rbbcc 0.3.1 → 0.6.0

data/examples/networking/http_filter/http-parse-simple.c

@@ -0,0 +1,114 @@
+#include <uapi/linux/ptrace.h>
+#include <net/sock.h>
+#include <bcc/proto.h>
+
+#define IP_TCP  6
+#define ETH_HLEN 14
+
+/*eBPF program.
+  Filter IP and TCP packets, having payload not empty
+  and containing "HTTP", "GET", "POST" ... as first bytes of payload
+  if the program is loaded as PROG_TYPE_SOCKET_FILTER
+  and attached to a socket
+  return  0 -> DROP the packet
+  return -1 -> KEEP the packet and return it to user space (userspace can read it from the socket_fd )
+*/
+int http_filter(struct __sk_buff *skb) {
+
+  u8 *cursor = 0;
+
+  struct ethernet_t *ethernet = cursor_advance(cursor, sizeof(*ethernet));
+  //filter IP packets (ethernet type = 0x0800)
+  if (!(ethernet->type == 0x0800)) {
+    goto DROP;
+  }
+
+  struct ip_t *ip = cursor_advance(cursor, sizeof(*ip));
+  //filter TCP packets (ip next protocol = 0x06)
+  if (ip->nextp != IP_TCP) {
+    goto DROP;
+  }
+
+  u32  tcp_header_length = 0;
+  u32  ip_header_length = 0;
+  u32  payload_offset = 0;
+  u32  payload_length = 0;
+
+  //calculate ip header length
+  //value to multiply * 4
+  //e.g. ip->hlen = 5 ; IP Header Length = 5 x 4 byte = 20 byte
+  ip_header_length = ip->hlen << 2;    //SHL 2 -> *4 multiply
+
+        //check ip header length against minimum
+  if (ip_header_length < sizeof(*ip)) {
+    goto DROP;
+  }
+
+        //shift cursor forward for dynamic ip header size
+        void *_ = cursor_advance(cursor, (ip_header_length-sizeof(*ip)));
+
+  struct tcp_t *tcp = cursor_advance(cursor, sizeof(*tcp));
+
+  //calculate tcp header length
+  //value to multiply *4
+  //e.g. tcp->offset = 5 ; TCP Header Length = 5 x 4 byte = 20 byte
+  tcp_header_length = tcp->offset << 2; //SHL 2 -> *4 multiply
+
+  //calculate payload offset and length
+  payload_offset = ETH_HLEN + ip_header_length + tcp_header_length;
+  payload_length = ip->tlen - ip_header_length - tcp_header_length;
+
+  //http://stackoverflow.com/questions/25047905/http-request-minimum-size-in-bytes
+  //minimum length of http request is always geater than 7 bytes
+  //avoid invalid access memory
+  //include empty payload
+  if(payload_length < 7) {
+    goto DROP;
+  }
+
+  //load first 7 byte of payload into p (payload_array)
+  //direct access to skb not allowed
+  unsigned long p[7];
+  int i = 0;
+  for (i = 0; i < 7; i++) {
+    p[i] = load_byte(skb , payload_offset + i);
+  }
+
+  //find a match with an HTTP message
+  //HTTP
+  if ((p[0] == 'H') && (p[1] == 'T') && (p[2] == 'T') && (p[3] == 'P')) {
+    goto KEEP;
+  }
+  //GET
+  if ((p[0] == 'G') && (p[1] == 'E') && (p[2] == 'T')) {
+    goto KEEP;
+  }
+  //POST
+  if ((p[0] == 'P') && (p[1] == 'O') && (p[2] == 'S') && (p[3] == 'T')) {
+    goto KEEP;
+  }
+  //PUT
+  if ((p[0] == 'P') && (p[1] == 'U') && (p[2] == 'T')) {
+    goto KEEP;
+  }
+  //DELETE
+  if ((p[0] == 'D') && (p[1] == 'E') && (p[2] == 'L') && (p[3] == 'E') && (p[4] == 'T') && (p[5] == 'E')) {
+    goto KEEP;
+  }
+  //HEAD
+  if ((p[0] == 'H') && (p[1] == 'E') && (p[2] == 'A') && (p[3] == 'D')) {
+    goto KEEP;
+  }
+
+  //no HTTP match
+  goto DROP;
+
+  //keep the packet and send it to userspace retruning -1
+  KEEP:
+  return -1;
+
+  //drop the packet returning 0
+  DROP:
+  return 0;
+
+}

