rbbcc 0.11.6 → 0.11.8

data/examples/extract_arg.rb

@@ -1,26 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rbbcc'
-include RbBCC
-
-code = <<CLANG
-#include <uapi/linux/ptrace.h>
-#define ARGSIZE 128
-
-// must be syscall__${the_name} ?
-int syscall__execve(struct pt_regs *ctx,
-    const char __user *filename,
-    const char __user *const __user *__argv,
-    const char __user *const __user *__envp)
-{
-  char buf[ARGSIZE] = {};
-  bpf_probe_read(buf, sizeof(buf), (void *)filename);
-  bpf_trace_printk("execve: %s\\n", &buf);
-
-  return 0;
-}
-CLANG
-
-b = BCC.new(text: code)
-b.attach_kprobe(event: b.get_syscall_fnname("execve"), fn_name: "syscall__execve")
-b.trace_print

data/examples/hello_fields.rb

@@ -1,32 +0,0 @@
-#!/usr/bin/env ruby
-#
-# This is a Hello World example that formats output as fields.
-
-require 'rbbcc'
-include RbBCC
-
-# define BPF program
-prog = <<CLANG
-int hello(void *ctx) {
-    bpf_trace_printk("Hello, World!\\n");
-    return 0;
-}
-CLANG
-
-# load BPF program
-b = BCC.new(text: prog)
-b.attach_kprobe(event: b.get_syscall_fnname("clone"), fn_name: "hello")
-
-# header
-puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "MESSAGE"])
-
-# format output
-loop do
-  begin
-    b.trace_fields do |task, pid, cpu, flags, ts, msg|
-      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
-    end
-  rescue Interrupt
-    exit
-  end
-end

data/examples/hello_perf_output.rb

@@ -1,64 +0,0 @@
-#!/usr/bin/env ruby
-#
-# This is a Hello World example that uses BPF_PERF_OUTPUT.
-# Ported from hello_perf_output.py
-
-require 'rbbcc'
-include RbBCC
-
-# define BPF program
-prog = """
-#include <linux/sched.h>
-
-// define output data structure in C
-struct data_t {
-    u32 pid;
-    u64 ts;
-    char comm[TASK_COMM_LEN];
-};
-BPF_PERF_OUTPUT(events);
-
-int hello(struct pt_regs *ctx) {
-    struct data_t data = {};
-
-    data.pid = bpf_get_current_pid_tgid();
-    data.ts = bpf_ktime_get_ns();
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-
-    events.perf_submit(ctx, &data, sizeof(data));
-
-    return 0;
-}
-"""
-
-# load BPF program
-b = BCC.new(text: prog)
-b.attach_kprobe(event: b.get_syscall_fnname("clone"), fn_name: "hello")
-
-# header
-puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "MESSAGE"])
-
-# process event
-start = 0
-print_event = lambda { |cpu, data, size|
-  event = b["events"].event(data)
-  if start == 0
-    start = event.ts
-  end
-
-  time_s = ((event.ts - start).to_f) / 1000000000
-  # event.comm.pack("c*").sprit
-  puts("%-18.9f %-16s %-6d %s" % [time_s, event.comm, event.pid,
-                                  "Hello, perf_output!"])
-}
-
-# loop with callback to print_event
-b["events"].open_perf_buffer(&print_event)
-
-loop do
-  begin
-    b.perf_buffer_poll()
-  rescue Interrupt
-    exit()
-  end
-end

data/examples/hello_ring_buffer.rb

@@ -1,64 +0,0 @@
-#!/usr/bin/env ruby
-#
-# This is a Hello World example that uses BPF_PERF_OUTPUT.
-# Ported from hello_perf_output.py
-
-require 'rbbcc'
-include RbBCC
-
-# define BPF program
-prog = """
-#include <linux/sched.h>
-
-struct data_t {
-    u32 pid;
-    u64 ts;
-    char comm[TASK_COMM_LEN];
-};
-BPF_RINGBUF_OUTPUT(buffer, 1 << 4);
-
-int hello(struct pt_regs *ctx) {
-    struct data_t data = {};
-
-    data.pid = bpf_get_current_pid_tgid();
-    data.ts = bpf_ktime_get_ns();
-    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-
-    buffer.ringbuf_output(&data, sizeof(data), 0);
-
-    return 0;
-}
-"""
-
-# load BPF program
-b = BCC.new(text: prog)
-b.attach_kprobe(event: b.get_syscall_fnname("clone"), fn_name: "hello")
-
-# header
-puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "MESSAGE"])
-
-# process event
-start = 0
-print_event = lambda { |ctx, data, size|
-  event = b["buffer"].event(data)
-  if start == 0
-    start = event.ts
-  end
-
-  time_s = ((event.ts - start).to_f) / 1000000000
-  # event.comm.pack("c*").sprit
-  puts("%-18.9f %-16s %-6d %s" % [time_s, event.comm, event.pid,
-                                  "Hello, ringbuf!"])
-}
-
-# loop with callback to print_event
-b["buffer"].open_ring_buffer(&print_event)
-
-loop do
-  begin
-    b.ring_buffer_poll()
-    sleep(0.5)
-  rescue Interrupt
-    exit()
-  end
-end

