初步完成新版迁移

SeeFlowerX · Jan 1, 2024 · 625ebae · 625ebae
1 parent 87c9a16
commit 625ebae
Show file tree

Hide file tree

Showing 33 changed files with 2,138 additions and 2,847 deletions.
diff --git a/cli/cmd/root.go b/cli/cmd/root.go
@@ -281,7 +281,6 @@ func persistentPreRunEFunc(command *cobra.Command, args []string) error {
     mconfig.DumpHex = gconfig.DumpHex
     mconfig.ShowTime = gconfig.ShowTime
     mconfig.ShowUid = gconfig.ShowUid
-    mconfig.Next = gconfig.Next
 
     // 1. hook uprobe
     mconfig.InitStackUprobeConfig()
@@ -393,9 +392,15 @@ func runFunc(command *cobra.Command, args []string) {
 
     var modNames []string
     if mconfig.BrkAddr != 0 {
-        modNames = []string{module.MODULE_NAME_BRK}
+        modNames = append(modNames, module.MODULE_NAME_BRK)
+    } else if gconfig.SysCall != "" {
+        modNames = append(modNames, module.MODULE_NAME_PERF)
+        modNames = append(modNames, module.MODULE_NAME_SYSCALL)
+    } else if len(gconfig.HookPoint) > 0 {
+        modNames = append(modNames, module.MODULE_NAME_PERF)
+        modNames = append(modNames, module.MODULE_NAME_STACK)
     } else {
-        modNames = []string{module.MODULE_NAME_PERF, module.MODULE_NAME_STACK}
+        Logger.Fatal("hook nothing, plz set -w/--point or -s/--syscall or --brk")
     }
     for _, modName := range modNames {
         // 现在合并成只有一个模块了 所以直接通过名字获取
@@ -618,6 +623,4 @@ func init() {
     // syscall hook
     rootCmd.PersistentFlags().StringVarP(&gconfig.SysCall, "syscall", "s", "", "filter syscalls")
     rootCmd.PersistentFlags().StringVar(&gconfig.NoSysCall, "no-syscall", "", "syscall black list, max 20")
-    // 新的数据读取方案
-    rootCmd.PersistentFlags().BoolVar(&gconfig.Next, "next", false, "next version")
 }
diff --git a/src/common/buffer.h b/src/common/buffer.h
@@ -216,32 +216,7 @@ static __always_inline str_buf_t *make_str_buf() {
     return bpf_map_lookup_elem(&str_buf_map, &id);
 }
 
-static __always_inline u32 strcmp_by_map(arg_filter_t *filter_config, buf_t *string_p) {
-    u32 str_len = 256;
-    if (str_len > filter_config->oldstr_len) {
-        str_len = filter_config->oldstr_len;
-    }
-    str_buf_t* str_value = make_str_buf();
-    if (str_value == NULL) {
-        return 0;
-    }
-    if (str_len > 0) {
-        // 必须重置
-        __builtin_memset(str_value->str_val, 0, sizeof(str_value->str_val));
-        bpf_probe_read(str_value->str_val, str_len, string_p->buf);
-    }
-    // map的key最好是一个不变的内容 否则会引起一些奇怪的冲突
-    bpf_map_update_elem(&str_buf, &filter_config->oldstr_val, &str_len, BPF_ANY);
-    u32* str_len_value = bpf_map_lookup_elem(&str_buf, str_value);
-
-    if (str_len_value == NULL) {
-        return 0;
-    }
-    bpf_map_delete_elem(&str_buf, str_value);
-    return 1;
-}
-
-static __always_inline u32 next_strcmp_by_map(op_ctx_t* op_ctx, next_arg_filter_t *filter) {
+static __always_inline u32 strcmp_by_map(op_ctx_t* op_ctx, arg_filter_t *filter) {
     str_buf_t* str_value = make_str_buf();
     if (unlikely(str_value == NULL)) return 0;
     __builtin_memset(str_value->str_val, 0, sizeof(str_value->str_val));

diff --git a/src/maps.h b/src/maps.h
@@ -39,16 +39,14 @@ BPF_HASH(common_filter, u32, common_filter_t, 1);
 BPF_HASH(common_list, u32, u32, 1024);
 
