From 38ab04d53c1a46d214f0ad841d72679ea835c7db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=B5=B5=E7=BF=94=E5=AE=87?= Date: Mon, 1 Jul 2024 11:26:27 +0800 Subject: [PATCH 1/2] Dynamic addition of kprobe and tracepoint --- driver/ppm_events_public.h | 2 + userspace/libscap/scap-int.h | 22 ++- userspace/libscap/scap.c | 4 + userspace/libscap/scap.h | 7 + userspace/libscap/scap_bpf.c | 186 +++++++++++++++++++--- userspace/libscap/scap_bpf.h | 1 + userspace/libsinsp/CMakeLists.txt | 1 + userspace/libsinsp/examples/test.cpp | 220 ++++++++++++++++++++++++++- userspace/libsinsp/sinsp.h | 3 + userspace/libsinsp/sinsp_tp.cpp | 51 +++++++ 10 files changed, 468 insertions(+), 29 deletions(-) create mode 100644 userspace/libsinsp/sinsp_tp.cpp diff --git a/driver/ppm_events_public.h b/driver/ppm_events_public.h index 3f86018c85..5d4caa86cb 100644 --- a/driver/ppm_events_public.h +++ b/driver/ppm_events_public.h @@ -1526,6 +1526,8 @@ struct ppm_evt_hdr { #define PPM_IOCTL_GET_PROBE_VERSION _IO(PPM_IOCTL_MAGIC, 21) #define PPM_IOCTL_SET_FULLCAPTURE_PORT_RANGE _IO(PPM_IOCTL_MAGIC, 22) #define PPM_IOCTL_SET_STATSD_PORT _IO(PPM_IOCTL_MAGIC, 23) +#define PPM_IOCTL_MASK_SET_TP _IO(PPM_IOCTL_MAGIC, 24) +#define PPM_IOCTL_MASK_UNSET_TP _IO(PPM_IOCTL_MAGIC, 25) #endif // CYGWING_AGENT extern const struct ppm_name_value socket_families[]; diff --git a/userspace/libscap/scap-int.h b/userspace/libscap/scap-int.h index b7ca10c6f5..c8280125aa 100644 --- a/userspace/libscap/scap-int.h +++ b/userspace/libscap/scap-int.h @@ -72,7 +72,17 @@ typedef struct wh_t wh_t; // #define BPF_PROGS_MAX 128 #define BPF_MAPS_MAX 32 - +struct bpf_prog { + int fd; + int efd; + char name[255]; +}; +//For the real index that loaded kprobe and tracepoint events in struct bpf_prog bpf_progs. +struct kt_index { + char name[255]; + int index; + bool interest; +}; // // The device descriptor // @@ -156,13 +166,19 @@ struct scap // Anonymous struct with bpf stuff struct { - int m_bpf_prog_fds[BPF_PROGS_MAX]; + char m_filepath[SCAP_MAX_PATH_SIZE]; + struct bpf_prog m_bpf_progs[BPF_PROGS_MAX]; int m_bpf_prog_cnt; bool m_bpf_fillers[BPF_PROGS_MAX]; - int m_bpf_event_fd[BPF_PROGS_MAX]; int m_bpf_map_fds[BPF_MAPS_MAX]; int m_bpf_prog_array_map_idx; }; + // Anonymous struct with tracepoints and kprobe of interest + struct { + struct kt_index kt_indices[BPF_PROGS_MAX]; + int m_bpf_prog_real_size; // the real size of bpf program in probe.o + }; + // The set of process names that are suppressed char **m_suppressed_comms; diff --git a/userspace/libscap/scap.c b/userspace/libscap/scap.c index fd5f677a0d..1ee7eb8f9b 100644 --- a/userspace/libscap/scap.c +++ b/userspace/libscap/scap.c @@ -2200,6 +2200,10 @@ int32_t scap_unset_eventmask(scap_t* handle, uint32_t event_id) { #endif } +int32_t scap_set_ktmask(scap_t* handle, uint32_t kt, bool enabled){ + return scap_set_ktmask_bpf(handle, kt, enabled); +} + uint32_t scap_event_get_dump_flags(scap_t* handle) { return handle->m_last_evt_dump_flags; diff --git a/userspace/libscap/scap.h