apache · mrproliu · Nov 21, 2024 · Nov 20, 2024 · Nov 21, 2024
diff --git a/bpf/accesslog/l24/read_l2.c b/bpf/accesslog/l24/read_l2.c
@@ -17,14 +17,15 @@
 
 #include "l24.h"
 #include "../common/data_args.h"
+#include "api.h"
 
-struct netif_receive_skb {
-	unsigned long long pad;
-	void * skbaddr;
-};
+struct trace_event_raw_net_dev_template {
+    struct trace_entry ent;
+    void *skbaddr;
+} __attribute__((preserve_access_index)) ;
 
 SEC("tracepoint/net/netif_receive_skb")
-int tracepoint_netif_receive_skb(struct netif_receive_skb *ctx) {
+int tracepoint_netif_receive_skb(struct trace_event_raw_net_dev_template *ctx) {
     struct sk_buff * skb = (struct sk_buff *)ctx->skbaddr;
 
     struct net_device *device = _(skb->dev);

diff --git a/bpf/accesslog/l24/write_l2.c b/bpf/accesslog/l24/write_l2.c
@@ -18,18 +18,19 @@
 #include "l24.h"
 #include "../common/data_args.h"
 
-struct net_dev_start_xmit_args {
-  unsigned long pad0;
-  unsigned long pad1;
+struct trace_event_raw_net_dev_start_xmit {
+        struct trace_entry ent;
+        __u32 __data_loc_name;
+        __u16 queue_mapping;
+        const void *skbaddr;
+} __attribute__((aligned(8))) __attribute__((preserve_access_index)) ;
 
-  void *skb;
-};
 
-struct net_dev_xmit_args {
-  unsigned long pad0;
+struct trace_event_raw_net_dev_xmit {
+    struct trace_entry ent;
+    void *skbaddr;
+} __attribute__((preserve_access_index));
 
-  void *skb;
-};
 
 SEC("kprobe/__dev_queue_xmit")
 int dev_queue_emit(struct pt_regs * ctx){
@@ -52,8 +53,8 @@ int dev_queue_emit_ret(struct pt_regs * ctx){
 }
 
 SEC("tracepoint/net/net_dev_start_xmit")
-int tracepoint_net_dev_start_xmit(struct net_dev_start_xmit_args *args) {
-    struct sk_buff * skb = args->skb;
+int tracepoint_net_dev_start_xmit(struct trace_event_raw_net_dev_start_xmit *args) {
+    struct sk_buff * skb = (struct sk_buff *)args->skbaddr;
     struct skb_transmit_detail *detail = bpf_map_lookup_elem(&sk_buff_transmit_detail_map, &skb);
     if (detail != NULL) {
         detail->l2_start_xmit_time = bpf_ktime_get_ns();
@@ -62,8 +63,8 @@ int tracepoint_net_dev_start_xmit(struct net_dev_start_xmit_args *args) {
 }
 
 SEC("tracepoint/net/net_dev_xmit")
-int tracepoint_net_dev_xmit(struct net_dev_xmit_args *args) {
-    struct sk_buff * skb = args->skb;
+int tracepoint_net_dev_xmit(struct trace_event_raw_net_dev_xmit *args) {
+    struct sk_buff * skb = (struct sk_buff *)args->skbaddr;
     struct skb_transmit_detail *detail = bpf_map_lookup_elem(&sk_buff_transmit_detail_map, &skb);
     if (detail != NULL) {
         detail->l2_finish_xmit_time = bpf_ktime_get_ns();

diff --git a/bpf/accesslog/l24/write_l4.c b/bpf/accesslog/l24/write_l4.c
@@ -19,12 +19,11 @@
 #include "../common/data_args.h"
 #include "../common/sock.h"
 
-struct kfree_skb_args {
-  unsigned long pad;
-
-  void *skb;
-  void *location;
-};
+struct trace_event_raw_kfree_skb {
+    struct trace_entry ent;
+    void *skbaddr;
+    void *location;
+} __attribute__((preserve_access_index));
 
 SEC("kprobe/tcp_sendmsg")
 int tcp_sendmsg(struct pt_regs* ctx) {
@@ -83,8 +82,8 @@ int tracepoint_tcp_retransmit_skb() {
     }
 
 SEC("tracepoint/skb/kfree_skb")
-int kfree_skb(struct kfree_skb_args *args) {
-    struct sk_buff *skb = args->skb;
+int kfree_skb(struct trace_event_raw_kfree_skb *args) {
+    struct sk_buff *skb = (struct sk_buff *)args->skbaddr;
     if (skb == NULL) {
         return 0;
     }

diff --git a/bpf/accesslog/process/process.c b/bpf/accesslog/process/process.c
@@ -26,19 +26,17 @@ struct process_execute_event {
     __u32 pid;
 };
 
-struct sched_comm_fork_ctx {
-    unsigned short common_type;
-    unsigned char common_flags;
-    unsigned char common_preempt_count;
-    int common_pid;
-	char parent_comm[16];
-	pid_t parent_pid;
-	char child_comm[16];
-	pid_t child_pid;
-};
+struct trace_event_raw_sched_process_fork {
+        struct trace_entry ent;
+        char parent_comm[16];
+        __u32 parent_pid;
+        char child_comm[16];
+        __u32 child_pid;
+        char __data[0];
+}  __attribute__((preserve_access_index)) ;
 
 SEC("tracepoint/sched/sched_process_fork")
-int tracepoint_sched_process_fork(struct sched_comm_fork_ctx* ctx) {
+int tracepoint_sched_process_fork(struct trace_event_raw_sched_process_fork* ctx) {
     __u32 tgid = ctx->parent_pid;
     // adding to the monitor
     __u32 v = 1;

diff --git a/bpf/accesslog/syscalls/close.c b/bpf/accesslog/syscalls/close.c
@@ -21,19 +21,6 @@
 #include "../process/process.h"
 #include "../common/connection.h"
 