data/examples/hello_world.rb

@@ -1,6 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rbbcc'
-include RbBCC
-
-BCC.new(text: 'int kprobe__sys_clone(void *ctx) { bpf_trace_printk("Hello, World!\\n"); return 0; }').trace_print

data/examples/kvm_hypercall.rb

@@ -1,69 +0,0 @@
-#!/usr/bin/python
-#
-# kvm_hypercall.rb - TODO: it is still not tested
-# See original kvm_hypercall.py and txt
-#
-# Demonstrates stateful kvm_entry and kvm_exit recording along with the
-# associated hypercall when exit_reason is VMCALL. See kvm_hypercall.txt
-# for usage
-#
-# REQUIRES: Linux 4.7+ (BPF_PROG_TYPE_TRACEPOINT support)
-#
-# Copyright (c) 2017 ShiftLeft Inc.
-#
-# Author(s):
-#   Suchakrapani Sharma <suchakra@shiftleft.io>
-
-require 'rbbcc'
-include RbBCC
-
-# load BPF program
-b = BCC.new(text: <<CLANG)
-#define EXIT_REASON 18
-BPF_HASH(start, u8, u8);
-
-TRACEPOINT_PROBE(kvm, kvm_exit) {
-    u8 e = EXIT_REASON;
-    u8 one = 1;
-    if (args->exit_reason == EXIT_REASON) {
-        bpf_trace_printk("KVM_EXIT exit_reason : %d\\n", args->exit_reason);
-        start.update(&e, &one);
-    }
-    return 0;
-}
-
-TRACEPOINT_PROBE(kvm, kvm_entry) {
-    u8 e = EXIT_REASON;
-    u8 zero = 0;
-    u8 *s = start.lookup(&e);
-    if (s != NULL && *s == 1) {
-        bpf_trace_printk("KVM_ENTRY vcpu_id : %u\\n", args->vcpu_id);
-        start.update(&e, &zero);
-    }
-    return 0;
-}
-
-TRACEPOINT_PROBE(kvm, kvm_hypercall) {
-    u8 e = EXIT_REASON;
-    u8 zero = 0;
-    u8 *s = start.lookup(&e);
-    if (s != NULL && *s == 1) {
-        bpf_trace_printk("HYPERCALL nr : %d\\n", args->nr);
-    }
-    return 0;
-};
-CLANG
-
-# header
-puts("%-18s %-16s %-6s %s" % ["TIME(s)", "COMM", "PID", "EVENT"])
-
-# format output
-loop do
-  begin
-    b.trace_fields do |task, pid, cpu, flags, ts, msg|
-      puts("%-18.9f %-16s %-6d %s" % [ts, task, pid, msg])
-    end
-  rescue Interrupt
-    exit
-  end
-end