b/userspace/libscap/scap.h index 2a685a982a..64b31346ab 100644 --- a/userspace/libscap/scap.h +++ b/userspace/libscap/scap.h @@ -994,7 +994,14 @@ int32_t scap_set_eventmask(scap_t* handle, uint32_t event_id); */ int32_t scap_unset_eventmask(scap_t* handle, uint32_t event_id); +/*! + \brief enabled the event fd + \param handle Handle to the capture instance. + \param enabled true or false + \note This function can only be called for live captures. + */ +int32_t scap_set_ktmask(scap_t* handle, uint32_t kt, bool enabled); /*! \brief Get the root directory of the system. This usually changes if running in a container, so that all the information for the diff --git a/userspace/libscap/scap_bpf.c b/userspace/libscap/scap_bpf.c index 89d825eb39..00452512c4 100644 --- a/userspace/libscap/scap_bpf.c +++ b/userspace/libscap/scap_bpf.c @@ -522,6 +522,7 @@ static int32_t load_tracepoint(scap_t* handle, const char *event, struct bpf_ins bool is_raw_tracepoint = strncmp(event, "raw_tracepoint/", 15) == 0; insns_cnt = size / sizeof(struct bpf_insn); + char *full_event = event; attr.type = PERF_TYPE_TRACEPOINT; attr.sample_type = PERF_SAMPLE_RAW; @@ -593,7 +594,21 @@ static int32_t load_tracepoint(scap_t* handle, const char *event, struct bpf_ins free(error); - handle->m_bpf_prog_fds[handle->m_bpf_prog_cnt++] = fd; + handle->m_bpf_progs[handle->m_bpf_prog_cnt].fd = fd; + strncpy(handle->m_bpf_progs[handle->m_bpf_prog_cnt].name, full_event, NAME_MAX); + + + //When loading all eBPF programs for the first time, update the kt_indices. + if(handle->m_bpf_prog_cnt + 1 > handle->m_bpf_prog_real_size){ + strncpy(handle->kt_indices[handle->m_bpf_prog_real_size].name, full_event, NAME_MAX); + handle->kt_indices[handle->m_bpf_prog_real_size].index = handle->m_bpf_prog_cnt; + handle->kt_indices[handle->m_bpf_prog_real_size].interest = true; + handle->m_bpf_prog_real_size++; + } + + handle->m_bpf_prog_cnt++; + //printf("prog_type:%d, insns_cnt:%d, license: %s, fd: %d\n", program_type, insns_cnt, license, fd); + if(memcmp(event, "filler/", sizeof("filler/") - 1) == 0) { @@ -687,14 +702,26 @@ static int32_t load_tracepoint(scap_t* handle, const char *event, struct bpf_ins return SCAP_FAILURE; } } - - handle->m_bpf_event_fd[handle->m_bpf_prog_cnt - 1] = efd; + handle->m_bpf_progs[handle->m_bpf_prog_cnt - 1].efd = efd; return SCAP_SUCCESS; } #ifndef MINIMAL_BUILD -static int32_t load_bpf_file(scap_t *handle, const char *path) + +static bool is_kt_enabled(scap_t *handle, char* event_name){ + bool enabled = true; + for(int i = 0; i < handle->m_bpf_prog_real_size; i++){ + if(strcmp(event_name, handle->kt_indices[i].name) == 0){ + enabled = handle->kt_indices[i].interest; + break; + } + } + + return enabled; +} + +static int32_t load_bpf_file(scap_t *handle) { int j; int maps_shndx = 0; @@ -706,8 +733,8 @@ static int32_t load_bpf_file(scap_t *handle, const char *path) Elf_Data *symbols = NULL; char *shname; char *shname_prog; - int nr_maps = 0; - struct bpf_map_data maps[BPF_MAPS_MAX]; + static int