example_program_test.go
// +build linux
package ebpf_test
import (
"context"
"fmt"
"io/ioutil"
"os"
"strconv"
"time"
"strings"
"github.com/ismhong/ebpf"
"github.com/ismhong/ebpf/asm"
"github.com/ismhong/ebpf/perf"
"golang.org/x/sys/unix"
)
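// getTracepointID returns the system-specific ID of the syscalls/sys_enter_open
// tracepoint, read from the kernel's tracing directory under debugfs.
//
// The file is only available when debugfs is mounted at /sys/kernel/debug and
// the caller is allowed to read it (typically root). On any failure the
// returned ID is 0 and the error names the tracepoint.
func getTracepointID() (uint64, error) {
	const idPath = "/sys/kernel/debug/tracing/events/syscalls/sys_enter_open/id"

	data, err := ioutil.ReadFile(idPath)
	if err != nil {
		return 0, fmt.Errorf("failed to read tracepoint ID for 'sys_enter_open': %v", err)
	}

	// The value is newline-terminated; TrimSpace also tolerates any other
	// surrounding whitespace so that ParseUint only ever sees the digits.
	id, err := strconv.ParseUint(strings.TrimSpace(string(data)), 10, 64)
	if err != nil {
		// Add context so a malformed file is not reported as a bare strconv error.
		return 0, fmt.Errorf("failed to parse tracepoint ID for 'sys_enter_open': %v", err)
	}
	return id, nil
}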
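// Example_program demonstrates how to attach an eBPF program to a tracepoint.
// The program is attached to the sys_enter_open tracepoint and emits the
// integer 123 through a perf event array every time the syscall is used.
//
// Loading the program, reading the tracepoint ID from debugfs and opening a
// system-wide perf event all require elevated privileges (root or the
// relevant capabilities), so this example is meant for a test host only.
// It runs for ten seconds and then detaches.
func Example_program() {
	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
	defer cancel()

	events, err := ebpf.NewMap(&ebpf.MapSpec{
		Type: ebpf.PerfEventArray,
		Name: "pureGo",
	})
	if err != nil {
		panic(fmt.Errorf("could not create event map: %v\n", err))
	}
	defer events.Close()

	rd, err := perf.NewReader(events, os.Getpagesize())
	if err != nil {
		panic(fmt.Errorf("could not create event reader: %v", err))
	}
	defer rd.Close()

	// Drain samples until the context expires or the reader is closed by the
	// deferred rd.Close above.
	go func() {
		for {
			select {
			case <-ctx.Done():
				return
			default:
			}

			record, err := rd.Read()
			if err != nil {
				if perf.IsClosed(err) {
					return
				}
				panic(fmt.Errorf("could not read from reader: %v", err))
			}

			fmt.Println(record)
		}
	}()

	ins := asm.Instructions{
		// store the integer 123 at FP[-8]
		asm.Mov.Imm(asm.R2, 123),
		asm.StoreMem(asm.RFP, -8, asm.R2, asm.Word),

		// load registers with arguments for call of FnPerfEventOutput;
		// R1 still holds the program context it was entered with
		asm.LoadMapPtr(asm.R2, events.FD()),
		// 0xffffffff is BPF_F_CURRENT_CPU: write to the current CPU's slot
		asm.LoadImm(asm.R3, 0xffffffff, asm.DWord),
		asm.Mov.Reg(asm.R4, asm.RFP),
		asm.Add.Imm(asm.R4, -8),
		// size in bytes of the sample stored above (one asm.Word)
		asm.Mov.Imm(asm.R5, 4),

		// call FnPerfEventOutput
		asm.FnPerfEventOutput.Call(),

		// set exit code to 0
		asm.Mov.Imm(asm.R0, 0),
		asm.Return(),
	}

	prog, err := ebpf.NewProgram(&ebpf.ProgramSpec{
		Name:         "sys_enter_open",
		Type:         ebpf.TracePoint,
		License:      "GPL",
		Instructions: ins,
	})
	if err != nil {
		panic(fmt.Errorf("could not create new ebpf program: %v", err))
	}
	defer prog.Close()

	tid, err := getTracepointID()
	if err != nil {
		panic(fmt.Errorf("could not get tracepoint id: %v", err))
	}

	attr := unix.PerfEventAttr{
		Type:        unix.PERF_TYPE_TRACEPOINT,
		Config:      tid,
		Sample_type: unix.PERF_SAMPLE_RAW,
		Sample:      1,
		Wakeup:      1,
	}
	// pid -1 with cpu 0 observes every process, but only while it runs on CPU 0.
	pfd, err := unix.PerfEventOpen(&attr, -1, 0, -1, unix.PERF_FLAG_FD_CLOEXEC)
	if err != nil {
		panic(fmt.Errorf("unable to open perf events: %v", err))
	}
	// Release the perf event descriptor on every exit path; closing it also
	// detaches the program. The close error is ignored because nothing useful
	// can be done with it during teardown.
	defer unix.Close(pfd)

	// The ioctl failures below are reported through errno; err is nil at this
	// point, so printing it would hide the real cause.
	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(pfd), unix.PERF_EVENT_IOC_ENABLE, 0); errno != 0 {
		panic(fmt.Errorf("unable to enable perf events: %v", errno))
	}

	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(pfd), unix.PERF_EVENT_IOC_SET_BPF, uintptr(prog.FD())); errno != 0 {
		panic(fmt.Errorf("unable to attach bpf program to perf events: %v", errno))
	}

	<-ctx.Done()

	if _, _, errno := unix.Syscall(unix.SYS_IOCTL, uintptr(pfd), unix.PERF_EVENT_IOC_DISABLE, 0); errno != 0 {
		panic(fmt.Errorf("unable to disable perf events: %v", errno))
	}
}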