int tracepoint_enter_recvmsg(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } - struct user_msghdr* msghdr = ctx->msg; + struct user_msghdr* msghdr = (struct user_msghdr*)ctx->args[1]; if (msghdr == NULL) { return 0; } @@ -469,13 +392,13 @@ int tracepoint_enter_recvmsg(struct trace_point_common_recvmsg *ctx) { if (addr != NULL) { struct connect_args_t connect_args = {}; connect_args.addr = addr; - connect_args.fd = ctx->fd; + connect_args.fd = (__u32)ctx->args[0]; connect_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; + data_args.fd = (__u32)ctx->args[0]; data_args.iovec = _(msghdr->msg_iov); data_args.iovlen = _(msghdr->msg_iovlen); data_args.start_nacs = bpf_ktime_get_ns(); @@ -485,7 +408,7 @@ int tracepoint_enter_recvmsg(struct trace_point_common_recvmsg *ctx) { } SEC("tracepoint/syscalls/sys_exit_recvmsg") -int tracepoint_exit_recvmsg(struct trace_point_common_exit *ctx) { +int tracepoint_exit_recvmsg(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); ssize_t bytes_count = ctx->ret; 
@@ -506,13 +429,13 @@ int tracepoint_exit_recvmsg(struct trace_point_common_exit *ctx) { } SEC("tracepoint/syscalls/sys_enter_recvmmsg") -int tracepoint_enter_recvmmsg(struct trace_point_common_recvmmsg *ctx) { +int tracepoint_enter_recvmmsg(struct syscall_trace_enter *ctx) { uint64_t id = bpf_get_current_pid_tgid(); if (tgid_should_trace(id >> 32) == false) { return 0; } - struct mmsghdr* mmsghdr = ctx->mmsg; - __u32 vlen = ctx->vlen; + struct mmsghdr* mmsghdr = (struct mmsghdr*)ctx->args[1]; + __u32 vlen = (__u32)ctx->args[2]; if (mmsghdr == NULL || vlen <= 0) { return 0; } @@ -521,13 +444,13 @@ int tracepoint_enter_recvmmsg(struct trace_point_common_recvmmsg *ctx) { if (addr != NULL) { struct connect_args_t connect_args = {}; connect_args.addr = addr; - connect_args.fd = ctx->fd; + connect_args.fd = (__u32)ctx->args[0]; connect_args.start_nacs = bpf_ktime_get_ns(); bpf_map_update_elem(&conecting_args, &id, &connect_args, 0); } struct sock_data_args_t data_args = {}; - data_args.fd = ctx->fd; + data_args.fd = (__u32)ctx->args[0]; struct iovec *msg_iov = _(mmsghdr->msg_hdr.msg_iov); data_args.iovec = msg_iov; size_t msg_iovlen = _(mmsghdr->msg_hdr.msg_iovlen); @@ -540,7 +463,7 @@ int tracepoint_enter_recvmmsg(struct trace_point_common_recvmmsg *ctx) { } SEC("tracepoint/syscalls/sys_exit_recvmmsg") -int tracepoint_exit_recvmmsg(struct trace_point_common_exit *ctx) { +int tracepoint_exit_recvmmsg(struct syscall_trace_exit *ctx) { __u64 id = bpf_get_current_pid_tgid(); ssize_t bytes_count = ctx->ret; 
@@ -563,9 +486,9 @@ int tracepoint_exit_recvmmsg(struct trace_point_common_exit *ctx) { } SEC("tracepoint/skb/skb_copy_datagram_iovec") -int tracepoint_skb_copy_datagram_iovec(struct trace_point_skb_copy_datagram_iovec* ctx) { +int tracepoint_skb_copy_datagram_iovec(struct trace_event_raw_skb_copy_datagram_iovec* ctx) { __u64 id = bpf_get_current_pid_tgid(); - struct sk_buff *buff = ctx->skb; + struct sk_buff *buff = (struct sk_buff *)ctx->skbaddr; struct sock_data_args_t *data_args = bpf_map_lookup_elem(&socket_data_args, &id); if (data_args == NULL) { bpf_map_delete_elem(&sk_buff_receive_detail_map, &buff); diff --git a/bpf/include/api.h b/bpf/include/api.h index be139bf1..f27dd1c8 100644 --- a/bpf/include/api.h +++ b/bpf/include/api.h @@ -46,6 +46,23 @@ typedef enum true=1, false=0 } bool; +struct trace_entry { + short unsigned int type; + unsigned char flags; + unsigned char preempt_count; + int pid; +} __attribute__((preserve_access_index)); +struct syscall_trace_enter { + struct trace_entry ent; + int nr; + long unsigned int args[0]; +} __attribute__((preserve_access_index)); +struct syscall_trace_exit { + struct trace_entry ent; + int nr; + long int ret; +}__attribute__((preserve_access_index)); + struct thread_struct { // x86_64 long unsigned int fsbase;
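Review bot: The tracepoint mirrors added to api.h (`trace_entry`, `syscall_trace_enter`, `syscall_trace_exit`) are all `preserve_access_index`, so every `ctx->args[n]` and `ctx->ret` in this commit now depends on a CO-RE relocation against the running kernel's BTF, where the removed structs used fixed offsets. On a host without kernel BTF the programs would presumably fail to load, which for an access-log agent means no visibility at all. The loader side is not in this diff, so please confirm it reports that case clearly, and document the requirement here, e.g. `/* Kernel tracepoint record mirrors; offsets resolved via CO-RE, requires kernel BTF. */`. Also, `long unsigned int args[0];` is indexed up to `args[4]` in transfer.c, and the flexible form `args[];` states that intent.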