data/examples/lsm_sockblock.rb

@@ -1,141 +0,0 @@
-#!/usr/bin/env ruby
-#
-# lsm_sockblock.rb  Monitor/block AF_ALG socket_create via BPF LSM.
-#
-# This example uses LSM_PROBE(socket_create) and a BPF_ARRAY map for mode:
-#   0 = preview (log only)
-#   1 = block   (return -EPERM)
-#
-# The config map is pinned to bpffs so mode can be changed externally.
-#
-# Usage:
-#   sudo ruby examples/lsm_sockblock.rb
-#   sudo ruby examples/lsm_sockblock.rb --mode block
-#   sudo ruby examples/lsm_sockblock.rb --pin-path /sys/fs/bpf/my_config_map
-
-require 'optparse'
-require 'socket'
-require 'rbbcc'
-
-include RbBCC
-
-PROGRAM = <<~CLANG
-  #include <linux/socket.h>
-  #include <uapi/asm-generic/errno-base.h>
-
-  struct data_t {
-      u32 pid;
-      int family;
-      int type;
-      int is_warning;
-      int is_blocked;
-      char comm[16];
-  };
-
-  BPF_PERF_OUTPUT(events);
-  BPF_ARRAY(config_map, u32, 1);
-
-  LSM_PROBE(socket_create, int family, int type, int protocol, int kern)
-  {
-      u32 pid = bpf_get_current_pid_tgid() >> 32;
-      struct data_t data = {};
-
-      u32 key = 0;
-      u32 *mode = config_map.lookup(&key);
-      int is_block_mode = (mode && *mode == 1);
-
-      data.pid = pid;
-      data.family = family;
-      data.type = type;
-      bpf_get_current_comm(&data.comm, sizeof(data.comm));
-
-      if (family == AF_ALG) {
-          data.is_blocked = is_block_mode;
-          data.is_warning = 1;
-          events.perf_submit(ctx, &data, sizeof(data));
-
-          if (is_block_mode) {
-              return -EPERM;
-          }
-      } else {
-          data.is_blocked = 0;
-          data.is_warning = 0;
-          events.perf_submit(ctx, &data, sizeof(data));
-      }
-
-      return 0;
-  }
-CLANG
-
-options = {
-  mode: "preview",
-  pin_path: "/sys/fs/bpf/rbbcc_lsm_config_map"
-}
-
-OptionParser.new do |opts|
-  opts.banner = "Usage: #{$0} [--mode preview|block] [--pin-path PATH]"
-
-  opts.on("--mode MODE", ["preview", "block"], "Operation mode (default: preview)") do |v|
-    options[:mode] = v
-  end
-
-  opts.on("--pin-path PATH", "bpffs pin path (default: /sys/fs/bpf/rbbcc_lsm_config_map)") do |v|
-    options[:pin_path] = v
-  end
-end.parse!
-
-mode_value = (options[:mode] == "block") ? 1 : 0
-
-families = Socket.constants.grep(/^AF_/).each_with_object({}) do |name, h|
-  begin
-    v = Socket.const_get(name)
-    h[v] = name.to_s if v.is_a?(Integer)
-  rescue NameError
-    next
-  end
-end
-
-types = Socket.constants.grep(/^SOCK_/).each_with_object({}) do |name, h|
-  begin
-    v = Socket.const_get(name)
-    h[v] = name.to_s if v.is_a?(Integer)
-  rescue NameError
-    next
-  end
-end
-
-begin
-  b = BCC.new(text: PROGRAM)
-
-  config = b["config_map"]
-  config[0] = mode_value
-
-  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
-  BCC.pin!(config.map_fd, options[:pin_path])
-
-  puts "LSM BPF started in #{options[:mode].upcase} mode."
-  puts "Pinned config map: #{options[:pin_path]}"
-  puts "Tracing AF_ALG socket_create... Press Ctrl-C to exit."
-
-  b["events"].open_perf_buffer do |cpu, data, size|
-    event = b["events"].event(data)
-    family = families.fetch(event.family, "AF_UNKNOWN(#{event.family})")
-    stype = types.fetch(event.type, "SOCK_UNKNOWN(#{event.type})")
-
-    puts "PID: #{event.pid.to_s.ljust(7)} | COMM: #{event.comm.to_s.ljust(15)} | FAMILY: #{family.ljust(14)} | TYPE: #{stype}"
-
-    next if event.is_warning == 0
-
-    mode_str = (event.is_blocked == 1) ? "BLOCK" : "PREVIEW"
-    status = (event.is_blocked == 1) ? "REJECTED" : "WARNING"
-    puts "\e[1;31m[#{mode_str}] #{status}: PID #{event.pid} (#{event.comm}) tried AF_ALG socket creation.\e[0m"
-  end
-
-  loop do
-    b.perf_buffer_poll
-  end
-rescue Interrupt
-  puts "\nStopping..."
-ensure
-  File.unlink(options[:pin_path]) if File.exist?(options[:pin_path])
-end

