expend_code

Signed-off-by: shangfan <[email protected]>
sf1999817 · May 10, 2024 · 3a7be6e · 3a7be6e
1 parent ae2afbc
commit 3a7be6e
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 54 deletions.
diff --git a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.bpf.c
@@ -17,60 +17,44 @@ struct {
 	__uint(max_entries,256 * 1024);
 } rb SEC(".maps");
 
-
-SEC("kprobe/do_sys_openat2")
-int BPF_KPROBE(do_sys_openat2)
+SEC("kretprobe/do_sys_openat2")
+int BPF_KRETPROBE(do_sys_openat2_exit,long fd)
 {
-  int value = 1;
   struct fs_t *e;
   pid_t pid;
-
+ 
   pid = bpf_get_current_pid_tgid() >> 32;
-  int fd = PT_REGS_RC(ctx);
-  if(fd >= 0){
-    //将PID和文件描述符存入哈希映射
-    e->fd = fd;
-    bpf_map_update_elem(&data,&pid,&value,BPF_ANY);
-  }
-  return 0;
+  bpf_printk("pid = %d",pid);
+
+  e = bpf_ringbuf_reserve(&rb,sizeof(*e),0);
+  if(!e)
+    return 0;
+
+  bpf_map_update_elem(&data,&pid,&fd,BPF_ANY);
+  bpf_ringbuf_submit(e,0);
 }
 
 SEC("kprobe/vfs_write")
-
-int kprobe_vfs_write(struct pt_regs *ctx)
+int BPF_KPROBE(vfs_write)
 {
-  struct file *filp;
-  pid_t pid;
   struct fs_t *e;
   int *fd_ptr;
+  pid_t pid;
 
-  //探测的是第一个参数，文件指针
-  filp = PT_REGS_PARM1(ctx);
-
-  //探测的是第三个参数，要写入的字节数
-  size_t count = (size_t)PT_REGS_PARM3(ctx);
-
-  //这是vfs_write的返回值，它是一个实际写入的字节数
-  size_t real_count = PT_REGS_RC(ctx);
-
   pid = bpf_get_current_pid_tgid() >> 32;
-
-  //获取文件描述符指针
-  fd_ptr = bpf_map_lookup_elem(&data,&pid);
 
-  e = bpf_ringbuf_reserve(&rb,sizeof(*e),0);
+  fd_ptr = bpf_map_lookup_elem(&data,&pid);
 
+  e = bpf_ringbuf_reserve(&rb,sizeof(*e),0);
   if(!e)
     return 0;
 
-  //如果探测到的指针不为空
   if(fd_ptr){
-    int fd = *fd_ptr;
-    e->fd = fd;
-    e->real_count = real_count;
-    e->count = count;
+    int fd_value = *fd_ptr;
+    e->fd = fd_value;
     e->pid = pid;
-  }
+  } 
   bpf_ringbuf_submit(e,0);
   return 0;
-}
+}
+
diff --git a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.c b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.c
@@ -7,7 +7,6 @@
 #include "write.h"
 #include "write.skel.h"
 
-#define PATH_MAX 128
 
 static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
 {
@@ -27,19 +26,10 @@ static int write_event(void *ctx, void *data, size_t data_sz)
     struct tm *tm;
     char ts[32];
     time_t t;
-	char path[PATH_MAX];
     time(&t);
     tm = localtime(&t);
     strftime(ts, sizeof(ts), "%H:%M:%S", tm);
-	//获取文件真实路径
-	snprintf(path,sizeof(path),"/proc/self/fd/%d",e->fd);
-	//通过realpath来合并文件路径
-	char *real_path = realpath(path,NULL);
-	if(real_path != NULL){
-		printf("%-8s  %-7d  %-7ld  %-7ld   %-7s\n", ts, e->pid,e->real_count,e->count,real_path);
-		free(real_path);
-	}
-
+	printf("%-8s  %-7ld %-7ld\n", ts, e->pid,e->fd);
     return 0;
 }
 
@@ -87,7 +77,7 @@ int main(int argc, char **argv)
 	}
 
     /* Process events */
-	printf("%-8s  %-7s   %-7s  %-7s  %-7s  %-7s\n", "TIME", "PID","Real_Count","Count","Real_Path");
+	// printf("%-8s  %-7s   %-7s  %-7s  %-7s  %-7s\n", "TIME", "PID","Count","Real_Path");
 	while (!exiting) {
 		err = ring_buffer__poll(rb, 100 /* timeout, ms */);
 		/* Ctrl-C will cause -EINTR */
@@ -102,9 +92,17 @@ int main(int argc, char **argv)
 		}
 	}
 
+	// printf("Successfully started! Please run `sudo cat /sys/kernel/debug/tracing/trace_pipe` to see output of the BPF programs.\n");
+	// for (;;) {
+	// 	/* trigger our BPF program */
+	// 	fprintf(stderr, ".");
+	// 	sleep(1);
+	// }
+
 cleanup:
 	/* Clean up */
 	ring_buffer__free(rb);
 	write_bpf__destroy(skel);
+
 	return err < 0 ? -err : 0;
 }
diff --git a/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.h b/eBPF_Supermarket/Filesystem_Subsystem/fs_watcher/write.h
@@ -1,13 +1,9 @@
 #ifndef __WRITE_H
 #define __WRITE_H
-
-//获取vfs_write各个参数信息
+// #define PATH_MAX 256
 struct fs_t {
     int fd;
-    int pid;
-
-    size_t real_count;
-    size_t count;
+    pid_t pid;
 };
 
 #endif /* __WRITE_H */