Commit 3caa7d2e authored by Andrii Nakryiko's avatar Andrii Nakryiko

Merge branch 'libbpf: Add syscall-specific variant of BPF_KPROBE'

Hengqi Chen says:

====================

Add new macro BPF_KPROBE_SYSCALL, which provides easy access to syscall
input arguments. See [0] and [1] for background.

  [0]: https://github.com/libbpf/libbpf-bootstrap/issues/57
  [1]: https://github.com/libbpf/libbpf/issues/425

v2->v3:
  - Use PT_REGS_SYSCALL_REGS
  - Move selftest to progs/bpf_syscall_macro.c

v1->v2:
  - Use PT_REGS_PARM2_CORE_SYSCALL instead
====================
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
parents 8dd039a6 c2874823
...@@ -470,4 +470,39 @@ typeof(name(0)) name(struct pt_regs *ctx) \ ...@@ -470,4 +470,39 @@ typeof(name(0)) name(struct pt_regs *ctx) \
} \ } \
static __always_inline typeof(name(0)) ____##name(struct pt_regs *ctx, ##args) static __always_inline typeof(name(0)) ____##name(struct pt_regs *ctx, ##args)
#define ___bpf_syscall_args0() ctx
#define ___bpf_syscall_args1(x) ___bpf_syscall_args0(), (void *)PT_REGS_PARM1_CORE_SYSCALL(regs)
#define ___bpf_syscall_args2(x, args...) ___bpf_syscall_args1(args), (void *)PT_REGS_PARM2_CORE_SYSCALL(regs)
#define ___bpf_syscall_args3(x, args...) ___bpf_syscall_args2(args), (void *)PT_REGS_PARM3_CORE_SYSCALL(regs)
#define ___bpf_syscall_args4(x, args...) ___bpf_syscall_args3(args), (void *)PT_REGS_PARM4_CORE_SYSCALL(regs)
#define ___bpf_syscall_args5(x, args...) ___bpf_syscall_args4(args), (void *)PT_REGS_PARM5_CORE_SYSCALL(regs)
#define ___bpf_syscall_args(args...) ___bpf_apply(___bpf_syscall_args, ___bpf_narg(args))(args)
/*
* BPF_KPROBE_SYSCALL is a variant of BPF_KPROBE, which is intended for
* tracing syscall functions, like __x64_sys_close. It hides the underlying
* platform-specific low-level way of getting syscall input arguments from
* struct pt_regs, and provides a familiar typed and named function arguments
* syntax and semantics of accessing syscall input parameters.
*
* Original struct pt_regs* context is preserved as 'ctx' argument. This might
* be necessary when using BPF helpers like bpf_perf_event_output().
*
* This macro relies on BPF CO-RE support.
*/
#define BPF_KPROBE_SYSCALL(name, args...) \
name(struct pt_regs *ctx); \
static __attribute__((always_inline)) typeof(name(0)) \
____##name(struct pt_regs *ctx, ##args); \
typeof(name(0)) name(struct pt_regs *ctx) \
{ \
struct pt_regs *regs = PT_REGS_SYSCALL_REGS(ctx); \
_Pragma("GCC diagnostic push") \
_Pragma("GCC diagnostic ignored \"-Wint-conversion\"") \
return ____##name(___bpf_syscall_args(args)); \
_Pragma("GCC diagnostic pop") \
} \
static __attribute__((always_inline)) typeof(name(0)) \
____##name(struct pt_regs *ctx, ##args)
#endif #endif
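Review bot: BPF_KPROBE_SYSCALL silently caps handlers at five syscall arguments: `___bpf_syscall_args` is only defined up to `___bpf_syscall_args5`, so a handler declared with six parameters (syscalls can take up to six) fails with an opaque undefined-`___bpf_syscall_args6` expansion error rather than a clear diagnostic. The header comment should state the limit, e.g. `* At most 5 syscall arguments are supported by this macro.`, and ideally the argument-count case should be caught with an explicit compile-time error. The same comment would benefit from one more caveat: the typed arguments are raw register values handed in by user space, so a pointer-typed parameter is a user address that must be read with `bpf_probe_read_user()` and never dereferenced directly. As a point of style, the new macro spells `__attribute__((always_inline))` where BPF_KPROBE on the line just above uses `__always_inline`; using the same spelling keeps the two variants visibly parallel.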
...@@ -62,6 +62,12 @@ void test_bpf_syscall_macro(void) ...@@ -62,6 +62,12 @@ void test_bpf_syscall_macro(void)
ASSERT_EQ(skel->bss->arg4_core, exp_arg4, "syscall_arg4_core_variant"); ASSERT_EQ(skel->bss->arg4_core, exp_arg4, "syscall_arg4_core_variant");
ASSERT_EQ(skel->bss->arg5_core, exp_arg5, "syscall_arg5_core_variant"); ASSERT_EQ(skel->bss->arg5_core, exp_arg5, "syscall_arg5_core_variant");
ASSERT_EQ(skel->bss->option_syscall, exp_arg1, "BPF_KPROBE_SYSCALL_option");
ASSERT_EQ(skel->bss->arg2_syscall, exp_arg2, "BPF_KPROBE_SYSCALL_arg2");
ASSERT_EQ(skel->bss->arg3_syscall, exp_arg3, "BPF_KPROBE_SYSCALL_arg3");
ASSERT_EQ(skel->bss->arg4_syscall, exp_arg4, "BPF_KPROBE_SYSCALL_arg4");
ASSERT_EQ(skel->bss->arg5_syscall, exp_arg5, "BPF_KPROBE_SYSCALL_arg5");
cleanup: cleanup:
bpf_syscall_macro__destroy(skel); bpf_syscall_macro__destroy(skel);
} }
...@@ -21,6 +21,12 @@ unsigned long arg4_core_cx = 0; ...@@ -21,6 +21,12 @@ unsigned long arg4_core_cx = 0;
unsigned long arg4_core = 0; unsigned long arg4_core = 0;
unsigned long arg5_core = 0; unsigned long arg5_core = 0;
int option_syscall = 0;
unsigned long arg2_syscall = 0;
unsigned long arg3_syscall = 0;
unsigned long arg4_syscall = 0;
unsigned long arg5_syscall = 0;
const volatile pid_t filter_pid = 0; const volatile pid_t filter_pid = 0;
SEC("kprobe/" SYS_PREFIX "sys_prctl") SEC("kprobe/" SYS_PREFIX "sys_prctl")
...@@ -58,4 +64,21 @@ int BPF_KPROBE(handle_sys_prctl) ...@@ -58,4 +64,21 @@ int BPF_KPROBE(handle_sys_prctl)
return 0; return 0;
} }
SEC("kprobe/" SYS_PREFIX "sys_prctl")
int BPF_KPROBE_SYSCALL(prctl_enter, int option, unsigned long arg2,
unsigned long arg3, unsigned long arg4, unsigned long arg5)
{
pid_t pid = bpf_get_current_pid_tgid() >> 32;
if (pid != filter_pid)
return 0;
option_syscall = option;
arg2_syscall = arg2;
arg3_syscall = arg3;
arg4_syscall = arg4;
arg5_syscall = arg5;
return 0;
}
char _license[] SEC("license") = "GPL"; char _license[] SEC("license") = "GPL";
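Review bot: prctl_enter attaches to the same `sys_prctl` probe point as handle_sys_prctl (whose body lies above the hunk) and, as far as the hunk shows, repeats the same tgid filter; a one-line comment above its SEC() line, `/* Same probe point as handle_sys_prctl, but via BPF_KPROBE_SYSCALL */`, would tell a reader why two programs target one symbol. If the existing handler filters identically, a shared `static __always_inline bool is_filter_pid(void)` helper would keep the two handlers in step rather than duplicating the `bpf_get_current_pid_tgid() >> 32` comparison. Note also that `option_syscall` is declared `int` while the remaining `*_syscall` globals are `unsigned long`; that matches the prctl prototype, but a short comment saying so would prevent a future "consistency" cleanup from widening it.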