perf examples bpf: Remove augmented_syscalls.c, the raw_syscalls one should be used instead

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

The attempt at using BPF to copy syscall pointer arguments to show them
like strace does started with sys_{enter,exit}_SYSCALL_NAME tracepoints,
in tools/perf/examples/bpf/augmented_syscalls.c, but then achieving this
result using raw_syscalls:{enter,exit} and BPF tail calls was deemed
more flexible.

The 'perf trace' codebase was adapted to using it while trying to
continue supporting the old style per-syscall tracepoints, which at some
point became too unwieldly and now isn't working properly.

So lets scale back and concentrate on the augmented_raw_syscalls.c
model on the way to using BPF skeletons.

For the same reason remove the etcsnoop.c example, that used the
old style per-tp syscalls just for the 'open' and 'openat' syscalls,
looking at the pathnames starting with "/etc/", we should be able
to do this later using filters, after we move to BPF skels.

The augmented_raw_syscalls.c one continues to work, now with libbpf 1.0,
after Ian work on using the libbpf map style:

# perf trace -e ~acme/git/perf/tools/perf/examples/bpf/augmented_raw_syscalls.c,open* --max-events 4
0.000 ping/194815 openat(dfd: CWD, filename: "/etc/hosts", flags: RDONLY|CLOEXEC) = 5
20.225 systemd-oomd/972 openat(dfd: CWD, filename: "/proc/meminfo", flags: RDONLY|CLOEXEC) = 12
20.285 abrt-dump-jour/1371 openat(dfd: CWD, filename: "/var/log/journal/d6a97235307247e09f13f326fb607e3c/system.journal", flags: RDONLY|CLOEXEC|NONBLOCK) = 21
20.301 abrt-dump-jour/1370 openat(dfd: CWD, filename: "/var/log/journal/d6a97235307247e09f13f326fb607e3c/system.journal", flags: RDONLY|CLOEXEC|NONBLOCK) = 21
#

This is using this:

# cat ~/.perfconfig
[trace]
show_zeros = yes
show_duration = no
no_inherit = yes
args_alignment = 40

Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Arnaldo Carvalho de Melo 3 years ago 3cd65616 cfddf0d4

-245

2 changed files

expand all

tools

perf

examples

bpf

augmented_syscalls.c

etcsnoop.c

-169

tools/perf/examples/bpf/augmented_syscalls.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * Augment syscalls with the contents of the pointer arguments. 4 - * 5 - * Test it with: 6 - * 7 - * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null 8 - * 9 - * It'll catch some openat syscalls related to the dynamic linked and 10 - * the last one should be the one for '/etc/passwd'. 11 - * 12 - * This matches what is marshalled into the raw_syscall:sys_enter payload 13 - * expected by the 'perf trace' beautifiers, and can be used by them, that will 14 - * check if perf_sample->raw_data is more than what is expected for each 15 - * syscalls:sys_{enter,exit}_SYSCALL tracepoint, uing the extra data as the 16 - * contents of pointer arguments. 17 - */ 18 - 19 - #include <stdio.h> 20 - #include <linux/socket.h> 21 - 22 - /* bpf-output associated map */ 23 - bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__); 24 - 25 - struct syscall_exit_args { 26 - unsigned long long common_tp_fields; 27 - long syscall_nr; 28 - long ret; 29 - }; 30 - 31 - struct augmented_filename { 32 - unsigned int size; 33 - int reserved; 34 - char value[256]; 35 - }; 36 - 37 - #define augmented_filename_syscall(syscall) \ 38 - struct augmented_enter_##syscall##_args { \ 39 - struct syscall_enter_##syscall##_args args; \ 40 - struct augmented_filename filename; \ 41 - }; \ 42 - int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \ 43 - { \ 44 - struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; \ 45 - unsigned int len = sizeof(augmented_args); \ 46 - probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \ 47 - augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, \ 48 - sizeof(augmented_args.filename.value), \ 49 - args->filename_ptr); \ 50 - if (augmented_args.filename.size < sizeof(augmented_args.filename.value)) { \ 51 - len -= sizeof(augmented_args.filename.value) - augmented_args.filename.size; \ 52 - len &= sizeof(augmented_args.filename.value) - 1; \ 53 - } \ 54 - /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \ 55 - return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \ 56 - &augmented_args, len); \ 57 - } \ 58 - int syscall_exit(syscall)(struct syscall_exit_args *args) \ 59 - { \ 60 - return 1; /* 0 as soon as we start copying data returned by the kernel, e.g. 'read' */ \ 61 - } 62 - 63 - struct syscall_enter_openat_args { 64 - unsigned long long common_tp_fields; 65 - long syscall_nr; 66 - long dfd; 67 - char *filename_ptr; 68 - long flags; 69 - long mode; 70 - }; 71 - 72 - augmented_filename_syscall(openat); 73 - 74 - struct syscall_enter_open_args { 75 - unsigned long long common_tp_fields; 76 - long syscall_nr; 77 - char *filename_ptr; 78 - long flags; 79 - long mode; 80 - }; 81 - 82 - augmented_filename_syscall(open); 83 - 84 - struct syscall_enter_inotify_add_watch_args { 85 - unsigned long long common_tp_fields; 86 - long syscall_nr; 87 - long fd; 88 - char *filename_ptr; 89 - long mask; 90 - }; 91 - 92 - augmented_filename_syscall(inotify_add_watch); 93 - 94 - struct statbuf; 95 - 96 - struct syscall_enter_newstat_args { 97 - unsigned long long common_tp_fields; 98 - long syscall_nr; 99 - char *filename_ptr; 100 - struct stat *statbuf; 101 - }; 102 - 103 - augmented_filename_syscall(newstat); 104 - 105 - #ifndef _K_SS_MAXSIZE 106 - #define _K_SS_MAXSIZE 128 107 - #endif 108 - 109 - #define augmented_sockaddr_syscall(syscall) \ 110 - struct augmented_enter_##syscall##_args { \ 111 - struct syscall_enter_##syscall##_args args; \ 112 - struct sockaddr_storage addr; \ 113 - }; \ 114 - int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \ 115 - { \ 116 - struct augmented_enter_##syscall##_args augmented_args; \ 117 - unsigned long addrlen = sizeof(augmented_args.addr); \ 118 - probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \ 119 - /* FIXME_CLANG_OPTIMIZATION_THAT_ACCESSES_USER_CONTROLLED_ADDRLEN_DESPITE_THIS_CHECK */ \ 120 - /* if (addrlen > augmented_args.args.addrlen) */ \ 121 - /* addrlen = augmented_args.args.addrlen; */ \ 122 - /* */ \ 123 - probe_read(&augmented_args.addr, addrlen, args->addr_ptr); \ 124 - /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \ 125 - return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \ 126 - &augmented_args, \ 127 - sizeof(augmented_args) - sizeof(augmented_args.addr) + addrlen);\ 128 - } \ 129 - int syscall_exit(syscall)(struct syscall_exit_args *args) \ 130 - { \ 131 - return 1; /* 0 as soon as we start copying data returned by the kernel, e.g. 'read' */ \ 132 - } 133 - 134 - struct sockaddr; 135 - 136 - struct syscall_enter_bind_args { 137 - unsigned long long common_tp_fields; 138 - long syscall_nr; 139 - long fd; 140 - struct sockaddr *addr_ptr; 141 - unsigned long addrlen; 142 - }; 143 - 144 - augmented_sockaddr_syscall(bind); 145 - 146 - struct syscall_enter_connect_args { 147 - unsigned long long common_tp_fields; 148 - long syscall_nr; 149 - long fd; 150 - struct sockaddr *addr_ptr; 151 - unsigned long addrlen; 152 - }; 153 - 154 - augmented_sockaddr_syscall(connect); 155 - 156 - struct syscall_enter_sendto_args { 157 - unsigned long long common_tp_fields; 158 - long syscall_nr; 159 - long fd; 160 - void *buff; 161 - long len; 162 - unsigned long flags; 163 - struct sockaddr *addr_ptr; 164 - long addr_len; 165 - }; 166 - 167 - augmented_sockaddr_syscall(sendto); 168 - 169 - license(GPL);

