daemon: add doc and fix map type defs (#55)

* add doc and install * group defs together --------- Co-authored-by: Littlefisher619 <[email protected]>
eunomia-bpf · Oct 24, 2023 · 6f2b542 · 6f2b542
1 parent e5b1081
commit 6f2b542
Show file tree

Hide file tree

Showing 16 changed files with 294 additions and 166 deletions.
diff --git a/daemon/CMakeLists.txt b/daemon/CMakeLists.txt
@@ -43,4 +43,6 @@ set_property(TARGET libbpftime_daemon PROPERTY CXX_STANDARD 20)
 add_dependencies(bpftime_daemon libbpftime_daemon)
 target_link_libraries(bpftime_daemon PRIVATE libbpftime_daemon)
 
+install(TARGETS bpftime_daemon CONFIGURATIONS Release Debug DESTINATION ~/.bpftime)
+
 add_subdirectory(test)
diff --git a/daemon/README.md b/daemon/README.md
@@ -2,3 +2,44 @@
 
 The bpftime daemon is a tool to trace and replay eBPF related events.
 It's similar to our syscall server but run together with kernel eBPF.
+
+## Run daemon
+
+```console
+$ sudo SPDLOG_LEVEL=Debug build/daemon/bpftime_daemon
+[2023-10-24 11:07:13.143] [info] Global shm constructed. shm_open_type 0 for bpftime_maps_shm
+```
+
+## Run malloc example
+
+```console
+$ sudo example/malloc/malloc
+libbpf: loading object 'malloc_bpf' from buffer
+11:08:11 
+11:08:12 
+11:08:13 
+```
+
+Unlike the kernel malloc without bpftime_daemon, this malloc will not print any message. This is because we modify the load and attach process of bpf and perf event with eBPF in the kernel.
+
+## Trace malloc calls in target
+
+```console
+$ sudo SPDLOG_LEVEL=Debug ~/.bpftime/bpftime start example/malloc/victim
+malloc called from pid 12314
+continue malloc...
+malloc called from pid 12314
+continue malloc...
+malloc called from pid 12314
+continue malloc...
+malloc called from pid 12314
+continue malloc...
+malloc called from pid 12314
+```
+
+## Debug: use bpftimetool for dump states
+
+The dump result example is in [daemon/test/malloc.json](test/malloc.json).
+
+See [tools/bpftimetool/README.md](../tools/bpftimetool/README.md) for how to load and replay it in the kernel.
+
diff --git a/daemon/test/malloc.json b/daemon/test/malloc.json
@@ -0,0 +1,59 @@
+{
+    "0": {
+        "attr": {
+            "btf_id": 3,
+            "btf_key_type_id": 8,
+            "btf_value_type_id": 12,
+            "btf_vmlinux_value_type_id": 0,
+            "flags": 0,
+            "ifindex": 0,
+            "key_size": 4,
+            "map_extra": 0,
+            "map_type": 1,
+            "max_entries": 1024,
+            "value_size": 8
+        },
+        "name": "libc_malloc_cal",
+        "type": "bpf_map_handler"
+    },
+    "1": {
+        "attr": {
+            "btf_id": 3,
+            "btf_key_type_id": 0,
+            "btf_value_type_id": 0,
+            "btf_vmlinux_value_type_id": 0,
+            "flags": 128,
+            "ifindex": 0,
+            "key_size": 4,
+            "map_extra": 0,
+            "map_type": 2,
+            "max_entries": 1,
+            "value_size": 27
+        },
+        "name": ".rodata.str1.1",
+        "type": "bpf_map_handler"
+    },
+    "2": {
+        "attr": {
+            "attach_fds": [
+                3
+            ],
+            "cnt": 55,
+            "insns": "850000000e0000007700000020000000630af4ff00000000b7010000640a00006b1af0ff00000000180100006f6d207000000000696420257b1ae8ff0000000018010000616c6c6500000000642066727b1ae0ff00000000180100006d616c6c000000006f6320637b1ad8ff00000000b706000000000000736af2ff00000000bfa100000000000007010000d8ffffffb70200001b000000bf0300000000000085000000060000007b6ad8ff00000000bfa200000000000007020000f4ffffff18110000040000000000000000000000850000000100000055000e0000000000bfa600000000000007060000f4ffffffbfa300000000000007030000d8ffffff18110000040000000000000000000000bf62000000000000b704000001000000850000000200000018110000040000000000000000000000bf62000000000000850000000100000015000b0000000000790100000000000007010000010000007b1af8ff00000000bfa200000000000007020000f4ffffffbfa300000000000007030000f8ffffff18110000040000000000000000000000b7040000020000008500000002000000b7000000000000009500000000000000",
+            "type": 2029950032
+        },
+        "name": "do_count",
+        "type": "bpf_prog_handler"
+    },
+    "3": {
+        "attr": {
+            "_module_name": "/lib/x86_64-linux-gnu/libc.so.6",
+            "offset": 653600,
+            "pid": -1,
+            "ref_ctr_off": 0,
+            "tracepoint_id": -1,
+            "type": 6
+        },
+        "type": "bpf_perf_event_handler"
+    }
+}
diff --git a/daemon/user/handle_bpf_event.cpp b/daemon/user/handle_bpf_event.cpp
@@ -174,10 +174,10 @@ static const char *const bpf_map_type_strings[] = {
 #define BPF_MAP_TYPE_MAX                                                       \
 	(sizeof(bpf_map_type_strings) / sizeof(bpf_map_type_strings[0]))
 