data/examples/networking/http_filter/http-parse-simple.rb

@@ -0,0 +1,85 @@
+#!/usr/bin/env ruby
+#
+#Original http-parse-simple.py in invisor/bcc
+#Bertrone Matteo - Polytechnic of Turin
+#November 2015
+#Ruby version by Uchio Kondo, License follows
+#
+#eBPF application that parses HTTP packets
+#and extracts (and prints on screen) the URL contained in the GET/POST request.
+#
+#eBPF program http_filter is used as SOCKET_FILTER attached to eth0 interface.
+#only packet of type ip and tcp containing HTTP GET/POST are returned to userspace, others dropped
+#
+#python script uses bcc BPF Compiler Collection by iovisor (https://github.com/iovisor/bcc)
+#and prints on stdout the first line of the HTTP GET/POST request containing the url
+
+require 'rbbcc'
+require 'socket'
+require 'io/nonblock'
+include RbBCC
+
+def usage
+  puts <<-USAGE
+USAGE: #{$0} [-i <if_name>]
+  USAGE
+  exit
+end
+
+interface = "eth0"
+
+if ARGV.size == 2
+  if ARGV[0] == '-i'
+    interface = ARGV[1]
+  else
+    usage
+  end
+elsif ARGV.size != 0
+  usage
+end
+
+puts("binding socket to '%s'" % interface)
+
+bpf = BCC.new(src_file: "http-parse-simple.c")
+
+function_http_filter = bpf.load_func("http_filter", BPF::SOCKET_FILTER)
+
+BCC.attach_raw_socket(function_http_filter, interface)
+
+socket_fd = function_http_filter[:sock]
+
+sock = Socket.for_fd socket_fd
+sock.nonblock = false
+
+ETH_HLEN = 14
+loop do
+  packet_str = sock.sysread(2048)
+  packet_bytearray = packet_str.bytes
+
+  # See original comment...
+  #calculate packet total length
+  total_length = packet_bytearray[ETH_HLEN + 2]                #load MSB
+  total_length = total_length << 8                             #shift MSB
+  total_length = total_length + packet_bytearray[ETH_HLEN + 3] #add LSB
+
+  #calculate ip header length
+  ip_header_length = packet_bytearray[ETH_HLEN]               #load Byte
+  ip_header_length = ip_header_length & 0x0F                  #mask bits 0..3
+  ip_header_length = ip_header_length << 2                    #shift to obtain length
+
+  tcp_header_length = packet_bytearray[ETH_HLEN + ip_header_length + 12]  #load Byte
+  tcp_header_length = tcp_header_length & 0xF0                            #mask bit 4..7
+  tcp_header_length = tcp_header_length >> 2                              #SHR 4 ; SHL 2 -> SHR 2
+
+  payload_offset = ETH_HLEN + ip_header_length + tcp_header_length
+
+  ((payload_offset-1)..(packet_bytearray.size-1)).each do |i|
+    if packet_bytearray[i] == 0x0A
+      if packet_bytearray[i-1] == 0x0D
+        break
+      end
+    end
+    print(packet_bytearray[i].chr)
+  end
+  puts
+end