data/examples/mallocstack.rb

@@ -1,63 +0,0 @@
-#!/usr/bin/env ruby
-#
-# mallocstacks  Trace malloc() calls in a process and print the full
-#               stack trace for all callsites.
-#               For Linux, uses BCC, eBPF. Embedded C.
-#
-# This script is a basic example of the new Linux 4.6+ BPF_STACK_TRACE
-# table API.
-#
-# Copyright 2016 GitHub, Inc.
-# Licensed under the Apache License, Version 2.0 (the "License")
-
-require 'rbbcc'
-include RbBCC
-
-if ARGV.size == 0
-  $stderr.puts("USAGE: mallocstacks PID")
-  exit
-end
-pid = ARGV[0].to_i
-
-# load BPF program
-b = BCC.new(text: <<CLANG)
-#include <uapi/linux/ptrace.h>
-
-BPF_HASH(calls, int);
-BPF_STACK_TRACE(stack_traces, 1024);
-
-int alloc_enter(struct pt_regs *ctx, size_t size) {
-    int key = stack_traces.get_stackid(ctx,
-        BPF_F_USER_STACK|BPF_F_REUSE_STACKID);
-    if (key < 0)
-        return 0;
-
-    // could also use `calls.increment(key, size);`
-    u64 zero = 0, *val;
-    val = calls.lookup_or_init(&key, &zero);
-    if (val)
-      (*val) += size;
-    return 0;
-};
-CLANG
-
-b.attach_uprobe(name: "c", sym: "malloc", fn_name: "alloc_enter", pid: pid)
-puts("Attaching to malloc in pid %d, Ctrl+C to quit." % pid)
-
-# sleep until Ctrl-C
-loop do
-  begin
-    sleep 1
-  rescue Interrupt
-    break # pass
-  end
-end
-calls = b.get_table("calls")
-stack_traces = b.get_table("stack_traces")
-
-calls.items.sort_by{|k, v| v.to_bcc_value }.reverse.each do |(k, v)|
-  puts("%d bytes allocated at:" % v.to_bcc_value)
-  stack_traces.walk(k) do |addr|
-    puts("\t%s" % BCC.sym(addr, pid, show_offset: true))
-  end
-end

data/examples/networking/http_filter/http-parse-simple.c

@@ -1,114 +0,0 @@
-#include <uapi/linux/ptrace.h>
-#include <net/sock.h>
-#include <bcc/proto.h>
-
-#define IP_TCP  6
-#define ETH_HLEN 14
-
-/*eBPF program.
-  Filter IP and TCP packets, having payload not empty
-  and containing "HTTP", "GET", "POST" ... as first bytes of payload
-  if the program is loaded as PROG_TYPE_SOCKET_FILTER
-  and attached to a socket
-  return  0 -> DROP the packet
-  return -1 -> KEEP the packet and return it to user space (userspace can read it from the socket_fd )
-*/
-int http_filter(struct __sk_buff *skb) {
-
-  u8 *cursor = 0;
-
-  struct ethernet_t *ethernet = cursor_advance(cursor, sizeof(*ethernet));
-  //filter IP packets (ethernet type = 0x0800)
-  if (!(ethernet->type == 0x0800)) {
-    goto DROP;
-  }
-
-  struct ip_t *ip = cursor_advance(cursor, sizeof(*ip));
-  //filter TCP packets (ip next protocol = 0x06)
-  if (ip->nextp != IP_TCP) {
-    goto DROP;
-  }
-
-  u32  tcp_header_length = 0;
-  u32  ip_header_length = 0;
-  u32  payload_offset = 0;
-  u32  payload_length = 0;
-
-  //calculate ip header length
-  //value to multiply * 4
-  //e.g. ip->hlen = 5 ; IP Header Length = 5 x 4 byte = 20 byte
-  ip_header_length = ip->hlen << 2;    //SHL 2 -> *4 multiply
-
-        //check ip header length against minimum
-  if (ip_header_length < sizeof(*ip)) {
-    goto DROP;
-  }
-
-        //shift cursor forward for dynamic ip header size
-        void *_ = cursor_advance(cursor, (ip_header_length-sizeof(*ip)));
-
-  struct tcp_t *tcp = cursor_advance(cursor, sizeof(*tcp));
-
-  //calculate tcp header length
-  //value to multiply *4
-  //e.g. tcp->offset = 5 ; TCP Header Length = 5 x 4 byte = 20 byte
-  tcp_header_length = tcp->offset << 2; //SHL 2 -> *4 multiply
-
-  //calculate payload offset and length
-  payload_offset = ETH_HLEN + ip_header_length + tcp_header_length;
-  payload_length = ip->tlen - ip_header_length - tcp_header_length;
-
-  //http://stackoverflow.com/questions/25047905/http-request-minimum-size-in-bytes
-  //minimum length of http request is always geater than 7 bytes
-  //avoid invalid access memory
-  //include empty payload
-  if(payload_length < 7) {
-    goto DROP;
-  }
-
-  //load first 7 byte of payload into p (payload_array)
-  //direct access to skb not allowed
-  unsigned long p[7];
-  int i = 0;
-  for (i = 0; i < 7; i++) {
-    p[i] = load_byte(skb , payload_offset + i);
-  }
-
-  //find a match with an HTTP message
-  //HTTP
-  if ((p[0] == 'H') && (p[1] == 'T') && (p[2] == 'T') && (p[3] == 'P')) {
-    goto KEEP;
-  }
-  //GET
-  if ((p[0] == 'G') && (p[1] == 'E') && (p[2] == 'T')) {
-    goto KEEP;
-  }
-  //POST
-  if ((p[0] == 'P') && (p[1] == 'O') && (p[2] == 'S') && (p[3] == 'T')) {
-    goto KEEP;
-  }
-  //PUT
-  if ((p[0] == 'P') && (p[1] == 'U') && (p[2] == 'T')) {
-    goto KEEP;
-  }
-  //DELETE
-  if ((p[0] == 'D') && (p[1] == 'E') && (p[2] == 'L') && (p[3] == 'E') && (p[4] == 'T') && (p[5] == 'E')) {
-    goto KEEP;
-  }
-  //HEAD
-  if ((p[0] == 'H') && (p[1] == 'E') && (p[2] == 'A') && (p[3] == 'D')) {
-    goto KEEP;
-  }
-
-  //no HTTP match
-  goto DROP;
-
-  //keep the packet and send it to userspace retruning -1
-  KEEP:
-  return -1;
-
-  //drop the packet returning 0
-  DROP:
-  return 0;
-
-}