-static const char *get_bpf_map_type_string(enum bpf_map_type type)
+static const char *get_bpf_map_type_string(bpftime::bpf_map_type type)
 {
-	if (type >= 0 && type < BPF_MAP_TYPE_MAX) {
-		return bpf_map_type_strings[type];
+	if ((int)type >= 0 && (int)type < BPF_MAP_TYPE_MAX) {
+		return bpf_map_type_strings[(int)type];
 	}
 	return "Unknown";
 }

diff --git a/runtime/include/bpftime_shm.hpp b/runtime/include/bpftime_shm.hpp
@@ -27,6 +27,68 @@ struct bpf_map_attr {
 	uint32_t btf_key_type_id = 0;
 	uint32_t btf_value_type_id = 0;
 	uint64_t map_extra = 0;
+
+	// additional fields for bpftime only
+	uint32_t kernel_bpf_map_id = 0;
+};
+
+enum class bpf_event_type {
+	PERF_TYPE_HARDWARE = 0,
+	PERF_TYPE_SOFTWARE = 1,
+	PERF_TYPE_TRACEPOINT = 2,
+	PERF_TYPE_HW_CACHE = 3,
+	PERF_TYPE_RAW = 4,
+	PERF_TYPE_BREAKPOINT = 5,
+
+	// custom types
+	BPF_TYPE_UPROBE = 6,
+	BPF_TYPE_URETPROBE = 7,
+	BPF_TYPE_FILTER = 8,
+	BPF_TYPE_REPLACE = 9,
+};
+
+enum class bpf_map_type {
+	BPF_MAP_TYPE_UNSPEC,
+	BPF_MAP_TYPE_HASH,
+	BPF_MAP_TYPE_ARRAY,
+	BPF_MAP_TYPE_PROG_ARRAY,
+	BPF_MAP_TYPE_PERF_EVENT_ARRAY,
+	BPF_MAP_TYPE_PERCPU_HASH,
+	BPF_MAP_TYPE_PERCPU_ARRAY,
+	BPF_MAP_TYPE_STACK_TRACE,
+	BPF_MAP_TYPE_CGROUP_ARRAY,
+	BPF_MAP_TYPE_LRU_HASH,
+	BPF_MAP_TYPE_LRU_PERCPU_HASH,
+	BPF_MAP_TYPE_LPM_TRIE,
+	BPF_MAP_TYPE_ARRAY_OF_MAPS,
+	BPF_MAP_TYPE_HASH_OF_MAPS,
+	BPF_MAP_TYPE_DEVMAP,
+	BPF_MAP_TYPE_SOCKMAP,
+	BPF_MAP_TYPE_CPUMAP,
+	BPF_MAP_TYPE_XSKMAP,
+	BPF_MAP_TYPE_SOCKHASH,
+	BPF_MAP_TYPE_CGROUP_STORAGE_DEPRECATED,
+	/* BPF_MAP_TYPE_CGROUP_STORAGE is available to bpf programs
+	 * attaching to a cgroup. The newer BPF_MAP_TYPE_CGRP_STORAGE is
+	 * available to both cgroup-attached and other progs and
+	 * supports all functionality provided by
+	 * BPF_MAP_TYPE_CGROUP_STORAGE. So mark
+	 * BPF_MAP_TYPE_CGROUP_STORAGE deprecated.
+	 */
+	BPF_MAP_TYPE_CGROUP_STORAGE = BPF_MAP_TYPE_CGROUP_STORAGE_DEPRECATED,
+	BPF_MAP_TYPE_REUSEPORT_SOCKARRAY,
+	BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE,
+	BPF_MAP_TYPE_QUEUE,
+	BPF_MAP_TYPE_STACK,
+	BPF_MAP_TYPE_SK_STORAGE,
+	BPF_MAP_TYPE_DEVMAP_HASH,
+	BPF_MAP_TYPE_STRUCT_OPS,
+	BPF_MAP_TYPE_RINGBUF,
+	BPF_MAP_TYPE_INODE_STORAGE,
+	BPF_MAP_TYPE_TASK_STORAGE,
+	BPF_MAP_TYPE_BLOOM_FILTER,
+	BPF_MAP_TYPE_USER_RINGBUF,
+	BPF_MAP_TYPE_CGRP_STORAGE,
 };
 
 enum class shm_open_type {
@@ -36,6 +98,42 @@ enum class shm_open_type {
 	SHM_CREATE_OR_OPEN,
 };
 
