读取eBPF跟踪点参数
读取eBPF跟踪点参数
提问于 2020-11-21 15:22:19
假设我有一个跟踪点eBPF探针,它连接到chown函数中。
SEC("tracepoint/syscalls/sys_enter_chown")
int bpf_prog(void *ctx) {
// someone changed ownership of a file
char msg[] = "Ownership change of file!";
bpf_trace_printk(msg, sizeof(msg));
}如何访问呼叫的上下文?例如,如果我想打印出更改所有权的文件或新所有者,怎么办?
回答 1
Stack Overflow用户
回答已采纳
发布于 2020-11-23 10:52:17
TL;博士在sys_enter_chown的案例中,您的ctx论点将具有如下结构:
struct syscalls_enter_chown_args {
unsigned long long unused;
long syscall_nr;
long filename_ptr;
long user;
long group;
};正如这就是答案指出的,在内核中记录了跟踪点挂钩。您可以在sys_enter_chown的/sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format上找到对其参数的完整描述。
# cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_chown/format
name: sys_enter_chown
ID: 625
format:
field:unsigned short common_type; offset:0; size:2; signed:0;
field:unsigned char common_flags; offset:2; size:1; signed:0;
field:unsigned char common_preempt_count; offset:3; size:1; signed:0;
field:int common_pid; offset:4; size:4; signed:1;
field:int __syscall_nr; offset:8; size:4; signed:1;
field:const char * filename; offset:16; size:8; signed:0;
field:uid_t user; offset:24; size:8; signed:0;
field:gid_t group; offset:32; size:8; signed:0;
print fmt: "filename: 0x%08lx, user: 0x%08lx, group: 0x%08lx", ((unsigned long)(REC->filename)), ((unsigned long)(REC->user)), ((unsigned long)(REC->group))您还可以在内核示例中检查示例BPF跟踪点程序。它实现了您要寻找的东西,但适用于sys_enter_open。
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/64944729
复制相关文章
相似问题
腾讯云开发者
