Let's get the BPF party on

54shady · 54shady · commit 695dfde6cd1f · 2021-08-25T15:38:49.000+08:00
diff --git a/bpf/README.md b/bpf/README.md
@@ -0,0 +1,43 @@
+# BPF samples
+
+## Usage
+
+使用对应文件
+
+	ln -s $PWD/demo_kern.c /usr/src/linux/samples/bpf
+	ln -s $PWD/demo_user.c /usr/src/linux/samples/bpf
+
+修改makefile(/usr/src/linux/samples/bpf/Makefile)
+
+添加目标(demo)
+
+	tprogs-y += demo
+
+demo依赖demo_user
+
+	demo-objs := demo_user.o $(TRACE_HELPERS)
+
+编译对应的bpf模块
+
+	always-y += demo_kern.o
+
+需要县编译好内核并安装头文件
+
+	cd /usr/src/linux
+	make defconfig && make && make headers_install
+
+编译bpf模块
+
+	make M=samples/bpf
+
+或者在bpf目录编译
+
+	cd /usr/src/linux/samples/bpf && make
+
+用file查看下编译输出文件(demo_user.o和demo_kern.o)
+
+	demo_user.o: ELF 64-bit LSB relocatable, x86-64, version 1 (SYSV), not stripped
+	demo_kern.o: ELF 64-bit LSB relocatable, eBPF, version 1 (SYSV), with debug_info, not stripped
+
+- demo_kern.c中的文件是被编译成eBPF的二进制文件,是要被eBPF虚拟机执行的代码
+- demo_user.c是将eBPF二进制文件加载到内核的代码
diff --git a/bpf/demo_kern.c b/bpf/demo_kern.c
@@ -0,0 +1,36 @@
+#include <linux/ptrace.h>
+#include <linux/version.h>
+#include <uapi/linux/bpf.h>
+#include <uapi/linux/seccomp.h>
+#include <uapi/linux/unistd.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+struct {
+	__uint(type, BPF_MAP_TYPE_PROG_ARRAY);
+	__uint(key_size, sizeof(u32));
+	__uint(value_size, sizeof(u32));
+	__uint(max_entries, 1024);
+} progs SEC(".maps");
+
+/*
+ * /sys/kernel/debug/tracing/events/syscalls/sys_enter_execve
+ * 通过监控内核中系统调用execve
+ * 当系统中调用了这个系统调用的话就会调用mybpfprog函数
+ *
+ * 编译好程序后执行./demo
+ *
+ * 然后打开一个新终端,输入一些命令即可看到结果
+ */
+SEC("tracepoint/syscalls/sys_enter_execve")
+int mybpfprog(struct pt_regs *ctx)
+{
+	char msg[] = "Hello, BPF World!";
+
+	bpf_trace_printk(msg, sizeof(msg));
+
+	return 0;
+}
+
+char _license[] SEC("license") = "GPL";
+u32 _version SEC("version") = LINUX_VERSION_CODE;
diff --git a/bpf/demo_user.c b/bpf/demo_user.c
@@ -0,0 +1,69 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <linux/filter.h>
+#include <linux/seccomp.h>
+#include <sys/prctl.h>
+#include <bpf/bpf.h>
+#include <bpf/libbpf.h>
+#include <sys/resource.h>
+#include "trace_helpers.h"
+
+int main(int argc, char *argv[])
+{
+	struct bpf_link *link = NULL;
+	struct bpf_program *prog;
+	struct bpf_object *obj;
+	int key, fd, progs_fd;
+	const char *section;
+	char filename[256];
+
+	snprintf(filename, sizeof(filename), "%s_kern.o", argv[0]);
+	obj = bpf_object__open_file(filename, NULL);
+	if (libbpf_get_error(obj)) {
+		fprintf(stderr, "ERROR: opening BPF object file failed\n");
+		return 0;
+	}
+
+	prog = bpf_object__find_program_by_name(obj, "mybpfprog");
+	if (!prog) {
+		printf("finding a prog in obj file failed\n");
+		goto cleanup;
+	}
+
+	/* load BPF program */
+	if (bpf_object__load(obj)) {
+		fprintf(stderr, "ERROR: loading BPF object file failed\n");
+		goto cleanup;
+	}
+
+	link = bpf_program__attach(prog);
+	if (libbpf_get_error(link)) {
+		fprintf(stderr, "ERROR: bpf_program__attach failed\n");
+		link = NULL;
+		goto cleanup;
+	}
+
+	progs_fd = bpf_object__find_map_fd_by_name(obj, "progs");
+	if (progs_fd < 0) {
+		fprintf(stderr, "ERROR: finding a map in obj file failed\n");
+		goto cleanup;
+	}
+
+	bpf_object__for_each_program(prog, obj) {
+		section = bpf_program__section_name(prog);
+		/* register only syscalls to PROG_ARRAY */
+		if (sscanf(section, "kprobe/%d", &key) != 1)
+			continue;
+
+		fd = bpf_program__fd(prog);
+		bpf_map_update_elem(progs_fd, &key, &fd, BPF_ANY);
+	}
+
+	read_trace_pipe();
+
+cleanup:
+	bpf_link__destroy(link);
+	bpf_object__close(obj);
+	return 0;
+}
