[PATCH v1 2/7] perf trace: Etcsnoop fix libbpf 1.0+ compatibility
From: Ian Rogers
Date: Thu Nov 03 2022 - 00:55:16 EST
Don't use deprecated and now broken map style. Avoid use of
tools/perf/include/bpf/bpf.h and use the more regular BPF headers.
Add "< 0" checks to fix BPF verifier failures about potentially
negative values being passed to bpf_perf_event_output. Add a
raw_syscalls:sys_enter to avoid the evlist being empty and causing
perf trace to exit during argument parsing.
Signed-off-by: Ian Rogers <irogers@xxxxxxxxxx>
---
tools/perf/examples/bpf/etcsnoop.c | 41 ++++++++++++++++++++++++------
1 file changed, 33 insertions(+), 8 deletions(-)
diff --git a/tools/perf/examples/bpf/etcsnoop.c b/tools/perf/examples/bpf/etcsnoop.c
index e81b535346c0..a04109d9b2b5 100644
--- a/tools/perf/examples/bpf/etcsnoop.c
+++ b/tools/perf/examples/bpf/etcsnoop.c
@@ -5,7 +5,7 @@
*
* Test it with:
*
- * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
+ * perf trace -e tools/perf/examples/bpf/etcsnoop.c cat /etc/passwd > /dev/null
*
* It'll catch some openat syscalls related to the dynamic linked and
* the last one should be the one for '/etc/passwd'.
@@ -19,10 +19,17 @@
* tools/perf/include/bpf/stdio.h.
*/
-#include <stdio.h>
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
/* bpf-output associated map */
-bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__);
+struct __augmented_syscalls__ {
+ __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+ __type(key, int);
+ __type(value, __u32);
+ __uint(max_entries, __NR_CPUS__);
+} __augmented_syscalls__ SEC(".maps");
+
struct augmented_filename {
int size;
@@ -30,6 +37,9 @@ struct augmented_filename {
char value[64];
};
+#define syscall_enter(name) \
+ SEC("!syscalls:sys_enter_" #name) syscall_enter_ ## name
+
#define augmented_filename_syscall_enter(syscall) \
struct augmented_enter_##syscall##_args { \
struct syscall_enter_##syscall##_args args; \
@@ -39,17 +49,25 @@ int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \
{ \
char etc[6] = "/etc/"; \
struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; \
- probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \
- augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, \
+ long size; \
+ \
+ if (bpf_probe_read(&augmented_args.args, sizeof(augmented_args.args), args) < 0) \
+ return -1; \
+ \
+ size = bpf_probe_read_str(&augmented_args.filename.value, \
sizeof(augmented_args.filename.value), \
args->filename_ptr); \
+ if (size < 0) \
+ return -1; \
+ \
+ augmented_args.filename.size = size; \
if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0) \
return 0; \
/* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \
- return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \
+ return bpf_perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \
&augmented_args, \
(sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \
- augmented_args.filename.size)); \
+ size)); \
}
struct syscall_enter_openat_args {
@@ -73,4 +91,11 @@ struct syscall_enter_open_args {
augmented_filename_syscall_enter(open);
-license(GPL);
+struct syscall_enter_args;
+
+SEC("raw_syscalls:sys_enter")
+int sys_enter(struct syscall_enter_args *args)
+{
+ return 0;
+}
+char _license[] SEC("license") = "GPL";
--
2.38.1.273.g43a17bfeac-goog