ebpf
bpftool
· ☕ 1 minute
bpftool prog

```
$ ./execsnoop &
```

```
$ bpftool prog
9: kprobe  name syscall__execve  tag f66477d6a4dd923d  gpl
	loaded_at 2021-03-05T16:52:05+0800  uid 0
	xlated 4064B  jited 2321B  memlock 8192B  map_ids 11
10: kprobe  name do_ret_sys_exec  tag 3a66f7b49f929a2e  gpl
	loaded_at 2021-03-05T16:52:05+0800  uid 0
	xlated 480B  jited 314B  memlock 4096B  map_ids 11
```

The prog show subcommand (`bpftool prog` is shorthand for `bpftool prog show`) lists all loaded programs, not just those that are perf_event_open() based:
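Listing loaded programs is the first thing to do when checking a host for BPF programs nobody expected to be there. The script below is an added example, not code from the original post: it parses the plain-text `bpftool prog show` output quoted above into one line per program and flags any program whose type is outside an allowlist. `SAMPLE` is constructed: the two kprobe entries copy the output above, the xdp entry is invented to exercise the allowlist check. On a real host pipe `bpftool prog show` (root or CAP_BPF required) into the functions instead.

```shell
#!/bin/sh
# Added example (not from the original post): summarise `bpftool prog show`
# text output and flag program types outside an allowlist.
# SAMPLE is constructed: two entries copy the output shown in the post,
# the xdp entry is invented so the allowlist check has something to report.

SAMPLE='9: kprobe  name syscall__execve  tag f66477d6a4dd923d  gpl
        loaded_at 2021-03-05T16:52:05+0800  uid 0
        xlated 4064B  jited 2321B  memlock 8192B  map_ids 11
10: kprobe  name do_ret_sys_exec  tag 3a66f7b49f929a2e  gpl
        loaded_at 2021-03-05T16:52:05+0800  uid 0
        xlated 480B  jited 314B  memlock 4096B  map_ids 11
12: xdp  name xdp_pass  tag 0000000000000000  gpl
        loaded_at 2021-03-05T17:00:00+0800  uid 0
        xlated 16B  jited 18B  memlock 4096B'

# stdin: bpftool prog show text -> stdout: "id type name uid loaded_at map_ids"
bpf_prog_table() {
    awk '
        function flush() { printf "%s %s %s %s %s %s\n", id, type, name, uid, loaded, maps }
        # Header line of an entry: "<id>: <type>  name <name>  tag <tag>  gpl"
        /^[0-9]+:/ {
            if (id != "") flush()
            id = $1; sub(/:$/, "", id)
            type = $2; name = "-"; uid = "?"; loaded = "?"; maps = "-"
            for (i = 3; i <= NF; i++) if ($i == "name") name = $(i + 1)
            next
        }
        # Indented continuation lines carry whitespace-separated key/value pairs
        {
            for (i = 1; i <= NF; i++) {
                if ($i == "uid")       uid = $(i + 1)
                if ($i == "loaded_at") loaded = $(i + 1)
                if ($i == "map_ids")   maps = $(i + 1)
            }
        }
        END { if (id != "") flush() }
    '
}

# Number of programs in the listing on stdin
bpf_prog_count() { bpf_prog_table | wc -l | tr -d ' '; }

# Programs whose type is NOT in the space-separated allowlist given as $1
bpf_prog_unexpected() {
    bpf_prog_table | awk -v allow="$1" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        !($2 in ok) { print $3 " (" $2 ", id " $1 ")" }
    '
}

# Demo run against the constructed sample
printf '%s\n' "$SAMPLE" | bpf_prog_table
printf '%s\n' "$SAMPLE" | bpf_prog_unexpected "kprobe tracepoint"
```

For anything beyond a quick look, `bpftool prog show -j` prints the same inventory as JSON, which is easier to consume than the text format parsed here; the allowlist approach stays the same.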

eBPF API
· ☕ 1 minute
User Space API

```
# strace -ebpf ./execsnoop
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=0, map_name="events", map_ifindex=0, btf_fd=0, btf_key_type_id=0, btf_value_type_id=0}, 120) = -1 EPERM (Operation not permitted)
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=4, map_flags=0, inner_map_fd=0, map_name="events", map_ifindex=0, btf_fd=0, btf_key_type_id=0, btf_value_type_id=0}, 120) = 3
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=508, insns=0x7fbdc7157000, license="GPL", log_level=0, log_size=0, log_buf=NULL, kern_version=KERNEL_VERSION(5, 3, 18), prog_flags=0, prog_name="syscall__execve", prog_ifindex=0, expected_attach_type=BPF_CGROUP_INET_INGRESS, prog_btf_fd=0, func_info_rec_size=0, func_info=NULL,
```
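The trace above shows the first BPF_MAP_CREATE failing with EPERM and the identical call succeeding a moment later. On kernels before 5.11 BPF objects are charged against RLIMIT_MEMLOCK, and BCC reacts to EPERM by raising that limit to RLIM_INFINITY and retrying, which is the pair of calls strace recorded. The script below is an added example, not code from the original post: it summarises the bpf() calls in a strace log, counts EPERM failures that were retried successfully, and reports the local settings (effective uid, RLIMIT_MEMLOCK, the unprivileged_bpf_disabled sysctl) that decide whether a bpf() call is rejected. `TRACE` is a constructed excerpt modelled on the output quoted above, with the long struct arguments shortened.

```shell
#!/bin/sh
# Added example (not from the original post): audit bpf() calls in an
# `strace -ebpf` log and explain an EPERM. TRACE is a constructed excerpt
# modelled on the strace output shown in the post.

TRACE='bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=4, map_name="events"}, 120) = -1 EPERM (Operation not permitted)
bpf(BPF_MAP_CREATE, {map_type=BPF_MAP_TYPE_PERF_EVENT_ARRAY, key_size=4, value_size=4, max_entries=4, map_name="events"}, 120) = 3
bpf(BPF_PROG_LOAD, {prog_type=BPF_PROG_TYPE_KPROBE, insn_cnt=508, license="GPL", prog_name="syscall__execve"}, 120) = 4'

# stdin: strace lines -> stdout: "<BPF command> <fd=N | ERRNO>" per bpf() call
bpf_call_summary() {
    awk '
        /^bpf\(/ {
            cmd = $1; sub(/^bpf\(/, "", cmd); sub(/,$/, "", cmd)
            res = $0; sub(/.* = /, "", res)              # text after " = "
            if (res ~ /^-1 /) { split(res, r, " "); res = r[2] }   # errno name
            else res = "fd=" res
            print cmd, res
        }
    '
}

# Count EPERM failures followed by a successful call of the same command
# (the RLIMIT_MEMLOCK bump-and-retry pattern BCC produces)
bpf_retried_after_eperm() {
    bpf_call_summary | awk '
        $2 == "EPERM" { failed[$1] = 1 }
        $2 ~ /^fd=/ && ($1 in failed) { n++; delete failed[$1] }
        END { print n + 0 }
    '
}

# Local settings that decide whether bpf() returns EPERM here
bpf_eperm_diag() {
    echo "euid=$(id -u)"
    echo "rlimit_memlock_kb=$(ulimit -l 2>/dev/null || echo unknown)"
    if [ -r /proc/sys/kernel/unprivileged_bpf_disabled ]; then
        echo "unprivileged_bpf_disabled=$(cat /proc/sys/kernel/unprivileged_bpf_disabled)"
    else
        echo "unprivileged_bpf_disabled=n/a"   # sysctl absent on this kernel
    fi
}

printf '%s\n' "$TRACE" | bpf_call_summary
echo "retried_after_eperm=$(printf '%s\n' "$TRACE" | bpf_retried_after_eperm)"
bpf_eperm_diag
```

To apply it to a real run, replace the constructed `TRACE` with `strace -f -ebpf -o bpf.log ./execsnoop` and feed `bpf.log` to `bpf_call_summary`; a retried EPERM with euid 0 points at the memlock limit, a persistent EPERM as an unprivileged user at unprivileged_bpf_disabled.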

System-level tracing with eBPF: getting started with bpftrace
· ☕ 1 minute
Introduction to bpftrace
Basic use of bpftrace
List the kernel functions and tracepoints that can be traced, using open as the keyword:

```
$ bpftrace -l '*open*'
tracepoint:syscalls:sys_exit_open_tree
tracepoint:syscalls:sys_enter_open
...
kprobe:vfs_open
kprobe:tcp_try_fastopen
...
```

Trace every sys_enter_open() system call:

```
$ bpftrace -e 'tracepoint:syscalls:sys_enter_open{ printf("%s %s\n", comm,str(args->filename)); }' | grep vi
```

Then in another
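The one-liner above pipes every open() through grep, and it only watches sys_enter_open; current glibc issues openat(2) for most opens, so a tracer on sys_enter_open alone sees little. The script below is an added example, not code from the original post: it generates a bpftrace program that attaches to both entry tracepoints, filters on the process name in-kernel with a predicate instead of grep, and keeps a per-file count map that bpftrace prints at exit. The process name "vi" is the page's example; the `/tmp/open_trace.bt` path is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): build and run a bpftrace
# program that traces open()/openat() for one process name.

# Emit the bpftrace program for process name $1
open_trace_program() {
    cat <<EOF
// open(2) is rare on current systems; libc uses openat(2), so watch both
tracepoint:syscalls:sys_enter_open,
tracepoint:syscalls:sys_enter_openat
/comm == "$1"/
{
    printf("%-16s %s\n", comm, str(args->filename));
    @files[str(args->filename)] = count();   // map printed when bpftrace exits
}
EOF
}

# Run the program (bpftrace and root required); otherwise just show it.
# The script path is an assumption.
run_open_trace() {
    prog=$(open_trace_program "$1")
    if command -v bpftrace >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
        printf '%s\n' "$prog" > /tmp/open_trace.bt
        bpftrace /tmp/open_trace.bt
    else
        echo "bpftrace not available or not root; the program would be:" >&2
        printf '%s\n' "$prog"
    fi
}

# Print the generated program for the page's example process name
open_trace_program vi
```

Call `run_open_trace vi` as root on a host with bpftrace installed, then start vi in another terminal; press Ctrl-C to stop and print the `@files` counts. `bpftrace -l 'tracepoint:syscalls:sys_enter_open*'` confirms which of the two tracepoints the running kernel provides.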