/*
 * Kprobe handler that traces packets seen on interfaces whose name starts
 * with "lo".
 *
 * Per the original comment this is meant to be attached to a kprobe on
 * netif_receive_skb, so the first argument of the probed function is
 * treated as a struct sk_buff pointer.  Always returns 0.
 */
int bpf_prog1(struct pt_regs *ctx)
{
	/*
	 * Non-portable: the field accesses below depend on the structure
	 * layout of the kernel this program was built against.
	 */
	struct sk_buff *skb = (struct sk_buff *) PT_REGS_PARM1(ctx);
	/* _() is defined outside this listing; presumably a probe-read wrapper - confirm */
	struct net_device *dev = _(skb->dev);
	int len = _(skb->len);
	char devname[IFNAMSIZ] = {};

	/*
	 * dev->name is only used as a source address here; the kernel memory
	 * is actually fetched inside bpf_probe_read().  The return value is
	 * ignored: devname starts zeroed, so a read that copies nothing
	 * leaves an empty name that cannot match below.
	 */
	bpf_probe_read(devname, sizeof(devname), dev->name);

	/*
	 * Only the first two bytes are compared, so this is a prefix test:
	 * any interface name beginning with "lo" passes, not just "lo".
	 */
	if (devname[0] != 'l' || devname[1] != 'o')
		return 0;

	/*
	 * bpf_trace_printk() is for DEBUG ONLY.  The %p argument is the raw
	 * skb pointer, i.e. a kernel address ends up in the trace output.
	 */
	char fmt[] = "skb %p len %d\n";

	bpf_trace_printk(fmt, sizeof(fmt), skb, len);
	return 0;
}
/*
 * Records the current monotonic time in my_map, keyed by the first argument
 * of the probed function (read as a long and used as an opaque key).
 * Always returns 0.
 */
int bpf_prog1(struct pt_regs *ctx)
{
	long req_key = PT_REGS_PARM1(ctx);
	u64 start_ns = bpf_ktime_get_ns();

	/*
	 * BPF_ANY: create the entry or overwrite an existing one for this key.
	 * The helper's return value is ignored, so a failed insert (for
	 * example a full map) is silent and no timestamp is stored.
	 */
	bpf_map_update_elem(&my_map, &req_key, &start_ns, BPF_ANY);

	return 0;
}
/*
 * Handler for the read syscall slot (PROG() is defined outside this listing).
 *
 * Copies the struct seccomp_data that the first probed-function argument
 * points to and logs fd, buffer and size for reads whose size argument is
 * in the range (128, 1024].  Always returns 0.
 */
PROG(__NR_read)(struct pt_regs *ctx)
{
	struct seccomp_data sd;

	/*
	 * NOTE(review): the return value is not checked, so the tests below
	 * rely on the helper leaving sd in a defined state (zero-filled) when
	 * the read faults - confirm for the target kernel.
	 */
	bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx));

	/* args[2] is the size argument of read(); skip anything outside (128, 1024] */
	if (sd.args[2] <= 128 || sd.args[2] > 1024)
		return 0;

	/* %p prints the caller's buffer address into the trace output */
	char fmt[] = "read(fd=%d, buf=%p, size=%d)\n";

	bpf_trace_printk(fmt, sizeof(fmt),
			 sd.args[0], sd.args[1], sd.args[2]);
	return 0;
}
/*
 * Dispatcher: tail-calls into the per-syscall program stored in progs at the
 * index given by the syscall number, which is taken from the first argument
 * of the probed function.  Always returns 0 when the tail call does not
 * happen.
 */
int bpf_prog1(struct pt_regs *ctx)
{
	int nr = (int)PT_REGS_PARM1(ctx);

	/*
	 * A successful bpf_tail_call() does not return here.  Execution only
	 * continues when the index is outside the program array or the slot
	 * is empty, so the number itself is never used as an unchecked jump
	 * target.
	 */
	bpf_tail_call(ctx, &progs, nr);

	/* reached only for syscalls that have no program installed */
	if (nr < __NR_getuid || nr > __NR_getsid)
		return 0;

	char fmt[] = "syscall=%d (one of get/set uid/pid/gid)\n";

	bpf_trace_printk(fmt, sizeof(fmt), nr);
	return 0;
}
/*
 * Dispatcher: copies the struct seccomp_data that the first probed-function
 * argument points to, then tail-calls into the program stored in progs at
 * index sd.nr.  Always returns 0 when the tail call does not happen.
 */
int bpf_prog1(struct pt_regs *ctx)
{
	struct seccomp_data sd;

	/*
	 * NOTE(review): the return value is not checked, so sd.nr is only
	 * meaningful if the helper leaves sd in a defined state (zero-filled)
	 * when the read faults - confirm for the target kernel.
	 */
	bpf_probe_read(&sd, sizeof(sd), (void *)PT_REGS_PARM1(ctx));

	/*
	 * A successful bpf_tail_call() does not return here.  Execution only
	 * continues when the index is outside the program array or the slot
	 * is empty.
	 */
	bpf_tail_call(ctx, &progs, sd.nr);

	/* reached only for syscalls that have no program installed */
	if (sd.nr < __NR_getuid || sd.nr > __NR_getsid)
		return 0;

	char fmt[] = "syscall=%d (one of get/set uid/pid/gid)\n";

	bpf_trace_printk(fmt, sizeof(fmt), sd.nr);
	return 0;
}
/*
 * Completion-side handler: looks up the timestamp stored in my_map under the
 * first probed-function argument, computes the elapsed time in nanoseconds,
 * removes the entry and increments the matching slot of the lat_map
 * histogram.  Always returns 0.
 */
int bpf_prog2(struct pt_regs *ctx)
{
	long rq = PT_REGS_PARM1(ctx);
	u64 *start_ns, *slot;
	u64 now, delta, l, base;
	u32 index;

	start_ns = bpf_map_lookup_elem(&my_map, &rq);
	if (!start_ns)
		return 0;	/* no start timestamp recorded for this key */

	/*
	 * Read the stored timestamp before deleting the entry: start_ns
	 * points at the map element and is not used after the delete.
	 */
	now = bpf_ktime_get_ns();
	delta = now - *start_ns;
	bpf_map_delete_elem(&my_map, &rq);

	/*
	 * index = log10(delta) * 10, computed with integer arithmetic:
	 *   index = 29 ~ 1 usec
	 *   index = 59 ~ 1 msec
	 *   index = 89 ~ 1 sec
	 *   index = 99 ~ 10 sec or more
	 * using log10(x) * 10 = log2(x) * 10 / log2(10) = log2(x) * 3.
	 *
	 * l is the integer part of log2(delta) and (delta - base) / base the
	 * linear fraction above that power of two, both scaled by 64.
	 * NOTE(review): log2l() is defined outside this listing; the result
	 * for delta == 0 depends on what it returns for 0 - confirm.
	 */
	l = log2l(delta);
	base = 1ll << l;
	index = (l * 64 + (delta - base) * 64 / base) * 3 / 64;

	/* clamp so the lookup below can never index past the histogram */
	if (index >= SLOTS)
		index = SLOTS - 1;

	slot = bpf_map_lookup_elem(&lat_map, &index);
	if (!slot)
		return 0;

	/*
	 * Plain read-modify-write.  NOTE(review): whether concurrent CPUs can
	 * lose increments depends on lat_map's type, which is not shown here.
	 */
	*slot += 1;

	return 0;
}