nr_maps = 0; + static struct bpf_map_data maps[BPF_MAPS_MAX]; struct utsname osname; int32_t res = SCAP_FAILURE; @@ -723,10 +750,10 @@ static int32_t load_bpf_file(scap_t *handle, const char *path) return SCAP_FAILURE; } - int program_fd = open(path, O_RDONLY, 0); + int program_fd = open(handle->m_filepath, O_RDONLY, 0); if(program_fd < 0) { - snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "can't open BPF probe '%s': %s", path, scap_strerror(handle, errno)); + snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "can't open BPF probe '%s': %s", handle->m_filepath, scap_strerror(handle, errno)); return SCAP_FAILURE; } @@ -788,9 +815,11 @@ static int32_t load_bpf_file(scap_t *handle, const char *path) snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "missing SHT_SYMTAB section"); goto cleanup; } - - if(maps_shndx) + //Map initialization occurs only upon the map's first load. + static bool first_load_map = true; + if(maps_shndx && first_load_map) { + first_load_map = false; if(load_elf_maps_section(handle, maps, maps_shndx, elf, symbols, strtabidx, &nr_maps) != SCAP_SUCCESS) { goto cleanup; @@ -833,7 +862,18 @@ static int32_t load_bpf_file(scap_t *handle, const char *path) { continue; } - + if(is_kt_enabled(handle, shname)) + { + bool already_attached = false; + for(int i = 0; i < handle->m_bpf_prog_cnt && !already_attached; i++) + { + if(strcmp(handle->m_bpf_progs[i].name, shname) == 0) + { + already_attached = true; + } + } + if(!already_attached) + { if(memcmp(shname, "tracepoint/", sizeof("tracepoint/") - 1) == 0 || memcmp(shname, "raw_tracepoint/", sizeof("raw_tracepoint/") - 1) == 0 || memcmp(shname, "kprobe/", sizeof("kprobe/") - 1) == 0 || @@ -851,6 +891,9 @@ static int32_t load_bpf_file(scap_t *handle, const char *path) goto cleanup; } } + } + } + } res = SCAP_SUCCESS; @@ -1263,6 +1306,19 @@ int32_t scap_bpf_enable_tracers_capture(scap_t* handle) return SCAP_SUCCESS; } +static void close_prog(struct bpf_prog *prog) +{ + if(prog->efd > 0) + { + int res = close(prog->efd); + } + if(prog->fd > 0) + { + int res = close(prog->fd); + } + memset(prog, 0, sizeof(*prog)); +} + int32_t scap_bpf_close(scap_t *handle) { int j; @@ -1291,23 +1347,16 @@ int32_t scap_bpf_close(scap_t *handle) } } - for(j = 0; j < sizeof(handle->m_bpf_event_fd) / sizeof(handle->m_bpf_event_fd[0]); ++j) - { - if(handle->m_bpf_event_fd[j] > 0) + for(j = 0; j < sizeof(handle->m_bpf_progs) / sizeof(handle->m_bpf_progs[0]); ++j) { - close(handle->m_bpf_event_fd[j]); - handle->m_bpf_event_fd[j] = 0; - } + close_prog(&handle->m_bpf_progs[j]); } - for(j = 0; j < sizeof(handle->m_bpf_prog_fds) / sizeof(handle->m_bpf_prog_fds[0]); ++j) - { - if(handle->m_bpf_prog_fds[j] > 0) + for(j = 0; j < handle->m_bpf_prog_real_size; ++j) { - close(handle->m_bpf_prog_fds[j]); - handle->m_bpf_prog_fds[j] = 0; + handle->kt_indices[j].index = -1; } - } + for(j = 0; j < sizeof(handle->m_bpf_map_fds) / sizeof(handle->m_bpf_map_fds[0]); ++j) { @@ -1324,6 +1373,93 @@ int32_t scap_bpf_close(scap_t *handle) return