write_expaned

Signed-off-by: shangfan <45649554+sf1999817@users.noreply.github.com>
linuxkerneltravel · Jul 9, 2024 · 8acf979 · 8acf979
1 parent 4c17797
commit 8acf979
Show file tree

Hide file tree

Showing 3 changed files with 174 additions and 0 deletions.
diff --git a/eBPF_Supermarket/Filesystem_Subsystem/old_project/write.bpf.c b/eBPF_Supermarket/Filesystem_Subsystem/old_project/write.bpf.c
@@ -0,0 +1,62 @@
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+#include "write.h"
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+#define PATH_MAX 256
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1024);
+	__type(key, pid_t);
+	__type(value, int);
+} data SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_RINGBUF);
+	__uint(max_entries,256 * 1024);
+} rb SEC(".maps");
+
+
+SEC("kprobe/vfs_write")
+int kprobe_vfs_write(struct pt_regs *ctx)
+{
+  pid_t pid;
+  struct fs_t *e;
+  unsigned long inode_number;//定义用于存储inode号码的变量
+
+   //探测的是第一个参数，文件指针,读取inode_number
+  struct file *filp = (struct file *)PT_REGS_PARM1(ctx);  
+  struct dentry *dentry = BPF_CORE_READ(filp,f_path.dentry);
+  if(!dentry){
+		bpf_printk("Failed to read dentry\n");
+		return 0;
+	}
+  struct inode *inode = BPF_CORE_READ(dentry,d_inode);
+  if(!inode){
+    bpf_printk("Failed to read inode\n");
+    return 0;
+  }
+  int ret = bpf_probe_read_kernel(&inode_number,sizeof(inode_number),&inode->i_ino);
+
+  //探测的是第三个参数，要写入的字节数
+  size_t count = (size_t)PT_REGS_PARM3(ctx);
+
+  //这是vfs_write的返回值，它是一个实际写入的字节数
+  size_t real_count = PT_REGS_RC(ctx);
+
+  pid = bpf_get_current_pid_tgid() >> 32;
+  e = bpf_ringbuf_reserve(&rb,sizeof(*e),0); 
+  if(!e)
+    return 0;
+
+  e->pid = pid;
+  e->real_count = real_count;
+  e->count = count;
+  e->inode_number = inode_number;
+
+  //这里将获取到的文件指针不为空时
+  bpf_ringbuf_submit(e, 0);
+  return 0;
+}
diff --git a/eBPF_Supermarket/Filesystem_Subsystem/old_project/write.c b/eBPF_Supermarket/Filesystem_Subsystem/old_project/write.c
@@ -0,0 +1,101 @@
+#include <stdio.h>
+#include <signal.h>
+#include <unistd.h>
+#include <sys/resource.h>
+#include <time.h>
+#include <stdlib.h>
+#include "write.h"
+#include "write.skel.h"
+
+#define PATH_MAX 128
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+	return vfprintf(stderr, format, args);
+}
+
+static volatile bool exiting = false;
+
+static void sig_handler(int sig)
+{
+	exiting = true;
+}
+
+static int write_event(void *ctx, void *data, size_t data_sz)
+{
+    const struct fs_t *e = data;
+    struct tm *tm;
+    char ts[32];
+    time_t t;
+    time(&t);
+    tm = localtime(&t);
+    strftime(ts, sizeof(ts), "%H:%M:%S", tm);
+	printf("ts:%-8s  pid:%-7ld  inode_number:%-7ld   cout:%-7ld   real_count:%-7ld\n", ts, e->pid,e->inode_number,e->count,e->real_count);
+    return 0;
+}
+
+int main(int argc, char **argv)
+{
+    struct ring_buffer *rb = NULL;
+    struct write_bpf *skel;
+	int err;
+
+    /* Set up libbpf errors and debug info callback */
+	libbpf_set_print(libbpf_print_fn);
+
+
+	/* Cleaner handling of Ctrl-C */
+	signal(SIGINT, sig_handler);
+	signal(SIGTERM, sig_handler);
+
+    /* Open BPF application */
+	skel = write_bpf__open();
+	if (!skel) {
+		fprintf(stderr, "Failed to open BPF skeleton\n");
+		return 1;
+	}
+
+	/* Load & verify BPF programs */
+	err = write_bpf__load(skel);
+	if (err) {
+		fprintf(stderr, "Failed to load and verify BPF skeleton\n");
+		goto cleanup;
+	}
+
+    /* Attach tracepoints */
+	err = write_bpf__attach(skel);
+	if (err) {
+		fprintf(stderr, "Failed to attach BPF skeleton\n");
+		goto cleanup;
+	}
+
+    /* Set up ring buffer polling */
+	rb = ring_buffer__new(bpf_map__fd(skel->maps.rb), write_event, NULL, NULL);
+	if (!rb) {
+		err = -1;
+		fprintf(stderr, "Failed to create ring buffer\n");
+		goto cleanup;
+	}
+
+    /* Process events */
+	while (!exiting) {
+		err = ring_buffer__poll(rb, 100 /* timeout, ms */);
+		/* Ctrl-C will cause -EINTR */
+		if (err == -EINTR) {
+			err = 0;
+			break;
+		}
+
+		if (err < 0) {
+			printf("Error polling perf buffer: %d\n", err);
+			break;
+		}
+	}
+
+cleanup:
+	/* Clean up */
+	ring_buffer__free(rb);
+	write_bpf__destroy(skel);
+
+	return err < 0 ? -err : 0;
+}
diff --git a/eBPF_Supermarket/Filesystem_Subsystem/old_project/write.h b/eBPF_Supermarket/Filesystem_Subsystem/old_project/write.h
@@ -0,0 +1,11 @@
+#ifndef __WRITE_H
+#define __WRITE_H
+
+struct fs_t {
+    unsigned long inode_number;
+    pid_t pid;
+    size_t real_count;
+    size_t count;
+};
+
+#endif /* __WRITE_H */