bpf: use raw_tracepoint instead of tracepoint

bpf/bpf.go

@@ -142,10 +142,12 @@ func (b *BPF) AttachKprobes() error {
 }
 
 func (b *BPF) AttachTracepoints() error {
-	lk, err := link.Tracepoint("sched", "sched_process_exec",
-		b.objs.TracepointSchedSchedProcessExec, nil)
+		lk, err := link.AttachRawTracepoint(link.RawTracepointOptions{
+			"sched_process_exec",
+			b.objs.RawTracepointSchedProcessExec,
+		})
 	if err != nil {
-		return xerrors.Errorf("attach tracepoint/sched/sched_process_exec: %w", err)
+		return xerrors.Errorf("attach raw_tracepoint/sched_process_exec: %w", err)
 	}
 	b.links = append(b.links, lk)
 

bpf/ptcpdump.c

@@ -340,11 +340,16 @@ static __always_inline int process_filter(struct task_struct *task) {
     return -1;
 }
 
-static __always_inline void handle_fork(struct task_struct *parent, struct task_struct *child) {
+static __always_inline void handle_fork(struct bpf_raw_tracepoint_args *ctx) {
     if (filter_follow_forks != 1) {
        return;
     }
 
+    // args: struct task_struct *parent, struct task_struct *child
+    struct task_struct *parent = (struct task_struct *)BPF_CORE_READ(ctx, args[0]);
+    struct task_struct *child = (struct task_struct *)BPF_CORE_READ(ctx, args[1]);
+    u32 child_pid = BPF_CORE_READ(child, tgid);
+
     if (process_filter(parent) == 0) {
         bpf_map_update_elem(&filter_pid_map, &child_pid, &u8_zero, BPF_NOEXIST);
         return;
@@ -357,9 +362,7 @@ static __always_inline void handle_fork(struct task_struct *parent, struct task_
 
 SEC("raw_tracepoint/sched_process_fork")
 int raw_tracepoint__sched_process_fork(struct bpf_raw_tracepoint_args *ctx) {
-    struct task_struct *parent = (struct task_struct *)BPF_CORE_READ(ctx, args[0]);
-    struct task_struct *child = (struct task_struct *)BPF_CORE_READ(ctx, args[1]);
-    handle_fork(parent, child);
+    handle_fork(ctx);
     return 0;
 }
 
@@ -466,8 +469,9 @@ static __always_inline void handle_tc(struct __sk_buff *skb, bool egress) {
     return;
 }
 
-static __always_inline void handle_exec(struct trace_event_raw_sched_process_exec *ctx) {
-    struct task_struct *task = (struct task_struct *)bpf_get_current_task();
+static __always_inline void handle_exec(struct bpf_raw_tracepoint_args *ctx) {
+    // args: struct task_struct *p, pid_t old_pid, struct linux_binprm *bprm
+    struct task_struct *task = (struct task_struct *)BPF_CORE_READ(ctx, args[0]);
     if (process_filter(task) < 0) {
         return;
     }
@@ -481,17 +485,14 @@ static __always_inline void handle_exec(struct trace_event_raw_sched_process_exe
 
     event->pid = bpf_get_current_pid_tgid() >> 32;
 
-    unsigned int filename_loc = BPF_CORE_READ(ctx, __data_loc_filename) & 0xFFFF;
-    int f_ret = bpf_probe_read_str(&event->filename, sizeof(event->filename), (void *)ctx + filename_loc);
+    struct linux_binprm *bprm = (struct linux_binprm *)BPF_CORE_READ(ctx, args[2]);
+    const char *filename_p = BPF_CORE_READ(bprm, filename);
+    int f_ret = bpf_probe_read_str(&event->filename, sizeof(event->filename), filename_p);
     if (f_ret < 0 ) {
         bpf_printk("[ptcpdump] read exec filename failed: %d", f_ret);
     }
     if (f_ret == EXEC_FILENAME_LEN) {
         event->filename_truncated = 1;
-//        char tmp[EXEC_FILENAME_LEN+1];
-//        if (bpf_probe_read_str(&tmp, sizeof(tmp), (void *)ctx + filename_loc) > EXEC_FILENAME_LEN) {
-//            event->filename_truncated = 1;
-//        }
     }
 
     void *arg_start = (void *)BPF_CORE_READ(task, mm, arg_start);
@@ -515,9 +516,8 @@ static __always_inline void handle_exec(struct trace_event_raw_sched_process_exe
     return;
 }
 
-// TODO: change to use raw tracepoint
-SEC("tracepoint/sched/sched_process_exec")
-int tracepoint__sched__sched_process_exec(struct trace_event_raw_sched_process_exec *ctx) {
+SEC("raw_tracepoint/sched_process_exec")
+int raw_tracepoint__sched_process_exec(struct bpf_raw_tracepoint_args *ctx) {
     handle_exec(ctx);
     return 0;
 }