Why does my BPF program not find any info? Did I choose the wrong kfunc?
I use kprobe/do_sys_open to observe something. I wrote a demo that opens a file and reads it. I thought that when I execute this demo, the BPF program would find these actions, but from bpf_trace_printk I can't find any info about my demo. Did I choose the wrong kernel function? Or what?
bpf_program.c
#include <linux/bpf.h>
#include <linux/ptrace.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

char LICENSE[] SEC("license") = "GPL";   /* bpf_trace_printk is GPL-only */

SEC("kprobe/do_sys_open")
int bpf_program(struct pt_regs *ctx)
{
    __u32 pid = bpf_get_current_pid_tgid() >> 32;   /* upper 32 bits: tgid */
    char comm[16] = "";
    char path[64] = "";
    bpf_get_current_comm(comm, sizeof(comm));
    /* do_sys_open(int dfd, const char __user *filename, int flags, umode_t mode):
     * the filename is a user-space pointer, so copy it in before printing it. */
    const char *pathname = (const char *)PT_REGS_PARM2(ctx);
    bpf_probe_read_user_str(path, sizeof(path), pathname);
    char fmt[] = "@pid='%d' @pathname='%s' @comm='%s'";
    bpf_trace_printk(fmt, sizeof(fmt), pid, path, comm);
    return 0;
}
openfile.c
#include <stdio.h>
#include <unistd.h>

int main(void)
{
    FILE *fp;
    char buff[255];

    printf("Pid %d\n", getpid());        /* print the pid to look for in trace output */
    fp = fopen("./test.c", "r");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }
    if (fscanf(fp, "%254s", buff) == 1)  /* bounded read: 254 chars + NUL fit in buff */
        printf("Read: [%s]\n", buff);
    getchar();                           /* pause so the process stays alive while tracing */
    fclose(fp);
    return 0;
}
The actual syscall involved in your demo is probably openat(); I'd try hooking on kprobe/do_sys_openat2 instead of kprobe/do_sys_open.

See how opensnoop in BCC, for example, hooks to both open and openat to catch calls to both (using the syscall tracepoints rather than kprobes, but the principle is the same).
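A pre-flight check for the advice above, written as an added example (my own shell script, not code from the question, the answer, or BCC): before attaching a kprobe, read the kernel's list of kprobe-attachable functions from tracefs (available_filter_functions) and pick do_sys_openat2 when it exists (kernels 5.6 and later, where open, openat and openat2 all pass through it), falling back to do_sys_open on older kernels; then list which open-family syscall tracepoints, the ones opensnoop-style tools hook, are present. The tracefs path defaults to /sys/kernel/debug/tracing; the TRACEFS variable and the two function names are mine, and both functions take the list or events directory as an argument so they can be exercised on a constructed file.

```shell
#!/bin/sh
# Added example: choose a kprobe target for the open path and list the
# available open-family syscall tracepoints. Not part of the original post.
TRACEFS="${TRACEFS:-/sys/kernel/debug/tracing}"   # assumed default tracefs mount

# pick_open_hook FILE
#   FILE has one function name per line, like tracefs available_filter_functions
#   (core kernel functions are bare names; module functions carry " [mod]").
#   Prints the preferred kprobe target: do_sys_openat2 if the kernel has it,
#   otherwise do_sys_open. Returns 1 (prints nothing) if neither is attachable,
#   e.g. because the function was inlined and has no probe point.
pick_open_hook() {
    list="$1"
    for fn in do_sys_openat2 do_sys_open; do
        if grep -qx "$fn" "$list"; then
            printf '%s\n' "$fn"
            return 0
        fi
    done
    return 1
}

# open_tracepoints EVENTS_DIR
#   Prints "syscalls:<name>" for each open-family sys_enter tracepoint that
#   exists under EVENTS_DIR/syscalls (the tracefs events directory layout).
open_tracepoints() {
    events="$1"
    for d in "$events/syscalls/sys_enter_open" \
             "$events/syscalls/sys_enter_openat" \
             "$events/syscalls/sys_enter_openat2"; do
        [ -d "$d" ] && printf 'syscalls:%s\n' "$(basename "$d")"
    done
    return 0
}

# Stand-alone use: inspect the running kernel (needs a readable tracefs).
if [ -r "$TRACEFS/available_filter_functions" ]; then
    echo "kprobe target: $(pick_open_hook "$TRACEFS/available_filter_functions" || echo none)"
    open_tracepoints "$TRACEFS/events"
else
    echo "tracefs not readable at $TRACEFS (run as root with debugfs mounted)" >&2
fi
```

If pick_open_hook prints none, a kprobe on either name cannot be attached on that kernel and the syscall tracepoints are the stable choice; if it prints do_sys_openat2, a kprobe on do_sys_open may still attach yet never see the openat() that fopen() issues, which is the situation in the question.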