Why doesn't my bpf program find any info? Did I choose the wrong kfunc?

I use kprobe/do_sys_open to observe something. I wrote a demo that opens a file and reads it. I think that when I execute this demo, the bpf program should see these actions, but in the bpf_trace_printk output I can't find any info about my demo. Did I choose the wrong kernel function, or what?

bpf_program.c

#include <linux/bpf.h>
#include <linux/ptrace.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

char LICENSE[] SEC("license") = "GPL";

SEC("kprobe/do_sys_open")
int bpf_program(struct pt_regs *ctx)
{
    /* the upper 32 bits of pid_tgid are the tgid, i.e. the user-visible PID */
    __u32 pid = bpf_get_current_pid_tgid() >> 32;
    char msg[16] = "";
    bpf_get_current_comm(msg, sizeof(msg));
    // u32 uid = bpf_get_current_uid_gid();

    // const int dirfd = PT_REGS_PARM1(ctx);
    /* the second argument is a user-space pointer: copy the string into BPF
       stack memory first instead of handing the raw pointer to %s
       (on kernels older than 5.5 use bpf_probe_read_str instead) */
    const char *pathname = (const char *)PT_REGS_PARM2(ctx);
    char path[128] = "";
    bpf_probe_read_user_str(path, sizeof(path), pathname);

    char fmt[] = "@pid='%d' @pathname='%s' @comm='%s'";
    bpf_trace_printk(fmt, sizeof(fmt), pid, path, msg);

    return 0;
}

openfile.c

#include <stdio.h>
#include <unistd.h>

int main(void)
{
    FILE *fp;
    char buff[255];

    /* print our PID so it can be matched against the trace output */
    printf("Pid %d\n", getpid());

    fp = fopen("./test.c", "r");
    if (fp == NULL) {
        perror("fopen");
        return 1;
    }

    if (fscanf(fp, "%254s", buff) == 1)
        printf("Read: [%s]\n", buff);

    /* block here so the process is still alive while the trace is inspected */
    getchar();

    fclose(fp);

    return 0;
}

The actual syscall involved in your demo is probably openat(); I'd try hooking on kprobe/do_sys_openat2 instead of kprobe/do_sys_open.

See how opensnoop in BCC, for example, hooks to both open and openat to catch calls to both (using the syscall tracepoints rather than kprobes, but the principle is the same).
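The answer above says the demo most likely enters the kernel through openat(2) rather than open(2). As an added example, not part of the question or the answer, here is a small self-contained tracer that checks this without strace: it forks a child that calls fopen() on a constructed, non-existent path, steps it with ptrace one syscall at a time, and returns the number of the first open-family syscall the child issues. The function names first_open_syscall, is_open_family and open_syscall_name are this example's own, and the x86_64 and aarch64 register lookups are the only architectures it handles.

```c
/* Added example: find out which open-family syscall fopen() really issues,
 * so you know which kernel entry point a kprobe has to cover.
 * Linux only; handles x86_64 and aarch64. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <sys/user.h>
#include <sys/syscall.h>
#include <sys/uio.h>
#include <elf.h>

/* Read the syscall number of a tracee that is in a syscall-entry stop. */
static long current_syscall_nr(pid_t child)
{
#if defined(__x86_64__)
    struct user_regs_struct regs;
    if (ptrace(PTRACE_GETREGS, child, NULL, &regs) == -1)
        return -1;
    return (long)regs.orig_rax;          /* orig_rax keeps the syscall number */
#elif defined(__aarch64__)
    struct user_regs_struct regs;
    struct iovec iov = { .iov_base = &regs, .iov_len = sizeof(regs) };
    if (ptrace(PTRACE_GETREGSET, child, (void *)NT_PRSTATUS, &iov) == -1)
        return -1;
    return (long)regs.regs[8];           /* x8 holds the syscall number */
#else
    (void)child;
    errno = ENOSYS;
    return -1;
#endif
}

/* True for open(2) (where the architecture has it), openat(2) and openat2(2). */
int is_open_family(long nr)
{
    if (nr == SYS_openat) return 1;
#ifdef SYS_open
    if (nr == SYS_open) return 1;
#endif
#ifdef SYS_openat2
    if (nr == SYS_openat2) return 1;
#endif
    return 0;
}

const char *open_syscall_name(long nr)
{
    if (nr == SYS_openat) return "openat";
#ifdef SYS_open
    if (nr == SYS_open) return "open";
#endif
#ifdef SYS_openat2
    if (nr == SYS_openat2) return "openat2";
#endif
    return "unknown";
}

/* Fork a child that fopen()s `path`, stop it at every syscall boundary and
 * return the number of the first open-family syscall it makes. The file does
 * not have to exist: the syscall is entered before the kernel looks it up.
 * Returns -1 if tracing is not permitted or the child exits first. */
long first_open_syscall(const char *path)
{
    pid_t child = fork();
    if (child == -1)
        return -1;
    if (child == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
            _exit(127);
        raise(SIGSTOP);                  /* let the parent set options first */
        FILE *fp = fopen(path, "r");
        if (fp)
            fclose(fp);
        _exit(0);
    }

    int status;
    long found = -1;
    int in_syscall = 0;                  /* entry and exit stops alternate */
    if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status))
        goto out;
    /* TRACESYSGOOD marks syscall stops as SIGTRAP|0x80, distinct from real traps */
    ptrace(PTRACE_SETOPTIONS, child, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    while (ptrace(PTRACE_SYSCALL, child, NULL, NULL) == 0) {
        if (waitpid(child, &status, 0) == -1 || !WIFSTOPPED(status))
            break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80))
            continue;                    /* some other signal, suppressed */
        in_syscall = !in_syscall;
        if (!in_syscall)
            continue;                    /* syscall-exit stop, not interesting */
        long nr = current_syscall_nr(child);
        if (is_open_family(nr)) {
            found = nr;
            break;
        }
    }
out:
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    return found;
}

int main(void)
{
    /* constructed path: it does not exist, which is fine for the demonstration */
    long nr = first_open_syscall("/nonexistent/openfile-demo.txt");
    if (nr < 0) {
        perror("ptrace");
        return 1;
    }
    printf("fopen() entered the kernel via %s (syscall %ld)\n",
           open_syscall_name(nr), nr);
    return 0;
}
```

On x86_64 with a current glibc the program reports openat, which is why a kprobe on do_sys_open alone misses the demo when that function is inlined. Since Linux 5.6 both open(2) and openat(2) reach do_sys_openat2, whose second argument is still the user-space filename, so switching the SEC line in the question's program to kprobe/do_sys_openat2 keeps PT_REGS_PARM2(ctx) valid; on kernels older than 5.6 there is no do_sys_openat2 and do_sys_open is the common path for both syscalls.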