data/examples/networking/http_filter/http-parse-simple.rb

@@ -1,85 +0,0 @@
-#!/usr/bin/env ruby
-#
-#Original http-parse-simple.py in invisor/bcc
-#Bertrone Matteo - Polytechnic of Turin
-#November 2015
-#Ruby version by Uchio Kondo, License follows
-#
-#eBPF application that parses HTTP packets
-#and extracts (and prints on screen) the URL contained in the GET/POST request.
-#
-#eBPF program http_filter is used as SOCKET_FILTER attached to eth0 interface.
-#only packet of type ip and tcp containing HTTP GET/POST are returned to userspace, others dropped
-#
-#python script uses bcc BPF Compiler Collection by iovisor (https://github.com/iovisor/bcc)
-#and prints on stdout the first line of the HTTP GET/POST request containing the url
-
-require 'rbbcc'
-require 'socket'
-require 'io/nonblock'
-include RbBCC
-
-def usage
-  puts <<-USAGE
-USAGE: #{$0} [-i <if_name>]
-  USAGE
-  exit
-end
-
-interface = "eth0"
-
-if ARGV.size == 2
-  if ARGV[0] == '-i'
-    interface = ARGV[1]
-  else
-    usage
-  end
-elsif ARGV.size != 0
-  usage
-end
-
-puts("binding socket to '%s'" % interface)
-
-bpf = BCC.new(src_file: "http-parse-simple.c")
-
-function_http_filter = bpf.load_func("http_filter", BPF::SOCKET_FILTER)
-
-BCC.attach_raw_socket(function_http_filter, interface)
-
-socket_fd = function_http_filter[:sock]
-
-sock = Socket.for_fd socket_fd
-sock.nonblock = false
-
-ETH_HLEN = 14
-loop do
-  packet_str = sock.sysread(2048)
-  packet_bytearray = packet_str.bytes
-
-  # See original comment...
-  #calculate packet total length
-  total_length = packet_bytearray[ETH_HLEN + 2]                #load MSB
-  total_length = total_length << 8                             #shift MSB
-  total_length = total_length + packet_bytearray[ETH_HLEN + 3] #add LSB
-
-  #calculate ip header length
-  ip_header_length = packet_bytearray[ETH_HLEN]               #load Byte
-  ip_header_length = ip_header_length & 0x0F                  #mask bits 0..3
-  ip_header_length = ip_header_length << 2                    #shift to obtain length
-
-  tcp_header_length = packet_bytearray[ETH_HLEN + ip_header_length + 12]  #load Byte
-  tcp_header_length = tcp_header_length & 0xF0                            #mask bit 4..7
-  tcp_header_length = tcp_header_length >> 2                              #SHR 4 ; SHL 2 -> SHR 2
-
-  payload_offset = ETH_HLEN + ip_header_length + tcp_header_length
-
-  ((payload_offset-1)..(packet_bytearray.size-1)).each do |i|
-    if packet_bytearray[i] == 0x0A
-      if packet_bytearray[i-1] == 0x0D
-        break
-      end
-    end
-    print(packet_bytearray[i].chr)
-  end
-  puts
-end