-76

tools/perf/examples/bpf/etcsnoop.c

··· 1 - // SPDX-License-Identifier: GPL-2.0 2 - /* 3 - * Augment the filename syscalls with the contents of the filename pointer argument 4 - * filtering only those that do not start with /etc/. 5 - * 6 - * Test it with: 7 - * 8 - * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null 9 - * 10 - * It'll catch some openat syscalls related to the dynamic linked and 11 - * the last one should be the one for '/etc/passwd'. 12 - * 13 - * This matches what is marshalled into the raw_syscall:sys_enter payload 14 - * expected by the 'perf trace' beautifiers, and can be used by them unmodified, 15 - * which will be done as that feature is implemented in the next csets, for now 16 - * it will appear in a dump done by the default tracepoint handler in 'perf trace', 17 - * that uses bpf_output__fprintf() to just dump those contents, as done with 18 - * the bpf-output event associated with the __bpf_output__ map declared in 19 - * tools/perf/include/bpf/stdio.h. 20 - */ 21 - 22 - #include <stdio.h> 23 - 24 - /* bpf-output associated map */ 25 - bpf_map(__augmented_syscalls__, PERF_EVENT_ARRAY, int, u32, __NR_CPUS__); 26 - 27 - struct augmented_filename { 28 - int size; 29 - int reserved; 30 - char value[64]; 31 - }; 32 - 33 - #define augmented_filename_syscall_enter(syscall) \ 34 - struct augmented_enter_##syscall##_args { \ 35 - struct syscall_enter_##syscall##_args args; \ 36 - struct augmented_filename filename; \ 37 - }; \ 38 - int syscall_enter(syscall)(struct syscall_enter_##syscall##_args *args) \ 39 - { \ 40 - char etc[6] = "/etc/"; \ 41 - struct augmented_enter_##syscall##_args augmented_args = { .filename.reserved = 0, }; \ 42 - probe_read(&augmented_args.args, sizeof(augmented_args.args), args); \ 43 - augmented_args.filename.size = probe_read_str(&augmented_args.filename.value, \ 44 - sizeof(augmented_args.filename.value), \ 45 - args->filename_ptr); \ 46 - if (__builtin_memcmp(augmented_args.filename.value, etc, 4) != 0) \ 47 - return 0; \ 48 - /* If perf_event_output fails, return non-zero so that it gets recorded unaugmented */ \ 49 - return perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU, \ 50 - &augmented_args, \ 51 - (sizeof(augmented_args) - sizeof(augmented_args.filename.value) + \ 52 - augmented_args.filename.size)); \ 53 - } 54 - 55 - struct syscall_enter_openat_args { 56 - unsigned long long common_tp_fields; 57 - long syscall_nr; 58 - long dfd; 59 - char *filename_ptr; 60 - long flags; 61 - long mode; 62 - }; 63 - 64 - augmented_filename_syscall_enter(openat); 65 - 66 - struct syscall_enter_open_args { 67 - unsigned long long common_tp_fields; 68 - long syscall_nr; 69 - char *filename_ptr; 70 - long flags; 71 - long mode; 72 - }; 73 - 74 - augmented_filename_syscall_enter(open); 75 - 76 - license(GPL);