
Why doesn't my bpf program find any info? Did I choose the wrong kfunc?

I use kprobe/do_sys_open to observe something. I wrote a demo that opens a file and reads it. I thought that when I execute this demo, the bpf program could catch these actions, but from bpf_trace_printk I can't find any info about my demo. Did I choose the wrong kernel function? Or what?

bpf_program.c

#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

char LICENSE[] SEC("license") = "GPL";   /* bpf_trace_printk requires a GPL-compatible license */

SEC("kprobe/do_sys_open")
int bpf_program(struct pt_regs *ctx)
{
    __u32 pid = bpf_get_current_pid_tgid() >> 32;   /* upper 32 bits are the tgid, i.e. the user-space pid */
    char msg[16] = "";
    bpf_get_current_comm(msg, sizeof(msg));
    // u32 uid = bpf_get_current_uid_gid();

    // const int dirfd = PT_REGS_PARM1(ctx);
    /* the second argument is a user-space pointer: copy the string onto the BPF stack before printing it */
    const char *pathname = (const char *)PT_REGS_PARM2(ctx);
    char path[64] = "";
    bpf_probe_read_user_str(path, sizeof(path), pathname);
    char fmt[] = "@pid='%d' @pathname='%s' @comm='%s'";

    bpf_trace_printk(fmt, sizeof(fmt), pid, path, msg);

    return 0;
}

openfile.c

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    FILE *fp;
    char buff[255];

    printf("Pid %d\n", getpid());

    fp = fopen("./test.c", "r");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }

    /* the width limit keeps the read inside buff */
    if (fscanf(fp, "%254s", buff) == 1)
        printf("Read: [%s]\n", buff);

    getchar();   /* keep the process alive so its pid can be matched against the trace output */

    fclose(fp);

    return 0;
}

The actual syscall involved in your demo is probably openat(); I'd try hooking on kprobe/do_sys_openat2 instead of kprobe/do_sys_open.

See how opensnoop in BCC, for example, hooks both open and openat to catch calls to either (using the syscall tracepoints rather than kprobes, but the principle is the same).
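The answer's first point, that fopen() in the demo really ends up in openat(), is worth checking before choosing a hook. The following added example (not part of the question or the answer) traces a child that calls fopen() with ptrace and counts open versus openat syscall entries; it assumes Linux 5.3+ and glibc 2.30+ for PTRACE_GET_SYSCALL_INFO, and the path /dev/null is just a constructed sample input.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

struct open_counts {
    int traced;        /* 0 when ptrace was not permitted in this environment */
    int open_calls;    /* entries into open(2) */
    int openat_calls;  /* entries into openat(2) */
};

/* Fork a child that fopen()s `path`, trace it, and count its open/openat syscall entries. */
struct open_counts count_open_syscalls(const char *path)
{
    struct open_counts c = {0, 0, 0};
    pid_t child = fork();
    if (child < 0) return c;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(2);  /* tracing refused */
        raise(SIGSTOP);               /* pause until the parent has set its options */
        FILE *fp = fopen(path, "r");
        if (fp) fclose(fp);
        _exit(0);
    }
    int status;
    waitpid(child, &status, 0);
    if (!WIFSTOPPED(status)) return c;   /* child exited early: ptrace unavailable */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    c.traced = 1;
    for (;;) {
        ptrace(PTRACE_SYSCALL, child, NULL, NULL);   /* run to the next syscall stop */
        waitpid(child, &status, 0);
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        if (!WIFSTOPPED(status) || WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                 /* not a syscall stop (TRACESYSGOOD marks those) */
        struct __ptrace_syscall_info info;
        if (ptrace(PTRACE_GET_SYSCALL_INFO, child, (void *)sizeof info, &info) < 0
            || info.op != PTRACE_SYSCALL_INFO_ENTRY)
            continue;                 /* count syscall entries only, not exits */
        if (info.entry.nr == SYS_openat)
            c.openat_calls++;
#ifdef SYS_open
        else if (info.entry.nr == SYS_open)
            c.open_calls++;
#endif
    }
    return c;
}
```

When ptrace is blocked (for example by a container's seccomp policy), `traced` stays 0 instead of reporting a misleading zero count.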
