

static

+124 -9
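--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+.git
+_build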
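--- a/Dockerfile
+++ b/Dockerfile
@@ -0,0 +1,23 @@
+FROM ocaml/opam:alpine-ocaml-5.3 as build
+
+RUN sudo apk add --no-cache \
+build-base \
+git \
+pkgconf \
+clang \
+libffi-dev \
+libbpf-dev \
+musl-dev
+
+WORKDIR /src
+
+COPY opentrace.opam /src
+RUN opam install . --deps-only
+
+COPY . /src
+RUN git apply static.patch
+RUN opam exec -- dune build --profile=release
+
+FROM alpine
+COPY --from=build /src/_build/default/install/opentrace /opentrace
+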
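Review bot: Both stages pull their base image by a mutable reference: `FROM ocaml/opam:alpine-ocaml-5.3 as build` is a floating tag and `FROM alpine` carries no tag at all, so it resolves to `latest` and the shipped image can change between builds without any change in this repository. Pin each stage to a release and digest, for example `FROM alpine:<version>@sha256:<digest>` (placeholders; take the values from a registry you trust). The same concern applies to the `pin-depends` entries added in opentrace.opam, which follow the `#alpine` branch of ocaml-libbpf rather than a commit hash, so the libbpf bindings linked into the static binary can also change silently.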
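--- a/dune
+++ b/dune
@@ -1,5 +1,7 @@
 (executable
 (name opentrace)
+(public_name opentrace)
+(flags (:standard -cclib -static -cclib -no-pie))
 (libraries unix libbpf libbpf_maps))
 
 (rule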
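Review bot: The added `(flags (:standard -cclib -static -cclib -no-pie))` applies to every build of the executable, not only the Docker release build, and `-no-pie` yields a fixed-address binary, so the executable image gets no ASLR. For a tracer that presumably runs with elevated privileges in order to load BPF programs, that gives up an exploit mitigation. If the toolchain in the build image supports it, a static PIE link (`-cclib -static-pie`) would keep the single-file deployment; otherwise add a comment such as `; -no-pie: needed for the static musl link, see Dockerfile` stating why PIE is disabled. Consider restricting the flags to the release profile so development builds are unaffected.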
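--- a/opentrace.bpf.c
+++ b/opentrace.bpf.c
@@ -12,10 +12,15 @@
 
 #define FILE_NAME_LEN 1024
 
+#define OPEN_KIND 0
+#define OPENAT_KIND 1
+#define OPENAT2_KIND 2
+
 // An open event
 struct open_event
 {
 uint32_t e_pid;
+int e_kind;
 int e_flags;
 uint32_t e_mode;
 char e_filename[FILE_NAME_LEN];
@@ -38,7 +43,8 @@
 return false;
 
 // Fill the open event
-oet->e_pid = bpf_get_current_pid_tgid();
+oet->e_pid = id;
+oet->e_kind = OPENAT_KIND;
 oet->e_flags = (int)ctx->args[2];
 oet->e_mode = (__u32)ctx->args[3];
 bpf_probe_read(oet->e_filename, sizeof(filename), (char *) ctx->args[1]);
@@ -47,3 +53,60 @@
 return 0;
 }
 
+SEC("tracepoint/syscalls/sys_enter_openat2")
+int tracepoint__syscalls__sys_enter_openat2(struct trace_event_raw_sys_enter* ctx)
+{
+u64 id = bpf_get_current_pid_tgid();
+u32 pid = id >> 32;
+
+char filename[FILE_NAME_LEN];
+struct open_event *oet;
+
+oet = bpf_ringbuf_reserve(&rb, sizeof(struct open_event), 0);
+if (!oet)
+return 0;
+
+if (pid_target && pid_target != pid)
+return false;
+
+struct open_how how = {};
+bpf_probe_read_user(&how, sizeof(how), (void *)ctx->args[2]);
+oet->e_flags = (int)how.flags;
+oet->e_mode = (__u32)how.mode;
+oet->e_kind = OPENAT2_KIND;
+// Fill the open event
+oet->e_pid = id;
+
+bpf_probe_read(oet->e_filename, sizeof(filename), (char *) ctx->args[1]);
+
+bpf_ringbuf_submit(oet, 0);
+return 0;
+}
+
+SEC("tracepoint/syscalls/sys_enter_open")
+int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx)
+{
+u64 id = bpf_get_current_pid_tgid();
+u32 pid = id >> 32;
+
+char filename[FILE_NAME_LEN];
+struct open_event *oet;
+
+oet = bpf_ringbuf_reserve(&rb, sizeof(struct open_event), 0);
+if (!oet)
+return 0;
+
+if (pid_target && pid_target != pid)
+return false;
+
+oet->e_flags = (int)ctx->args[2];
+oet->e_mode = (__u32)ctx->args[3];
+oet->e_kind = OPEN_KIND;
+// Fill the open event
+oet->e_pid = id;
+
+bpf_probe_read(oet->e_filename, sizeof(filename), (char *) ctx->args[1]);
+
+bpf_ringbuf_submit(oet, 0);
+return 0;
+}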
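Review bot: The new `sys_enter_open` handler reuses the openat argument positions, but open(2) has no dirfd argument, so at new lines 102-108 the pathname is `ctx->args[0]`, the flags are `ctx->args[1]` and the mode is `ctx->args[2]`; as written it dereferences the flags value as a user pointer and reports the mode as flags. Both new handlers also reserve the ring-buffer record before the `pid_target` check and then `return false` without calling `bpf_ringbuf_discard`, so the filtered path never releases the reservation; filtering first avoids that. The filename copy uses `bpf_probe_read` with a fixed 1024-byte length on a user pointer and ignores the result, so the read can fail when the path lies near the end of a mapping and the event would then be emitted without a usable name. The sketch below shows the open handler using `bpf_probe_read_user_str`; the openat2 handler needs the same reordering and string read.

```c
SEC("tracepoint/syscalls/sys_enter_open")
int tracepoint__syscalls__sys_enter_open(struct trace_event_raw_sys_enter* ctx)
{
    /* … unchanged: id / pid from bpf_get_current_pid_tgid(), oet declaration … */

    /* Filter before reserving so no record is left unreleased. */
    if (pid_target && pid_target != pid)
        return 0;

    oet = bpf_ringbuf_reserve(&rb, sizeof(struct open_event), 0);
    if (!oet)
        return 0;

    /* open(2): args[0] = pathname, args[1] = flags, args[2] = mode */
    oet->e_flags = (int)ctx->args[1];
    oet->e_mode = (__u32)ctx->args[2];
    /* … unchanged: e_kind and e_pid assignments … */

    /* Bounded, NUL-terminated copy; emit an empty name if the read fails. */
    if (bpf_probe_read_user_str(oet->e_filename, sizeof(oet->e_filename),
                                (const char *)ctx->args[0]) < 0)
        oet->e_filename[0] = '\0';

    /* … unchanged: bpf_ringbuf_submit and return … */
}
```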
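--- a/opentrace.ml
+++ b/opentrace.ml
@@ -2,18 +2,37 @@
 open Libbpf_maps
 
 let obj_path = "opentrace.bpf.o"
-let program_names = [ "tracepoint__syscalls__sys_enter_openat" ]
+
+let program_names =
+[
+"tracepoint__syscalls__sys_enter_openat";
+"tracepoint__syscalls__sys_enter_openat2";
+"tracepoint__syscalls__sys_enter_open";
+]
 
 module Open_event = struct
 open Ctypes
 
 type t
+type kind = Open_ | Openat | Openat2
+
+let kind_to_string = function
+| Open_ -> "open"
+| Openat -> "openat"
+| Openat2 -> "openat2"
+
+let kind_of_int = function
+| 0 -> Open_
+| 1 -> Openat
+| 2 -> Openat2
+| n -> failwith ("Invalid kind of open syscall: " ^ string_of_int n)
 
 let t : t structure typ = Ctypes.structure "event"
 let ( -: ) ty label = Ctypes.field t label ty
-let pid = int -: "e_pid"
+let pid = uint32_t -: "e_pid"
+let kind = int -: "e_kind"
 let flags = int -: "e_flags"
-let mode = int -: "e_mode"
+let mode = uint32_t -: "e_mode"
 let filename = array 256 char -: "e_filename"
 let () = seal t
 
@@ -28,10 +47,11 @@
 Buffer.contents b
 with Exit -> Buffer.contents b
 
-let get_pid s = getf s pid
+let get_pid s = getf s pid |> Unsigned.UInt32.to_int
 let get_flags s = getf s flags
-let get_mode s = getf s mode
+let get_mode s = getf s mode |> Unsigned.UInt32.to_int
 let get_fname s = getf s filename |> char_array_as_string
+let get_kind s = getf s kind |> kind_of_int
 end
 
 let () =
@@ -43,13 +63,14 @@
 Sys.(set_signal sigterm sig_handler);
 
 (* Print header *)
-Format.printf "pid,flags,mode,filename\n";
+Format.printf "pid,kind,flags,mode,filename\n";
 
 let map = Libbpf.bpf_object_find_map_by_name obj "rb" in
 let callback : RingBuffer.callback =
 fun _ data _ ->
 let event = Ctypes.(!@(from_voidp Open_event.t data)) in
-Format.printf "%i,%i,%i,\"%s\"\n%!" (Open_event.get_pid event)
+Format.printf "%i,%s,%i,%i,\"%s\"\n%!" (Open_event.get_pid event)
+(Open_event.get_kind event |> Open_event.kind_to_string)
 (Open_event.get_flags event)
 (Open_event.get_mode event)
 (Open_event.get_fname event);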
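Review bot: The row printed at new line 72 places the traced filename between double quotes with `\"%s\"` but nothing escapes it, and the name is chosen by whichever process is being traced, so a path containing `"` or a line break can end the field early and make the trace output show rows that never happened. Escape the value before printing, for example with a small helper applied to `Open_event.get_fname event` that doubles embedded quotes and encodes line breaks. Separately, `kind_of_int` raises through `failwith` on an unknown value and is reached from inside the ring-buffer callback, so a single unexpected `e_kind` would stop the tracer; mapping unknown values to a printable placeholder would keep it running. The callback body continues outside the hunk.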
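--- a/opentrace.opam
+++ b/opentrace.opam
@@ -9,7 +9,7 @@
 "dune" {>= "3.17"}
 "ocaml"
 "libbpf"
-"libbpg_map"
+"libbpf_maps"
 "odoc" {with-doc}
 ]
 build: [
@@ -27,3 +27,7 @@
 ]
 ]
 homepage: "https://tangled.sh/@patrick.sirref.org/opentrace"
+pin-depends:[
+[ "libbpf.dev" "git+https://github.com/patricoferris/ocaml-libbpf#alpine" ]
+[ "libbpf_maps.dev" "git+https://github.com/patricoferris/ocaml-libbpf#alpine" ]
+]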