forked from cilium/ebpf
-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.go
120 lines (102 loc) · 3.48 KB
/
main.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
// This program demonstrates how to attach an eBPF program to a tracepoint.
// The program is attached to the syscall/sys_enter_openat tracepoint and
// prints out the integer 123 every time the syscall is entered.
package main
import (
"errors"
"log"
"os"
"os/signal"
"syscall"
"github.com/cilium/ebpf"
"github.com/cilium/ebpf/asm"
"github.com/cilium/ebpf/link"
"github.com/cilium/ebpf/perf"
"github.com/cilium/ebpf/rlimit"
)
// Metadata for the eBPF program used in this example.
var progSpec = &ebpf.ProgramSpec{
Name: "my_trace_prog", // non-unique name, will appear in `bpftool prog list` while attached
Type: ebpf.TracePoint, // only TracePoint programs can be attached to trace events created by link.Tracepoint()
License: "GPL", // license must be GPL for calling kernel helpers like perf_event_output
}
func main() {
// Subscribe to signals for terminating the program.
stopper := make(chan os.Signal, 1)
signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)
// Allow the current process to lock memory for eBPF resources.
if err := rlimit.RemoveMemlock(); err != nil {
log.Fatal(err)
}
// Create a perf event array for the kernel to write perf records to.
// These records will be read by userspace below.
events, err := ebpf.NewMap(&ebpf.MapSpec{
Type: ebpf.PerfEventArray,
Name: "my_perf_array",
})
if err != nil {
log.Fatalf("creating perf event array: %s", err)
}
defer events.Close()
// Open a perf reader from userspace into the perf event array
// created earlier.
rd, err := perf.NewReader(events, os.Getpagesize())
if err != nil {
log.Fatalf("creating event reader: %s", err)
}
defer rd.Close()
// Close the reader when the process receives a signal, which will exit
// the read loop.
go func() {
<-stopper
rd.Close()
}()
// Minimal program that writes the static value '123' to the perf ring on
// each event. Note that this program refers to the file descriptor of
// the perf event array created above, which needs to be created prior to the
// program being verified by and inserted into the kernel.
progSpec.Instructions = asm.Instructions{
// store the integer 123 at FP[-8]
asm.Mov.Imm(asm.R2, 123),
asm.StoreMem(asm.RFP, -8, asm.R2, asm.Word),
// load registers with arguments for call of FnPerfEventOutput
asm.LoadMapPtr(asm.R2, events.FD()), // file descriptor of the perf event array
asm.LoadImm(asm.R3, 0xffffffff, asm.DWord),
asm.Mov.Reg(asm.R4, asm.RFP),
asm.Add.Imm(asm.R4, -8),
asm.Mov.Imm(asm.R5, 4),
// call FnPerfEventOutput, an eBPF kernel helper
asm.FnPerfEventOutput.Call(),
// set exit code to 0
asm.Mov.Imm(asm.R0, 0),
asm.Return(),
}
// Instantiate and insert the program into the kernel.
prog, err := ebpf.NewProgram(progSpec)
if err != nil {
log.Fatalf("creating ebpf program: %s", err)
}
defer prog.Close()
// Open a trace event based on a pre-existing kernel hook (tracepoint).
// Each time a userspace program uses the 'openat()' syscall, the eBPF
// program specified above will be executed and a '123' value will appear
// in the perf ring.
tp, err := link.Tracepoint("syscalls", "sys_enter_openat", prog, nil)
if err != nil {
log.Fatalf("opening tracepoint: %s", err)
}
defer tp.Close()
log.Println("Waiting for events..")
for {
record, err := rd.Read()
if err != nil {
if errors.Is(err, perf.ErrClosed) {
log.Println("Received signal, exiting..")
return
}
log.Printf("reading from reader: %s", err)
continue
}
log.Println("Record:", record)
}
}