 BPF_HASH(thread_filter, thread_name_t, u32, 40);
-BPF_HASH(arg_filter, u32, arg_filter_t, 40);
-BPF_HASH(next_arg_filter, u64, next_arg_filter_t, 40);
+BPF_HASH(arg_filter, u64, arg_filter_t, 40);
 BPF_HASH(str_buf, str_buf_t, u32, 256);
 BPF_ARRAY(str_buf_gen, str_buf_t, 1);
-BPF_LRU_HASH(str_buf_map, u64, str_buf_t, 1024);
-BPF_ARRAY(match_ctx_gen, match_ctx_t, 1);
-BPF_LRU_HASH(match_ctx_map, u64, match_ctx_t, 1024);
+BPF_LRU_HASH(str_buf_map, u64, str_buf_t, 256);
 BPF_PERCPU_ARRAY(event_data_map, event_data_t, 1);
 BPF_PERCPU_ARRAY(op_ctx_map, op_ctx_t, 2);
 BPF_HASH(op_list, u32, op_config_t, 256);
+BPF_HASH(uprobe_point_args, u32, point_args_t, 6);
 BPF_HASH(sysenter_point_args, u32, point_args_t, 512);
 BPF_HASH(sysexit_point_args, u32, point_args_t, 512);
 BPF_ARRAY(base_config, config_entry_t, 1);

diff --git a/src/stack.c b/src/stack.c
@@ -7,19 +7,6 @@
 
 #include "utils.h"
 
-typedef struct uprobe_point_args_t {
-    u32 count;
-    point_arg point_args[MAX_POINT_ARG_COUNT];
-} uprobe_point_args;
-
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __type(key, u32);
-    __type(value, struct uprobe_point_args_t);
-    __uint(max_entries, 512);
-} uprobe_point_args_map SEC(".maps");
-
-
 SEC("raw_tracepoint/sched_process_fork")
 int tracepoint__sched__sched_process_fork(struct bpf_raw_tracepoint_args *ctx)
 {
@@ -37,39 +24,31 @@ int tracepoint__sched__sched_process_fork(struct bpf_raw_tracepoint_args *ctx)
     u32 child_ns_tgid = get_task_ns_tgid(child);
 
     u32* pid = bpf_map_lookup_elem(&child_parent_map, &parent_ns_pid);
-    if (pid == NULL) {
-        return 0;
-    }
+    if (unlikely(pid == NULL)) return 0;
+
     if (*pid == parent_ns_pid){
         ret = bpf_map_update_elem(&child_parent_map, &child_ns_pid, &parent_ns_pid, BPF_ANY);
     } else {
         bpf_printk("[stack] parent pid from map:%d\n", *pid);
     }
-
     return 0;
 }
 
-static __always_inline u32 probe_stack_warp(struct pt_regs* ctx, u32 args_key) {
-
+static __always_inline u32 probe_stack_warp(struct pt_regs* ctx, u32 point_key) {
     program_data_t p = {};
     if (!init_program_data(&p, ctx))
         return 0;
 
     if (!should_trace(&p))
         return 0;
-
-    struct uprobe_point_args_t* uprobe_point_args = bpf_map_lookup_elem(&uprobe_point_args_map, &args_key);
-    if (uprobe_point_args == NULL) {
-        return 0;
-    }
+    point_args_t* point_args = bpf_map_lookup_elem(&uprobe_point_args, &point_key);
+    if (unlikely(point_args == NULL)) return 0;
 
     u32 filter_key = 0;
     common_filter_t* filter = bpf_map_lookup_elem(&common_filter, &filter_key);
-    if (filter == NULL) {
-        return 0;
-    }
+    if (unlikely(filter == NULL)) return 0;
 
