fs_watcher增加-p参数，用于监控指定pid的写操作

MagicEyes/src/backend/fs/fs_watcher/bpf/write.bpf.c

@@ -18,15 +18,33 @@ struct {
 	__uint(max_entries,256 * 1024);
 } rb SEC(".maps");
 
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 256 * 1024);
+	__type(key, u32);
+	__type(value, struct dist_args);
+} args_map SEC(".maps");
 
 SEC("kprobe/vfs_write")
 int kprobe_vfs_write(struct pt_regs *ctx)
 {
   pid_t pid;
+  int index = 0;
   struct fs_t *e;
   unsigned long inode_number;//定义用于存储inode号码的变量
 
-   //探测的是第一个参数，文件指针,读取inode_number
+  struct dist_args *d_args = bpf_map_lookup_elem(&args_map, &index);
+  if (d_args == NULL){
+    bpf_printk("Failed to look args\n");
+    return 0;
+  }
+
+  pid = bpf_get_current_pid_tgid() >> 32;
+  if (d_args->pid > 0 && d_args->pid != pid) {
+    return 0;
+  }
+
+  //探测的是第一个参数，文件指针,读取inode_number
   struct file *filp = (struct file *)PT_REGS_PARM1(ctx);  
   struct dentry *dentry = BPF_CORE_READ(filp,f_path.dentry);
   if(!dentry){
@@ -42,11 +60,10 @@ int kprobe_vfs_write(struct pt_regs *ctx)
 
   //探测的是第三个参数，要写入的字节数
   size_t count = (size_t)PT_REGS_PARM3(ctx);
-  
+
   //这是vfs_write的返回值，它是一个实际写入的字节数
   size_t real_count = PT_REGS_RC(ctx);
-
-  pid = bpf_get_current_pid_tgid() >> 32;
+
   e = bpf_ringbuf_reserve(&rb,sizeof(*e),0); 
   if(!e)
     return 0;

MagicEyes/src/backend/fs/fs_watcher/include/fs_watcher.h

@@ -58,4 +58,8 @@ struct event_CacheTrack{
     unsigned long flags;    // inode 标志
 };
 
+/*send pid to ebpf*/
+struct dist_args {
+    pid_t pid;
+};
 #endif /* __MEM_WATCHER_H */

MagicEyes/src/backend/fs/fs_watcher/src/fs_watcher.c

@@ -105,13 +105,15 @@ static struct env{
     bool disk_io_visit;
     bool block_rq_issue;
     bool CacheTrack;
+    pid_t pid;
 }env = {
     .open = false,
     .read = false,
     .write = false,
     .disk_io_visit = false,
     .block_rq_issue = false,
     .CacheTrack = false,
+    .pid = -1,
 };
 
 static const struct argp_option opts[] = {
@@ -121,6 +123,7 @@ static const struct argp_option opts[] = {
     {"disk_io_visit", 'd', 0, 0, "Print disk I/O visit report"},
     {"block_rq_issue", 'b', 0, 0, "Print block I/O request submission events. Reports when block I/O requests are submitted to device drivers."},
     {"CacheTrack", 't' , 0 ,0 , "WriteBack dirty lagency and other information"},
+    {"pid", 'p', "PID", 0, "Specify pid number when report weite. Only support for write report now"},
     {0} // 结束标记，用于指示选项列表的结束
 };
 
@@ -139,7 +142,19 @@ static error_t parse_arg(int key, char *arg, struct argp_state *state) {
         env.block_rq_issue = true;break;
         case 't':
         env.CacheTrack = true;break;
-        default: 
+        case 'p':
+        if (arg) {
+            env.pid = atoi(arg);
+            if (env.pid <= 0) {
+                fprintf(stderr, "Invalid PID value: %s\n", arg);
+                argp_usage(state);
+            }
+        } else {
+            fprintf(stderr, "-p option requires an argument\n");
+            argp_usage(state);
+        }
+        break;
+        default:
             return ARGP_ERR_UNKNOWN;
     }
     return 0;
@@ -351,9 +366,21 @@ static int process_read(struct read_bpf *skel_read){
 static int process_write(struct write_bpf *skel_write){
     int err;
     struct ring_buffer *rb;
-
+    int arg_index = 0;
+
+    struct dist_args d_args = {-1};
+
     LOAD_AND_ATTACH_SKELETON(skel_write,write);
 
+    d_args.pid = env.pid;
+    struct bpf_map *arg_map = bpf_object__find_map_by_name((const struct bpf_object *)*(skel_write->skeleton->obj), "args_map");
+    err = bpf_map__update_elem(arg_map, &arg_index, sizeof(arg_index), &d_args, sizeof(d_args), BPF_ANY);
+
+    if (err < 0) {
+        fprintf(stderr, "ERROR: failed to update args map\n");
+        goto write_cleanup;
+    }
+
     printf("%-8s    %-8s    %-8s    %-8s    %-8s\n","ds","inode_number","pid","real_count","count");
     POLL_RING_BUFFER(rb, 1000, err);