Diffstat (limited to 'tools/perf/examples/bpf/augmented_raw_syscalls.c')
-rw-r--r--tools/perf/examples/bpf/augmented_raw_syscalls.c100
1 files changed, 49 insertions, 51 deletions
diff --git a/tools/perf/examples/bpf/augmented_raw_syscalls.c b/tools/perf/examples/bpf/augmented_raw_syscalls.c
index 79787cf4fce9..b80437971d80 100644
--- a/tools/perf/examples/bpf/augmented_raw_syscalls.c
+++ b/tools/perf/examples/bpf/augmented_raw_syscalls.c
@@ -60,7 +60,7 @@ struct syscall_exit_args {
long ret;
};
-struct augmented_filename {
+struct augmented_arg {
unsigned int size;
int err;
char value[PATH_MAX];
@@ -72,41 +72,52 @@ struct augmented_args_payload {
struct syscall_enter_args args;
union {
struct {
- struct augmented_filename filename,
- filename2;
+ struct augmented_arg arg, arg2;
};
struct sockaddr_storage saddr;
};
};
+// We need more tmp space than the BPF stack can give us
bpf_map(augmented_args_tmp, PERCPU_ARRAY, int, struct augmented_args_payload, 1);
+static inline struct augmented_args_payload *augmented_args_payload(void)
+{
+ int key = 0;
+ return bpf_map_lookup_elem(&augmented_args_tmp, &key);
+}
+
+static inline int augmented__output(void *ctx, struct augmented_args_payload *args, int len)
+{
+ /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
+ return perf_event_output(ctx, &__augmented_syscalls__, BPF_F_CURRENT_CPU, args, len);
+}
+
static inline
-unsigned int augmented_filename__read(struct augmented_filename *augmented_filename,
- const void *filename_arg, unsigned int filename_len)
+unsigned int augmented_arg__read_str(struct augmented_arg *augmented_arg, const void *arg, unsigned int arg_len)
{
- unsigned int len = sizeof(*augmented_filename);
- int size = probe_read_str(&augmented_filename->value, filename_len, filename_arg);
+ unsigned int augmented_len = sizeof(*augmented_arg);
+ int string_len = probe_read_str(&augmented_arg->value, arg_len, arg);
- augmented_filename->size = augmented_filename->err = 0;
+ augmented_arg->size = augmented_arg->err = 0;
/*
* probe_read_str may return < 0, e.g. -EFAULT
- * So we leave that in the augmented_filename->size that userspace will
+ * So we leave that in the augmented_arg->size that userspace will
*/
- if (size > 0) {
- len -= sizeof(augmented_filename->value) - size;
- len &= sizeof(augmented_filename->value) - 1;
- augmented_filename->size = size;
+ if (string_len > 0) {
+ augmented_len -= sizeof(augmented_arg->value) - string_len;
+ augmented_len &= sizeof(augmented_arg->value) - 1;
+ augmented_arg->size = string_len;
} else {
/*
* So that username notice the error while still being able
* to skip this augmented arg record
*/
- augmented_filename->err = size;
- len = offsetof(struct augmented_filename, value);
+ augmented_arg->err = string_len;
+ augmented_len = offsetof(struct augmented_arg, value);
}
- return len;
+ return augmented_len;
}
SEC("!raw_syscalls:unaugmented")
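Review bot: In augmented_arg__read_str the line `augmented_len &= sizeof(augmented_arg->value) - 1;` wraps rather than clamps, and nothing in the hunk documents that. After the subtraction augmented_len equals offsetof(value) + string_len, so for a string within a few bytes of sizeof(value) the returned length wraps to a small number while `size` still holds the full string_len. Userspace is then told about more string bytes than the record carries, so the consumer should check `size` against the record length before reading `value`. I would at least add above the mask `/* presumably bounds augmented_len for the verifier; it wraps, so size can exceed the bytes emitted for near-PATH_MAX strings */`. The surrounding comments also trail off at `userspace will` and say `username` where `userspace` seems meant.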
@@ -124,8 +135,7 @@ int syscall_unaugmented(struct syscall_enter_args *args)
SEC("!syscalls:sys_enter_connect")
int sys_enter_connect(struct syscall_enter_args *args)
{
- int key = 0;
- struct augmented_args_payload *augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
+ struct augmented_args_payload *augmented_args = augmented_args_payload();
const void *sockaddr_arg = (const void *)args->args[1];
unsigned int socklen = args->args[2];
unsigned int len = sizeof(augmented_args->args);
@@ -138,15 +148,13 @@ int sys_enter_connect(struct syscall_enter_args *args)
probe_read(&augmented_args->saddr, socklen, sockaddr_arg);
- /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, augmented_args, len + socklen);
+ return augmented__output(args, augmented_args, len + socklen);
}
SEC("!syscalls:sys_enter_sendto")
int sys_enter_sendto(struct syscall_enter_args *args)
{
- int key = 0;
- struct augmented_args_payload *augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
+ struct augmented_args_payload *augmented_args = augmented_args_payload();
const void *sockaddr_arg = (const void *)args->args[4];
unsigned int socklen = args->args[5];
unsigned int len = sizeof(augmented_args->args);
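Review bot: The result of `probe_read(&augmented_args->saddr, socklen, sockaddr_arg);` is discarded just before the new `return augmented__output(args, augmented_args, len + socklen);`, so a faulting sockaddr pointer still produces an augmented record of len + socklen bytes. Unlike the string path, which reports failure through `err`, userspace has no way to tell that the sockaddr bytes were not actually read. Consider `if (probe_read(&augmented_args->saddr, socklen, sockaddr_arg) != 0) return 1;` so the syscall is recorded unaugmented, in line with the other failure returns in this file. The same applies to sys_enter_sendto in the next hunk. sys_enter_connect begins in the previous hunk and any bound on socklen is not visible here.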
@@ -159,49 +167,43 @@ int sys_enter_sendto(struct syscall_enter_args *args)
probe_read(&augmented_args->saddr, socklen, sockaddr_arg);
- /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, augmented_args, len + socklen);
+ return augmented__output(args, augmented_args, len + socklen);
}
SEC("!syscalls:sys_enter_open")
int sys_enter_open(struct syscall_enter_args *args)
{
- int key = 0;
- struct augmented_args_payload *augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
+ struct augmented_args_payload *augmented_args = augmented_args_payload();
const void *filename_arg = (const void *)args->args[0];
unsigned int len = sizeof(augmented_args->args);
if (augmented_args == NULL)
return 1; /* Failure: don't filter */
- len += augmented_filename__read(&augmented_args->filename, filename_arg, sizeof(augmented_args->filename.value));
+ len += augmented_arg__read_str(&augmented_args->arg, filename_arg, sizeof(augmented_args->arg.value));
- /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, augmented_args, len);
+ return augmented__output(args, augmented_args, len);
}
SEC("!syscalls:sys_enter_openat")
int sys_enter_openat(struct syscall_enter_args *args)
{
- int key = 0;
- struct augmented_args_payload *augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
+ struct augmented_args_payload *augmented_args = augmented_args_payload();
const void *filename_arg = (const void *)args->args[1];
unsigned int len = sizeof(augmented_args->args);
if (augmented_args == NULL)
return 1; /* Failure: don't filter */
- len += augmented_filename__read(&augmented_args->filename, filename_arg, sizeof(augmented_args->filename.value));
+ len += augmented_arg__read_str(&augmented_args->arg, filename_arg, sizeof(augmented_args->arg.value));
- /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, augmented_args, len);
+ return augmented__output(args, augmented_args, len);
}
SEC("!syscalls:sys_enter_rename")
int sys_enter_rename(struct syscall_enter_args *args)
{
- int key = 0;
- struct augmented_args_payload *augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
+ struct augmented_args_payload *augmented_args = augmented_args_payload();
const void *oldpath_arg = (const void *)args->args[0],
*newpath_arg = (const void *)args->args[1];
unsigned int len = sizeof(augmented_args->args), oldpath_len;
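Review bot: The callers in this hunk pass an `unsigned int len` to augmented__output, whose new prototype takes `int len`, so every call converts unsigned to signed implicitly on a value partly derived from probe_read_str results. Declaring the helper as `static inline int augmented__output(void *ctx, struct augmented_args_payload *args, unsigned int len)` keeps the length type consistent from the callers down to perf_event_output. sys_enter_sendto starts in the previous hunk and sys_enter_rename continues into the next one.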
@@ -209,18 +211,16 @@ int sys_enter_rename(struct syscall_enter_args *args)
if (augmented_args == NULL)
return 1; /* Failure: don't filter */
- oldpath_len = augmented_filename__read(&augmented_args->filename, oldpath_arg, sizeof(augmented_args->filename.value));
- len += oldpath_len + augmented_filename__read((void *)(&augmented_args->filename) + oldpath_len, newpath_arg, sizeof(augmented_args->filename.value));
+ oldpath_len = augmented_arg__read_str(&augmented_args->arg, oldpath_arg, sizeof(augmented_args->arg.value));
+ len += oldpath_len + augmented_arg__read_str((void *)(&augmented_args->arg) + oldpath_len, newpath_arg, sizeof(augmented_args->arg.value));
- /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, augmented_args, len);
+ return augmented__output(args, augmented_args, len);
}
SEC("!syscalls:sys_enter_renameat")
int sys_enter_renameat(struct syscall_enter_args *args)
{
- int key = 0;
- struct augmented_args_payload *augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
+ struct augmented_args_payload *augmented_args = augmented_args_payload();
const void *oldpath_arg = (const void *)args->args[1],
*newpath_arg = (const void *)args->args[3];
unsigned int len = sizeof(augmented_args->args), oldpath_len;
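Review bot: The second augmented_arg__read_str call in sys_enter_rename writes at `(void *)(&augmented_args->arg) + oldpath_len` rather than through `arg2`, and nothing here says why that stays inside the payload. From the visible code it holds only because oldpath_len is either masked below sizeof(arg.value) or set to offsetof(value), so one more struct augmented_arg always fits inside arg + arg2. I would record that next to the call, e.g. `/* newpath is packed right after oldpath; oldpath_len < sizeof(arg.value), so this stays within arg + arg2 */`, because a later change to the mask would silently break the bound. The arithmetic on `void *` is also a GNU extension; a `char *` cast would make the byte offset explicit. sys_enter_renameat in the next hunk has the same pattern, and sys_enter_rename begins in the previous hunk.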
@@ -228,11 +228,10 @@ int sys_enter_renameat(struct syscall_enter_args *args)
if (augmented_args == NULL)
return 1; /* Failure: don't filter */
- oldpath_len = augmented_filename__read(&augmented_args->filename, oldpath_arg, sizeof(augmented_args->filename.value));
- len += oldpath_len + augmented_filename__read((void *)(&augmented_args->filename) + oldpath_len, newpath_arg, sizeof(augmented_args->filename.value));
+ oldpath_len = augmented_arg__read_str(&augmented_args->arg, oldpath_arg, sizeof(augmented_args->arg.value));
+ len += oldpath_len + augmented_arg__read_str((void *)(&augmented_args->arg) + oldpath_len, newpath_arg, sizeof(augmented_args->arg.value));
- /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, augmented_args, len);
+ return augmented__output(args, augmented_args, len);
}
SEC("raw_syscalls:sys_enter")
@@ -250,15 +249,14 @@ int sys_enter(struct syscall_enter_args *args)
*/
unsigned int len = sizeof(augmented_args->args);
struct syscall *syscall;
- int key = 0;
-
- augmented_args = bpf_map_lookup_elem(&augmented_args_tmp, &key);
- if (augmented_args == NULL)
- return 1;
if (pid_filter__has(&pids_filtered, getpid()))
return 0;
+ augmented_args = augmented_args_payload();
+ if (augmented_args == NULL)
+ return 1;
+
probe_read(&augmented_args->args, sizeof(augmented_args->args), args);
/*