-struct trace_point_enter_close {
-    __u64 pad_0;
-    int __syscall_nr;
-    __u32 pad_1;
-    int fd;
-};
-struct trace_point_exit_close {
-    __u64 pad_0;
-    __u32 __syscall_nr;
-    __u32 pad_1;
-    __u64 ret;
-};
-
 static __inline void process_close_sock(void* ctx, __u64 id, struct sock_close_args_t *args, int ret) {
     __u32 tgid = (__u32)(id >> 32);
     if (args->fd < 0) {
@@ -44,25 +31,25 @@ static __inline void process_close_sock(void* ctx, __u64 id, struct sock_close_a
 }
 
 SEC("tracepoint/syscalls/sys_enter_close")
-int tracepoint_enter_close(struct trace_point_enter_close *ctx) {
+int tracepoint_enter_close(struct syscall_trace_enter *ctx) {
     uint64_t id = bpf_get_current_pid_tgid();
     if (tgid_should_trace(id >> 32) == false) {
         return 0;
     }
 
     struct sock_close_args_t close_args = {};
-    close_args.fd = ctx->fd;
+    close_args.fd = (__u32)ctx->args[0];
     close_args.start_nacs = bpf_ktime_get_ns();
     bpf_map_update_elem(&closing_args, &id, &close_args, 0);
 	return 0;
 }
 
 SEC("tracepoint/syscalls/sys_exit_close")
-int tracepoint_exit_close(struct trace_point_exit_close *ctx) {
+int tracepoint_exit_close(struct syscall_trace_exit *ctx) {
     __u64 id = bpf_get_current_pid_tgid();
     struct sock_close_args_t *close_args = bpf_map_lookup_elem(&closing_args, &id);
     if (close_args) {
-        process_close_sock(ctx, id, close_args, ctx->ret);
+        process_close_sock(ctx, id, close_args, (int)ctx->ret);
     }
 
     bpf_map_delete_elem(&closing_args, &id);

diff --git a/bpf/accesslog/syscalls/connect.c b/bpf/accesslog/syscalls/connect.c
@@ -21,34 +21,6 @@
 #include "../process/process.h"
 #include "../common/connection.h"
 
-struct trace_point_enter_connect {
-    __u64 pad_0;
-    int __syscall_nr;
-    __u32 pad_1;
-    int fd;
-    struct sockaddr * uservaddr;
-};
-struct trace_point_exit_connect {
-    __u64 pad_0;
-    __u32 __syscall_nr;
-    __u32 pad_1;
-    __u64 ret;
-};
-
-struct trace_point_enter_accept {
-    __u64 pad_0;
-    int __syscall_nr;
-    __u32 pad_1;
-    int fd;
-    struct sockaddr * upeer_sockaddr;
-};
-struct trace_point_exit_accept {
-    __u64 pad_0;
-    __u32 __syscall_nr;
-    __u32 pad_1;
-    long ret;
-};
-
 static __inline void process_connect(void *ctx, __u64 id, struct connect_args_t *connect_args, long ret) {
     bool success = true;
     if (ret < 0 && ret != -EINPROGRESS) {
@@ -71,22 +43,22 @@ static __inline void process_accept(void *ctx, __u64 id, struct accept_args_t *a
 }
 
 SEC("tracepoint/syscalls/sys_enter_connect")
-int tracepoint_enter_connect(struct trace_point_enter_connect *ctx) {
+int tracepoint_enter_connect(struct syscall_trace_enter *ctx) {
     uint64_t id = bpf_get_current_pid_tgid();
     if (tgid_should_trace(id >> 32) == false) {
         return 0;
     }
 
     struct connect_args_t connect_args = {};
-    connect_args.fd = ctx->fd;
-    connect_args.addr = ctx->uservaddr;
+    connect_args.fd = (__u32)ctx->args[0];
+    connect_args.addr = (struct sockaddr *)ctx->args[1];
     connect_args.start_nacs = bpf_ktime_get_ns();
     bpf_map_update_elem(&conecting_args, &id, &connect_args, 0);
 	return 0;
 }
 
 SEC("tracepoint/syscalls/sys_exit_connect")
-int tracepoint_exit_connect(struct trace_point_exit_connect *ctx) {
+int tracepoint_exit_connect(struct syscall_trace_exit *ctx) {
     __u64 id = bpf_get_current_pid_tgid();
     struct connect_args_t *connect_args;
 
@@ -110,21 +82,21 @@ int tcp_connect(struct pt_regs *ctx) {
 }
 
 SEC("tracepoint/syscalls/sys_enter_accept")
-int tracepoint_enter_accept(struct trace_point_enter_accept *ctx) {
+int tracepoint_enter_accept(struct syscall_trace_enter *ctx) {
     uint64_t id = bpf_get_current_pid_tgid();
     if (tgid_should_trace(id >> 32) == false) {
         return 0;
     }
 
     struct accept_args_t accept_args = {};
-    accept_args.addr = ctx->upeer_sockaddr;
+    accept_args.addr = (struct sockaddr *)ctx->args[1];
     accept_args.start_nacs = bpf_ktime_get_ns();
     bpf_map_update_elem(&accepting_args, &id, &accept_args, 0);
 	return 0;
 }
 
 SEC("tracepoint/syscalls/sys_exit_accept")
-int tracepoint_exit_accept(struct trace_point_exit_accept *ctx) {
+int tracepoint_exit_accept(struct syscall_trace_exit *ctx) {
     __u64 id = bpf_get_current_pid_tgid();
     struct accept_args_t *accept_args = bpf_map_lookup_elem(&accepting_args, &id);
     if (accept_args) {