refact: move to libbpfgo

Signed-off-by: Alessio Greggi <ale_grey_91@hotmail.it>

.gitignore

@@ -1 +1,2 @@
 bin/
+ebpf.o

Makefile

@@ -1,19 +1,29 @@
 BINARY_NAME=harpoon
 BINARY_DIR=./bin
 
-build: create-bin-dir
+vmlinux.h:
+	bpftool btf dump file /sys/kernel/btf/vmlinux format c > ebpf/vmlinux.h
+
+build-bpf:
+	clang -g -O2 -c -target bpf -o ebpf.o ebpf/ebpf.c
+
+build: create-bin-dir vmlinux.h build-bpf
 	go mod download
+	CC=gcc CGO_CFLAGS="-I /usr/include/bpf" CGO_LDFLAGS="-lelf -lz /usr/lib64/libbpf.a" \
 	go build \
+		-tags core,ebpf \
 		-v \
 		-o ${BINARY_DIR}/${BINARY_NAME} \
 		.
 
-build-gh: create-bin-dir
+build-gh: create-bin-dir vmlinux.h build-bpf
 ifndef GITHUB_REF_NAME
 	$(error GITHUB_REF_NAME is undefined)
 endif
 	go mod download
+	CC=gcc CGO_CFLAGS="-I /usr/include/bpf" CGO_LDFLAGS="-lelf -lz /usr/lib64/libbpf.a" \
 	go build \
+		-tags core,ebpf \
 		-v \
 		-ldflags="-s -w -X 'main.version=${GITHUB_REF_NAME}'" \
 		-o ${BINARY_DIR}/${BINARY_NAME} \

ebpf/ebpf.c

@@ -1,14 +1,20 @@
-#include <uapi/linux/ptrace.h>
-#include <linux/string.h>
-#include <linux/tracepoint.h>
+// SPDX-License-Identifier: GPL-2.0
+// Copyright (c) 2024 Alessio Greggi
+#include "vmlinux.h"
 
-BPF_PERF_OUTPUT(events);
+#include <bpf/bpf_helpers.h>       /* most used helpers: SEC, __always_inline, etc */
+#include <bpf/bpf_core_read.h>     /* for BPF CO-RE helpers */
+#include <bpf/bpf_tracing.h>       /* for getting kprobe arguments */
+
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(u32));
+    __uint(value_size, sizeof(u32));
+} events SEC(".maps");
 
 // data_t used to store the data received from the event
 struct syscall_data {
-	// the syscall number
 	u32 syscall_id;
-	// tracing status (1 start, 2 stop)
 	u32 tracingStatus;
 };
 
@@ -30,37 +36,42 @@ __bpf_strncmp(const void *x, const void *y, __u64 len) {
 // enter_function submit the value 1 to advice 
 // the frontend app that the function started its
 // execution
+SEC("uprobe/enter_function")
 inline int enter_function(struct pt_regs *ctx) {
 	struct syscall_data data = {};
 	data.tracingStatus = 1;
-	events.perf_submit(ctx, &data, sizeof(data));
+	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
 	return 0;
 }
 
 // exit_function submit the value 2 to advice 
 // the frontend app that the function finished its
 // execution
+SEC("uprobe/exit_function")
 inline int exit_function(struct pt_regs *ctx) {
 	struct syscall_data data = {};
 	data.tracingStatus = 2;
-	events.perf_submit(ctx, &data, sizeof(data));
+	bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
 	return 0;
 }
 
-int start_trace(struct tracepoint__raw_syscalls__sys_enter* args) {
+SEC("tracepoint/raw_syscalls/sys_enter")
+int start_trace(struct trace_event_raw_sys_enter* args) {
 	struct syscall_data data = {};
 
 	char comm[16];
 	bpf_get_current_comm(&comm, sizeof(comm));
 	// skip if the command is not the one we want to trace
-	if (__bpf_strncmp(comm, "$CMD", sizeof(comm)) != 0) {
-		//bpf_trace_printk("command doesn't match: %s\n", comm);
+	if (__bpf_strncmp(comm, "ps", sizeof(comm)) != 0) {
+		// this is for debugging purposes, check output with:
+		// sudo cat /sys/kernel/debug/tracing/trace_pipe
+		//bpf_printk("command doesn't match: %s\n", comm)
 		return 1;
 	}
 
 	int id = (int)args->id;
 	data.syscall_id = id;
-	events.perf_submit(args, &data, sizeof(data));
+	bpf_perf_event_output(args, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
 	return 0;
 }