-    save_to_submit_buf(p.event, (void *) &args_key, sizeof(u32), 0);
+    save_to_submit_buf(p.event, (void *) &filter_key, sizeof(u32), 0);
     u64 lr = 0;
     if(filter->is_32bit) {
         bpf_probe_read_kernel(&lr, sizeof(lr), &ctx->regs[14]);
@@ -79,44 +58,29 @@ static __always_inline u32 probe_stack_warp(struct pt_regs* ctx, u32 args_key) {
         bpf_probe_read_kernel(&lr, sizeof(lr), &ctx->regs[30]);
         save_to_submit_buf(p.event, (void *) &lr, sizeof(u64), 1);
     }
-    u64 pc = 0;
     u64 sp = 0;
-    bpf_probe_read_kernel(&pc, sizeof(pc), &ctx->pc);
     bpf_probe_read_kernel(&sp, sizeof(sp), &ctx->sp);
-    save_to_submit_buf(p.event, (void *) &pc, sizeof(u64), 2);
-    save_to_submit_buf(p.event, (void *) &sp, sizeof(u64), 3);
+    save_to_submit_buf(p.event, (void *) &sp, sizeof(u64), 2);
+    u64 pc = 0;
+    bpf_probe_read_kernel(&pc, sizeof(pc), &ctx->pc);
+    save_to_submit_buf(p.event, (void *) &pc, sizeof(u64), 3);
 
-    u32 point_arg_count = MAX_POINT_ARG_COUNT;
-    if (uprobe_point_args->count <= point_arg_count) {
-        point_arg_count = uprobe_point_args->count;
-    }
+    int ctx_index = 0;
+    op_ctx_t* op_ctx = bpf_map_lookup_elem(&op_ctx_map, &ctx_index);
+    if (unlikely(op_ctx == NULL)) return 0;
+    __builtin_memset((void *)op_ctx, 0, sizeof(op_ctx));
+
+    op_ctx->reg_0 = READ_KERN(ctx->regs[0]);
+    op_ctx->save_index = 4;
+    op_ctx->op_key_index = 0;
+
+    read_args(p, point_args, op_ctx, ctx);
 
-    u32 next_arg_index = 4;
-    u64 reg_0 = READ_KERN(ctx->regs[0]);
-    for (int i = 0; i < point_arg_count; i++) {
-        struct point_arg_t* point_arg = (struct point_arg_t*) &uprobe_point_args->point_args[i];
-        if (point_arg->read_index == REG_ARM64_MAX) {
-            continue;
-        }
-        u64 arg_ptr = get_arg_ptr(ctx, point_arg, i, reg_0);
-
-        // 先保存参数值本身
-        save_to_submit_buf(p.event, (void *)&arg_ptr, sizeof(u64), (u8)next_arg_index);
-        next_arg_index += 1;
-
-        if (point_arg->point_flag != UPROBE_ENTER_READ) {
-            continue;
-        }
-        if (arg_ptr == 0) {
-            continue;
-        }
-        u32 read_count = get_read_count(ctx, point_arg);
-        next_arg_index = read_arg(p, point_arg, arg_ptr, read_count, next_arg_index);
-        if (point_arg->tmp_index == FILTER_INDEX_SKIP) {
-            point_arg->tmp_index = 0;
-            return 0;
-        }
+    if (op_ctx->skip_flag) {
+        op_ctx->skip_flag = 0;
+        return 0;
     }
+
     events_perf_submit(&p, UPROBE_ENTER);
     if (filter->signal > 0) {
         bpf_send_signal(filter->signal);
@@ -126,16 +90,16 @@ static __always_inline u32 probe_stack_warp(struct pt_regs* ctx, u32 args_key) {
 
 SEC("uprobe/stack_0")
 int probe_stack_0(struct pt_regs* ctx) {
-    u32 args_key = 0;
-    return probe_stack_warp(ctx, args_key);
+    u32 point_key = 0;
+    return probe_stack_warp(ctx, point_key);
 }
 
 #define PROBE_STACK(name)                          \
     SEC("uprobe/stack_##name")                     \
     int probe_stack_##name(struct pt_regs* ctx)    \
     {                                              \
-        u32 args_key = name;                       \
-        return probe_stack_warp(ctx, args_key);    \
+        u32 point_key = name;                       \
+        return probe_stack_warp(ctx, point_key);    \
     }
 
 // PROBE_STACK(0);