Commit | Line | Data |
---|---|---|
d822a192 AS |
1 | /* Copyright (c) 2013-2015 PLUMgrid, http://plumgrid.com |
2 | * | |
3 | * This program is free software; you can redistribute it and/or | |
4 | * modify it under the terms of version 2 of the GNU General Public | |
5 | * License as published by the Free Software Foundation. | |
6 | */ | |
7 | #include <linux/skbuff.h> | |
8 | #include <linux/netdevice.h> | |
9 | #include <linux/version.h> | |
10 | #include <uapi/linux/bpf.h> | |
11 | #include "bpf_helpers.h" | |
12 | ||
13 | struct bpf_map_def SEC("maps") my_map = { | |
14 | .type = BPF_MAP_TYPE_HASH, | |
15 | .key_size = sizeof(long), | |
16 | .value_size = sizeof(long), | |
17 | .max_entries = 1024, | |
18 | }; | |
19 | ||
20 | /* kprobe is NOT a stable ABI. If kernel internals change this bpf+kprobe | |
21 | * example will no longer be meaningful | |
22 | */ | |
23 | SEC("kprobe/kfree_skb") | |
24 | int bpf_prog2(struct pt_regs *ctx) | |
25 | { | |
26 | long loc = 0; | |
27 | long init_val = 1; | |
28 | long *value; | |
29 | ||
d912557b | 30 | /* x64/s390x specific: read ip of kfree_skb caller. |
d822a192 AS |
31 | * non-portable version of __builtin_return_address(0) |
32 | */ | |
d912557b | 33 | bpf_probe_read(&loc, sizeof(loc), (void *)PT_REGS_RET(ctx)); |
d822a192 AS |
34 | |
35 | value = bpf_map_lookup_elem(&my_map, &loc); | |
36 | if (value) | |
37 | *value += 1; | |
38 | else | |
39 | bpf_map_update_elem(&my_map, &loc, &init_val, BPF_ANY); | |
40 | return 0; | |
41 | } | |
42 | ||
43 | static unsigned int log2(unsigned int v) | |
44 | { | |
45 | unsigned int r; | |
46 | unsigned int shift; | |
47 | ||
48 | r = (v > 0xFFFF) << 4; v >>= r; | |
49 | shift = (v > 0xFF) << 3; v >>= shift; r |= shift; | |
50 | shift = (v > 0xF) << 2; v >>= shift; r |= shift; | |
51 | shift = (v > 0x3) << 1; v >>= shift; r |= shift; | |
52 | r |= (v >> 1); | |
53 | return r; | |
54 | } | |
55 | ||
56 | static unsigned int log2l(unsigned long v) | |
57 | { | |
58 | unsigned int hi = v >> 32; | |
59 | if (hi) | |
60 | return log2(hi) + 32; | |
61 | else | |
62 | return log2(v); | |
63 | } | |
64 | ||
ffeedafb AS |
65 | struct hist_key { |
66 | char comm[16]; | |
67 | u64 pid_tgid; | |
68 | u64 uid_gid; | |
69 | u32 index; | |
70 | }; | |
71 | ||
d822a192 | 72 | struct bpf_map_def SEC("maps") my_hist_map = { |
ffeedafb AS |
73 | .type = BPF_MAP_TYPE_HASH, |
74 | .key_size = sizeof(struct hist_key), | |
d822a192 | 75 | .value_size = sizeof(long), |
ffeedafb | 76 | .max_entries = 1024, |
d822a192 AS |
77 | }; |
78 | ||
79 | SEC("kprobe/sys_write") | |
80 | int bpf_prog3(struct pt_regs *ctx) | |
81 | { | |
d912557b | 82 | long write_size = PT_REGS_PARM3(ctx); |
d822a192 AS |
83 | long init_val = 1; |
84 | long *value; | |
ffeedafb AS |
85 | struct hist_key key = {}; |
86 | ||
87 | key.index = log2l(write_size); | |
88 | key.pid_tgid = bpf_get_current_pid_tgid(); | |
89 | key.uid_gid = bpf_get_current_uid_gid(); | |
90 | bpf_get_current_comm(&key.comm, sizeof(key.comm)); | |
d822a192 | 91 | |
ffeedafb | 92 | value = bpf_map_lookup_elem(&my_hist_map, &key); |
d822a192 AS |
93 | if (value) |
94 | __sync_fetch_and_add(value, 1); | |
ffeedafb AS |
95 | else |
96 | bpf_map_update_elem(&my_hist_map, &key, &init_val, BPF_ANY); | |
d822a192 AS |
97 | return 0; |
98 | } | |
99 | char _license[] SEC("license") = "GPL"; | |
100 | u32 _version SEC("version") = LINUX_VERSION_CODE; |