
Commit 587ee14

committed
add execve-counter examples
1 parent 4cae7e7 commit 587ee14


9 files changed

+892
-0
lines changed

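--- a/[go-makefile-path-not-shown-on-page]
+++ b/[go-makefile-path-not-shown-on-page]
@@ -0,0 +1,13 @@
+CLANG ?= clang-10
+CFLAGS ?= -O2 -g -Wall -Werror
+
+LIBEBPF_TOP = /home/tonybai/go/src/github.com/cilium/ebpf
+EXAMPLES_HEADERS = $(LIBEBPF_TOP)/examples/headers
+
+all: generate
+
+generate: export BPF_CLANG=$(CLANG)
+generate: export BPF_CFLAGS=$(CFLAGS)
+generate: export BPF_HEADERS=$(EXAMPLES_HEADERS)
+generate:
+go generate ./...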
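Review bot: `LIBEBPF_TOP = /home/tonybai/go/src/github.com/cilium/ebpf` on line 4 hard-codes one developer's home directory with a plain `=`, so `make generate` cannot find the cilium/ebpf headers on any other machine and the value cannot be overridden from the environment. Change it to `LIBEBPF_TOP ?= ...`, or resolve it from the module cache with `LIBEBPF_TOP ?= $(shell go list -m -f '{{.Dir}}' github.com/cilium/ebpf)`. The C example's Makefile has the same problem with `LIBBPF_TOP = /home/tonybai/test/ebpf/libbpf` on its line 7. The recipe line `go generate ./...` also shows no leading tab here, though that may be the page rendering rather than the file.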

ebpf-examples/execve-counter-go/bpf_bpfeb.go

Lines changed: 121 additions & 0 deletions

ebpf-examples/execve-counter-go/bpf_bpfel.go

Lines changed: 121 additions & 0 deletions
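--- a/[dir-not-shown-on-page]/execve_counter.bpf.c
+++ b/[dir-not-shown-on-page]/execve_counter.bpf.c
@@ -0,0 +1,27 @@
+
+#include "common.h"
+
+typedef __u64 u64;
+typedef char stringkey[64];
+
+struct {
+__uint(type, BPF_MAP_TYPE_HASH);
+__uint(max_entries, 128);
+stringkey* key;
+__type(value, u64);
+} execve_counter SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_execve")
+int bpf_prog(void *ctx) {
+stringkey key = "execve_counter";
+u64 *v = NULL;
+v = bpf_map_lookup_elem(&execve_counter, &key);
+if (v != NULL) {
+*v += 1;
+//bpf_map_update_elem(&execve_counter, &key, v, BPF_ANY);
+//bpf_printk("map value: %d\n", *v);
+}
+return 0;
+}
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";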
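Review bot: `*v += 1;` on line 20 is a non-atomic read-modify-write on a hash-map value shared by every CPU that hits the execve tracepoint, so concurrent execve calls can interleave and lose increments. Replace it with `__sync_fetch_and_add(v, 1);`, which clang lowers to a BPF atomic add. Style: `stringkey* key;` on line 10 works because `__type()` expands to a pointer anyway, but `__type(key, stringkey);` would match the `__type(value, u64);` line that follows and make the key declaration unambiguous. The two commented-out calls on lines 21-22 are dead code and could be dropped.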
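--- a/[go-main-path-not-shown-on-page]
+++ b/[go-main-path-not-shown-on-page]
@@ -0,0 +1,68 @@
+//go:build linux
+// +build linux
+
+package main
+
+import (
+"log"
+"os"
+"os/signal"
+"syscall"
+"time"
+
+"github.com/cilium/ebpf/link"
+"github.com/cilium/ebpf/rlimit"
+)
+
+// $BPF_CLANG, $BPF_CFLAGS and $BPF_HEADERS are set by the Makefile.
+//go:generate bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS -target bpfel,bpfeb bpf execve_counter.bpf.c -- -I $BPF_HEADERS
+func main() {
+stopper := make(chan os.Signal, 1)
+signal.Notify(stopper, os.Interrupt, syscall.SIGTERM)
+
+// Allow the current process to lock memory for eBPF resources.
+if err := rlimit.RemoveMemlock(); err != nil {
+log.Fatal(err)
+}
+
+// Load pre-compiled programs and maps into the kernel.
+objs := bpfObjects{}
+if err := loadBpfObjects(&objs, nil); err != nil {
+log.Fatalf("loading objects: %s", err)
+}
+defer objs.Close()
+
+// init the map element
+var key [64]byte
+copy(key[:], []byte("execve_counter"))
+var val int64 = 0
+if err := objs.bpfMaps.ExecveCounter.Put(key, val); err != nil {
+log.Fatalf("init map key error: %s", err)
+}
+
+// attach to xxx
+kp, err := link.Tracepoint("syscalls", "sys_enter_execve", objs.BpfProg, nil)
+if err != nil {
+log.Fatalf("opening tracepoint: %s", err)
+}
+defer kp.Close()
+
+ticker := time.NewTicker(5 * time.Second)
+defer ticker.Stop()
+
+for {
+select {
+case <-ticker.C:
+if err := objs.bpfMaps.ExecveCounter.Lookup(key, &val); err != nil {
+log.Fatalf("reading map error: %s", err)
+}
+log.Printf("execve_counter: %d\n", val)
+
+case <-stopper:
+// Wait for a signal and close the perf reader,
+// which will interrupt rd.Read() and make the program exit.
+log.Println("Received signal, exiting program..")
+return
+}
+}
+}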
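Review bot: The comment on lines 62-63 describes closing a perf reader and interrupting `rd.Read()`, neither of which exists in this program; it looks copied from another example and should read something like `// Stop on SIGINT/SIGTERM; the deferred Close calls detach the tracepoint and release the map.` The placeholder `// attach to xxx` on line 43 should name what is attached, e.g. `// Attach bpf_prog to the syscalls/sys_enter_execve tracepoint.` Also note that `log.Fatalf` in the ticker branch exits through os.Exit, so the deferred `kp.Close()` and `objs.Close()` never run; that is harmless here because the kernel releases unpinned links and maps when the process's descriptors close, but logging the error and returning would be the tidier shape.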
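--- a/[c-makefile-path-not-shown-on-page]
+++ b/[c-makefile-path-not-shown-on-page]
@@ -0,0 +1,32 @@
+CLANG ?= clang-10
+LLVM_STRIP ?= llvm-strip-10
+ARCH := $(shell uname -m | sed 's/x86_64/x86/' | sed 's/aarch64/arm64/' | sed 's/ppc64le/powerpc/' | sed 's/mips.*/mips/')
+BPFTOOL ?= /usr/local/sbin/bpftool
+ARCH := $(shell uname -m | sed 's/x86_64/x86/' | sed 's/aarch64/arm64/' | sed 's/ppc64le/powerpc/' | sed 's/mips.*/mips/')
+
+LIBBPF_TOP = /home/tonybai/test/ebpf/libbpf
+
+LIBBPF_UAPI_INCLUDES = -I $(LIBBPF_TOP)/include/uapi
+LIBBPF_INCLUDES = -I /usr/local/bpf/include
+LIBBPF_LIBS = -L /usr/local/bpf/lib64 -lbpf
+
+INCLUDES=$(LIBBPF_UAPI_INCLUDES) $(LIBBPF_INCLUDES)
+
+CLANG_BPF_SYS_INCLUDES = $(shell $(CLANG) -v -E - </dev/null 2>&1 | sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }')
+
+
+all: build
+
+build: execve_counter
+
+execve_counter.bpf.o: execve_counter.bpf.c
+$(CLANG) -g -O2 -target bpf -D__TARGET_ARCH_$(ARCH) $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) -c execve_counter.bpf.c
+
+execve_counter.skel.h: execve_counter.bpf.o
+$(BPFTOOL) gen skeleton execve_counter.bpf.o > execve_counter.skel.h
+
+execve_counter: execve_counter.skel.h execve_counter.c
+$(CLANG) -g -O2 -D__TARGET_ARCH_$(ARCH) $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) -o execve_counter execve_counter.c $(LIBBPF_LIBS) -lbpf -lelf -lz
+
+clean:
+rm -fr execve_counter.bpf.o execve_counter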
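Review bot: `ARCH` is assigned the identical `$(shell uname -m | sed ...)` expression twice, on lines 3 and 5; one of them should go. `LLVM_STRIP` on line 2 is defined but no recipe uses it, and `-lbpf` is passed twice to the final link on line 29, once inside `$(LIBBPF_LIBS)` and once explicitly. The `clean` target on line 32 does not remove the generated `execve_counter.skel.h`, so a stale skeleton survives `make clean`; `rm -fr execve_counter.bpf.o execve_counter.skel.h execve_counter` fixes that.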