SCAP_SUCCESS; } +static int32_t scap_bpf_handle_kt_mask( scap_t *handle, uint32_t op, uint32_t kt_index) +{ + // error kt_index + if(kt_index < 0 || kt_index > handle->m_bpf_prog_real_size) + return SCAP_SUCCESS; + + int prg_idx = handle->kt_indices[kt_index].index; + + // We want to unload a never loaded tracepoint + if (prg_idx == -1 && op != PPM_IOCTL_MASK_SET_TP) + { + return SCAP_SUCCESS; + } + // We want to load an already loaded tracepoint + if (prg_idx >= 0 && op != PPM_IOCTL_MASK_UNSET_TP) + { + return SCAP_SUCCESS; + } + + if (op == PPM_IOCTL_MASK_UNSET_TP) + { + // Algo: + // Close the event and tracepoint fds, + // reduce number of prog cnt + // move left remaining array elements + // reset last array element + handle->kt_indices[kt_index].index = -1; + handle->kt_indices[kt_index].interest = false; + + close_prog(&handle->m_bpf_progs[prg_idx]); + handle->m_bpf_prog_cnt--; + size_t byte_size = (handle->m_bpf_prog_cnt - prg_idx) * sizeof(handle->m_bpf_progs[prg_idx]); + if (byte_size > 0) + { + memmove(&handle->m_bpf_progs[prg_idx], &handle->m_bpf_progs[prg_idx + 1], byte_size); + } + memset(&handle->m_bpf_progs[handle->m_bpf_prog_cnt], 0, sizeof(handle->m_bpf_progs[handle->m_bpf_prog_cnt])); + return SCAP_SUCCESS; + } + + handle->kt_indices[kt_index].interest = true; + return load_bpf_file(handle); +} + +static int32_t scap_handle_ktmask(scap_t* handle, uint32_t op, uint32_t kt) +{ + switch(op) + { + case PPM_IOCTL_MASK_SET_TP: + case PPM_IOCTL_MASK_UNSET_TP: + break; + + default: + snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "%s(%d) internal error", __FUNCTION__, op); + ASSERT(false); + return SCAP_FAILURE; + break; + } + + if (kt >= BPF_PROGS_MAX) + { + snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "%s(%d) wrong param", __FUNCTION__, kt); + ASSERT(false); + return SCAP_FAILURE; + } + + if(handle) + { + return scap_bpf_handle_kt_mask(handle, op, kt); + } +#if !defined(HAS_CAPTURE) || defined(_WIN32) + snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "tpmask not supported on %s", PLATFORM_NAME); + return SCAP_FAILURE; +#else + if (handle == NULL) + { + return SCAP_FAILURE; + } + + snprintf(handle->m_lasterr, SCAP_LASTERR_SIZE, "manipulating tpmask not supported on this scap mode"); + return SCAP_FAILURE; +#endif // HAS_CAPTURE +} +int32_t scap_set_ktmask_bpf(scap_t* handle, uint32_t kt, bool enabled) { + return(scap_handle_ktmask(handle, enabled ? PPM_IOCTL_MASK_SET_TP : PPM_IOCTL_MASK_UNSET_TP, kt)); +} + // // This is completely horrible, revisit this shameful code // with a proper solution @@ -1491,8 +1627,8 @@ int32_t scap_bpf_load(scap_t *handle, const char *bpf_probe) ASSERT(false); return SCAP_FAILURE; } - - if(load_bpf_file(handle, bpf_probe) != SCAP_SUCCESS) + snprintf(handle->m_filepath, SCAP_MAX_PATH_SIZE, "%s", bpf_probe); + if(load_bpf_file(handle) != SCAP_SUCCESS) { return SCAP_FAILURE; } diff --git a/userspace/libscap/scap_bpf.h b/userspace/libscap/scap_bpf.h index af2e248bf4..85ad9140fa 100644 --- a/userspace/libscap/scap_bpf.h +++ b/userspace/libscap/scap_bpf.h @@ -49,6 +49,7 @@ int32_t scap_bpf_get_n_tracepoint_hit(scap_t* handle, long* ret); int32_t scap_bpf_enable_skb_capture(scap_t *handle, const char *ifname); int32_t scap_bpf_disable_skb_capture(scap_t *handle); int32_t scap_bpf_handle_eventmask(scap_t* handle, uint32_t op, uint32_t event_id); +int32_t scap_set_ktmask_bpf(scap_t* handle, uint32_t kt, bool enabled); static inline scap_evt *scap_bpf_evt_from_perf_sample(void *evt) { diff --git a/userspace/libsinsp/CMakeLists.txt b/userspace/libsinsp/CMakeLists.txt index d54e147599..1816bb4098 100644 --- a/userspace/libsinsp/CMakeLists.txt +++ b/userspace/libsinsp/CMakeLists.txt @@ -83,6 +83,7 @@ set(SINSP_SOURCES threadinfo.cpp tuples.cpp sinsp.cpp + sinsp_tp.cpp stats.cpp table.cpp token_bucket.cpp diff --git a/userspace/libsinsp/examples/test.cpp b/userspace/libsinsp/examples/test.cpp index 6f380400a9..f2983769ae 100644 --- a/userspace/libsinsp/examples/test.cpp +++ b/userspace/libsinsp/examples/test.cpp @@ -15,12 +15,19 @@ limitations under the License. */ #include +#include #include #include #include #include #include +#include +#include #include "util.h" +#include "unordered_set" +#include "eventformatter.h" +#include + using namespace std; @@ -80,8 +87,29 @@ int main(int argc, char **argv) signal(SIGINT, sigint_handler); signal(SIGPIPE, sigint_handler); - + inspector.set_bpf_probe("../../../driver/bpf/probe.o"); inspector.open(); + inspector.enable_page_faults(); + + //添加filter + std::unique_ptr> evttypes (new set()); + std::unique_ptr> syscalls (new set()); + // evttypes->insert(PPME_TCP_CONNECT_E); + // evttypes->insert(PPME_SYSCALL_CLONE_11_X); + // evttypes->insert(PPME_SYSCALL_CLONE_16_X); + // evttypes->insert(PPME_SYSCALL_CLONE_17_X); + // evttypes->insert(PPME_SYSCALL_CLONE_20_X); + // evttypes->insert(PPME_SYSCALL_CLONE_11_E); + // evttypes->insert(PPME_TCP_CONNECT_X); + +// string filter_name = "open"; +// set filter_tags = {"a"}; +// inspector.add_evttype_filter(filter_name,*evttypes,*syscalls,filter_tags,NULL); +// inspector.m_filter =NULL; +// if(inspector.m_evttype_filter){ +// inspector.m_evttype_filter->enable(filter_name, true,0); +// std::cout<<"开启筛选"<tostring(ev, &line)) { + cout << line << endl; + } + } + + ///打印kfree_skb_reason事件 + bool print_kfree_skb_reson = false; + if(ev->get_type()==PPME_TCP_CONNECT_X&&print_kfree_skb_reson){ + + // string line; + // string output_format ="%evt.info"; + // auto formatter = new sinsp_evt_formatter(&inspector, output_format); + // if (formatter->tostring(ev, &line)) + // cout << line << endl; + + char* reason; + for(int i=0; iget_num_params();i++){ + auto info = ev->get_param_info(i); + auto param = ev->get_param(i); + auto payload = param->m_val; + + auto payload_len = param->m_len; + if(i==0)reason=payload; + if(payload_len == 1 + 4 + 2 + 4 + 2) + { + + ipv4tuple addr; + struct in_addr addr_ip_s={0}; + struct in_addr addr_ip_d={0}; + addr.m_fields.m_sip = *(uint32_t*)(payload + 1); + addr.m_fields.m_sport = *(uint16_t*)(payload+5); + addr.m_fields.m_dip = *(uint32_t*)(payload + 7); + addr.m_fields.m_dport = *(uint16_t*)(payload+11); +// if(addr.m_fields.m_dip == 3480357386 ||addr.m_fields.m_dip==0||*(unsigned long *)reason==0)continue; + // if(*(unsigned long *)reason==0)continue; + std::cout<<"reason:"<<*(unsigned long *)reason<get_param(i); + } + + } + +#ifdef GATHER_INTERNAL_STATS + static int count = 0; + count++; + ///打印stats信息 + bool print_stats = false; + if(print_stats && count > 100000){ + count=0; + inspector.m_thread_manager->get_metric_val(); + inspector.get_stats(); + auto stats = &inspector.m_stats; + std::cout<<" Removed threads:"<metric_table.val_removed_threads; + std::cout<<" Number of added threads:"<metric_table.val_added_threads; + std::cout<<" Non cached thread lookups:"<metric_table.val_non_cached_lookups; + std::cout<<" Cached thread lookups:"<metric_table.val_cached_lookups; + std::cout<<" Failed thread lookups:"<metric_table.val_failed_lookups<m_n_seen_evts); + printf("drops: %" PRIu64 "\n", stats->m_n_drops); + printf("preemptions: %" PRIu64 "\n", stats->m_n_preemptions); + printf("fd lookups: %" PRIu64 "(%" PRIu64 " cached %" PRIu64 " noncached)\n", + stats->m_n_noncached_fd_lookups + stats->m_n_cached_fd_lookups, + stats->m_n_cached_fd_lookups, + stats->m_n_noncached_fd_lookups); + printf("failed fd lookups: %" PRIu64 "\n", stats->m_n_failed_fd_lookups); + printf("n. threads: %" PRIu64 "\n", stats->m_n_threads); + printf("n. fds: %" PRIu64 "\n", stats->m_n_fds); + printf("added fds: %" PRIu64 "\n", stats->m_n_added_fds); + printf("removed fds: %" PRIu64 "\n", stats->m_n_removed_fds); + printf("stored evts: %" PRIu64 "\n", stats->m_n_stored_evts); + printf("store drops: %" PRIu64 "\n", stats->m_n_store_drops); + printf("retrieved evts: %" PRIu64 "\n", stats->m_n_retrieved_evts); + printf("retrieve drops: %" PRIu64 "\n", stats->m_n_retrieve_drops); + for(auto it :stats->m_n_retrieve_list){ + std::cout<<" "<get_type()))==s.end()){ + // std::cout<get_type())<<" params num :"<get_num_params()<get_type())); + //// for(int i=0; iget_num_params();i++){ + //// auto info = ev->get_param_info(i); + //// + //// std::cout<<" "<get_param_name(i)<<":"<type; + //// if(info->name=="length")std::cout<get_param(i).; + //// } + //// puts(""); + // string line; + // string output_format = + // "*%evt.num %evt.outputtime %evt.cpu %container.name (%container.id) %proc.name " + // "(%thread.tid:%thread.vtid) %evt.dir %evt.type %evt.info"; + // auto formatter = new sinsp_evt_formatter(&inspector, output_format); + // if (formatter->tostring(ev, &line)) { + // cout << line << endl; + // } + // } + continue; + + //新增 + + // if(ev->get_type()==PPME_TCP_CONNECT_X){ + // std::cout<get_type()<tostring(ev, &line)) + // cout << line << endl; + // } + continue; sinsp_threadinfo* thread = ev->get_thread_info(); if(thread) diff --git a/userspace/libsinsp/sinsp.h b/userspace/libsinsp/sinsp.h index e4ada1562f..61323ea297 100644 --- a/userspace/libsinsp/sinsp.h +++ b/userspace/libsinsp/sinsp.h @@ -792,6 +792,9 @@ class SINSP_PUBLIC sinsp : public capture_stats_source, public wmi_handle_source */ void unset_eventmask(uint32_t event_id); + void mark_kt_of_interest(uint32_t tp, bool enabled = true); + + std::unordered_map get_all_kt(); /*! \brief When reading events from a trace file, this function returns the read progress as a number between 0 and 100. diff --git a/userspace/libsinsp/sinsp_tp.cpp b/userspace/libsinsp/sinsp_tp.cpp new file mode 100644 index 0000000000..7400212ca7 --- /dev/null +++ b/userspace/libsinsp/sinsp_tp.cpp @@ -0,0 +1,51 @@ +// +// Created by zhaoxiangyu on 24-4-2. +// +#include +#include "scap-int.h" +#include "unordered_map" + +std::unordered_map sinsp::get_all_kt() +{ + std::unordered_map ppm_kt_map; + for(uint32_t kt = 0; kt < m_h->m_bpf_prog_real_size; kt++) + { + auto index = m_h->kt_indices[kt]; + if(strstr(index.name,"/filler/") == nullptr) + { + ppm_kt_map[index.name] = kt; + } + } + + return ppm_kt_map; +} + +static void update_ktindex(scap_t* m_h){ + static std::unordered_map ppm_kt_map; + if(ppm_kt_map.empty()){ + for(uint32_t kt = 0; kt < m_h->m_bpf_prog_real_size; kt++) + { + auto index = m_h->kt_indices[kt]; + ppm_kt_map[index.name] = kt; + } + } + for(int i = 0; i < m_h->m_bpf_prog_cnt;i++){ + auto name = m_h->m_bpf_progs[i].name; + m_h->kt_indices[ppm_kt_map[name]].index = i; + } +} +void sinsp::mark_kt_of_interest(uint32_t tp, bool enable) +{ + /* This API must be used only after the initialization phase. */ + if (!is_live()) + { + throw sinsp_exception("you cannot use this method before opening the inspector or if the running mode isn't BPF!"); + } + int ret = scap_set_ktmask(m_h, tp, enable); + update_ktindex(m_h); + + if (ret != SCAP_SUCCESS) + { + throw sinsp_exception(scap_getlasterr(m_h)); + } +} From d052e599ad45a136ae7bd1cda32f8bc2b04cebb8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E8=B5=B5=E7=BF=94=E5=AE=87?= Date: Tue, 9 Jul 2024 11:27:46 +0800 Subject: [PATCH 2/2] Dynamic addition of kprobe and tracepoint --- userspace/libscap/scap_bpf.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/userspace/libscap/scap_bpf.c b/userspace/libscap/scap_bpf.c index 00452512c4..cf1d262c5a 100644 --- a/userspace/libscap/scap_bpf.c +++ b/userspace/libscap/scap_bpf.c @@ -711,7 +711,8 @@ static int32_t load_tracepoint(scap_t* handle, const char *event, struct bpf_ins static bool is_kt_enabled(scap_t *handle, char* event_name){ bool enabled = true; - for(int i = 0; i < handle->m_bpf_prog_real_size; i++){ + int i; + for(i = 0; i < handle->m_bpf_prog_real_size; i++){ if(strcmp(event_name, handle->kt_indices[i].name) == 0){ enabled = handle->kt_indices[i].interest; break; @@ -865,7 +866,8 @@ static int32_t load_bpf_file(scap_t *handle) if(is_kt_enabled(handle, shname)) { bool already_attached = false; - for(int i = 0; i < handle->m_bpf_prog_cnt && !already_attached; i++) + int i; + for(i = 0; i < handle->m_bpf_prog_cnt && !already_attached; i++) { if(strcmp(handle->m_bpf_progs[i].name, shname) == 0) {