+enum class bpf_prog_type {
+	BPF_PROG_TYPE_UNSPEC,
+	BPF_PROG_TYPE_SOCKET_FILTER,
+	BPF_PROG_TYPE_KPROBE,
+	BPF_PROG_TYPE_SCHED_CLS,
+	BPF_PROG_TYPE_SCHED_ACT,
+	BPF_PROG_TYPE_TRACEPOINT,
+	BPF_PROG_TYPE_XDP,
+	BPF_PROG_TYPE_PERF_EVENT,
+	BPF_PROG_TYPE_CGROUP_SKB,
+	BPF_PROG_TYPE_CGROUP_SOCK,
+	BPF_PROG_TYPE_LWT_IN,
+	BPF_PROG_TYPE_LWT_OUT,
+	BPF_PROG_TYPE_LWT_XMIT,
+	BPF_PROG_TYPE_SOCK_OPS,
+	BPF_PROG_TYPE_SK_SKB,
+	BPF_PROG_TYPE_CGROUP_DEVICE,
+	BPF_PROG_TYPE_SK_MSG,
+	BPF_PROG_TYPE_RAW_TRACEPOINT,
+	BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
+	BPF_PROG_TYPE_LWT_SEG6LOCAL,
+	BPF_PROG_TYPE_LIRC_MODE2,
+	BPF_PROG_TYPE_SK_REUSEPORT,
+	BPF_PROG_TYPE_FLOW_DISSECTOR,
+	BPF_PROG_TYPE_CGROUP_SYSCTL,
+	BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE,
+	BPF_PROG_TYPE_CGROUP_SOCKOPT,
+	BPF_PROG_TYPE_TRACING,
+	BPF_PROG_TYPE_STRUCT_OPS,
+	BPF_PROG_TYPE_EXT,
+	BPF_PROG_TYPE_LSM,
+	BPF_PROG_TYPE_SK_LOOKUP,
+	BPF_PROG_TYPE_SYSCALL, /* a program that can execute syscalls */
+	BPF_PROG_TYPE_NETFILTER,
+};
+
 extern const shm_open_type global_shm_open_type;
 
 bpftime::agent_config &bpftime_get_agent_config();
@@ -81,7 +179,7 @@ int bpftime_maps_create(int fd, const char *name, bpftime::bpf_map_attr attr);
 
 // get the bpf map info from the global shared memory
 int bpftime_map_get_info(int fd, bpftime::bpf_map_attr *out_attr,
-			 const char **out_name, int *type);
+			 const char **out_name, bpftime::bpf_map_type *type);
 
 // get the map value size from the global shared memory by fd
 uint32_t bpftime_map_value_size_from_syscall(int fd);

diff --git a/runtime/src/attach/bpf_attach_ctx.cpp b/runtime/src/attach/bpf_attach_ctx.cpp
@@ -73,7 +73,7 @@ bool bpf_attach_ctx::check_exist_syscall_trace_program(
 					std::get<bpf_perf_event_handler>(
 						handler);
 				if (perf_event_handler.type ==
-				    bpf_perf_event_handler::bpf_event_type::
+				    bpf_event_type::
 					    PERF_TYPE_TRACEPOINT) {
 					const auto &tp_table =
 						get_global_syscall_tracepoint_table();
@@ -230,13 +230,13 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 				std::get<bpf_perf_event_handler>(handler);
 			void *func_addr = nullptr;
 			switch (event_handler.type) {
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_FILTER:
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_REPLACE:
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_UPROBE:
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_URETPROBE:
 				func_addr =
 					attach_manager
@@ -251,7 +251,7 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 			}
 			// attach base on events
 			switch (event_handler.type) {
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_FILTER: {
 				auto progs = handler_prog_fds[i];
 				if (progs.size() > 1) {
@@ -277,7 +277,7 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 						i, err);
 				break;
 			}
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_REPLACE: {
 				auto progs = handler_prog_fds[i];
 				if (progs.size() > 1) {
@@ -303,7 +303,7 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 						i, err);
 				break;
 			}
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_UPROBE: {
 				spdlog::debug(
 					"Creating uprobe for perf event fd {}",
@@ -328,7 +328,7 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 						i, err);
 				break;
 			}
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				BPF_TYPE_URETPROBE: {
 				spdlog::debug(
 					"Creating uretprobe for perf event fd {}",
@@ -353,7 +353,7 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 						i, err);
 				break;
 			}
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				PERF_TYPE_TRACEPOINT: {
 				err = create_tracepoint(
 					event_handler.tracepoint_id, i,
@@ -366,7 +366,7 @@ int bpf_attach_ctx::init_attach_ctx_from_handlers(
 				assert(err >= 0);
 				break;
 			}
-			case bpf_perf_event_handler::bpf_event_type::
+			case bpf_event_type::
 				PERF_TYPE_SOFTWARE: {
 				spdlog::debug(
 					"Attaching software perf event, nothing need to do");