data/examples/ruby_usdt.rb

@@ -0,0 +1,105 @@
+#!/usr/bin/env ruby
+# To run this example, please build the target ruby with an `--enable-dtrace` option in advance.
+# To build via rbenv, sample command is:
+#     $ RUBY_CONFIGURE_OPTS='--enable-dtrace' rbenv install 2.7.0
+#
+# Example autput:
+#     # bundle exec ruby examples/ruby_usdt.rb $(pidof irb)
+#     TIME(s)            COMM   KLASS                    PATH
+#     0.000000000        irb    Struct::Key              /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline.rb
+#     0.000055206        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.000088588        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000117740        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000126697        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000213388        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.000225678        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000243638        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.000254680        irb    Range                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/ruby-lex.rb
+#     0.000264707        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000275579        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000282438        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.000326136        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb.rb
+#     0.001353621        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001385320        irb    IRB::Color::SymbolState  /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/color.rb
+#     0.001397043        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/color.rb
+#     0.001416420        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001423861        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001462010        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001478995        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001487499        irb    Range                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb/ruby-lex.rb
+#     0.001496666        irb    Ripper::Lexer            /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001508224        irb    Ripper::Lexer::Elem      /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001515143        irb    Ripper::Lexer::State     /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/ripper/lexer.rb
+#     0.001556170        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/irb.rb
+#     0.001726273        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001946948        irb    Array                    /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline/line_editor.rb
+#     0.001956585        irb    String                   /root/.rbenv/versions/2.7.0/lib/ruby/2.7.0/reline.rb
+
+require 'rbbcc'
+include RbBCC
+
+pid = ARGV[0] || begin
+  puts("USAGE: #{$0} PID")
+  exit()
+end
+debug = !!ENV['DEBUG']
+
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct data_t {
+    u64 ts;
+    char comm[TASK_COMM_LEN];
+    char klass[64];
+    char path[256];
+};
+BPF_PERF_OUTPUT(events);
+
+int do_trace_create_object(struct pt_regs *ctx) {
+    struct data_t data = {};
+    uint64_t addr, addr2;
+
+    data.ts = bpf_ktime_get_ns();
+
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    bpf_usdt_readarg_p(1, ctx, &data.klass, sizeof(data.klass));
+    bpf_usdt_readarg_p(2, ctx, &data.path, sizeof(data.path));
+
+    events.perf_submit(ctx, &data, sizeof(data));
+
+    return 0;
+};
+BPF
+
+u = USDT.new(pid: pid.to_i)
+u.enable_probe(probe: "object__create", fn_name: "do_trace_create_object")
+if debug
+  puts(u.get_text)
+  puts(bpf_text)
+end
+
+# initialize BPF
+b = BCC.new(text: bpf_text, usdt_contexts: [u])
+
+puts("%-18s %-6s %-24s %s" % ["TIME(s)", "COMM", "KLASS", "PATH"])
+
+# process event
+start = 0
+b["events"].open_perf_buffer do |cpu, data, size|
+  event = b["events"].event(data)
+  if start == 0
+    start = event.ts
+  end
+
+  time_s = ((event.ts - start).to_f) / 1000000000
+  puts(
+    "%-18.9f %-6s %-24s %s" %
+    [time_s, event.comm, event.klass, event.path]
+  )
+end
+
+Signal.trap(:INT) { puts "\nDone."; exit }
+loop do
+  b.perf_buffer_poll()
+end

data/examples/sbrk_trace.rb

@@ -0,0 +1,204 @@
+#!/usr/bin/env ruby
+# Trace example for libc's USDT:
+# - memory_sbrk_more
+# - memory_sbrk_less
+# - memory_mallopt_free_dyn_thresholds
+# Description is here: https://www.gnu.org/software/libc/manual/html_node/Memory-Allocation-Probes.html
+#
+# Example output:
+# bundle exec ruby examples/sbrk_trace.rb -c ruby
+# !! Trace start.
+# [       0.000000000] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x55f34b979000 size=135168
+# [       0.036549804] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9760000 size=135168
+# [       0.036804183] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9781000 size=143360
+# [       0.036855378] pid=32756 comm=ruby probe=memory_sbrk_less addr=0x557fd97a0000 size=16384
+# [       0.036931376] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97a0000 size=147456
+# [       0.036940382] pid=32756 comm=ruby probe=memory_sbrk_less addr=0x557fd97c0000 size=16384
+# [       0.037022971] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97c0000 size=151552
+# [       0.038602464] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd97e5000 size=204800
+# [       0.039398297] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9817000 size=135168
+# [       0.039909594] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9838000 size=135168
+# [       0.040536005] pid=32756 comm=ruby probe=memory_sbrk_more addr=0x557fd9859000 size=163840
+# ...
+
+require 'rbbcc'
+include RbBCC
+
+def usage
+  puts("USAGE: #{$0} [-p PID|-c COMM]")
+  exit()
+end
+
+def find_libc_location
+  if File.exist?('/lib/x86_64-linux-gnu/libc.so.6')
+    '/lib/x86_64-linux-gnu/libc.so.6'
+  else
+    `find /lib -name 'libc.so*' | grep -v musl | head -1`.chomp
+  end
+end
+
+usage if ARGV.size != 0 && ARGV.size != 2
+
+pid = comm = nil
+path = find_libc_location
+case ARGV[0]
+when '-p', '--pid'
+  pid = ARGV[1].to_i
+when '-c', '--comm'
+  comm = ARGV[1]
+when nil
+  # nop
+else
+  usage
+end
+
+debug = !!ENV['DEBUG']
+
+bpf_text = <<BPF
+#include <uapi/linux/ptrace.h>
+#include <linux/sched.h>
+
+struct data_t {
+    u32 type;
+    u64 ts;
+    u32 pid;
+    char comm[TASK_COMM_LEN];
+    u64 addr;
+    u32 sbrk_size;
+    u32 adjusted_mmap;
+    u32 trim_thresholds;
+};
+BPF_PERF_OUTPUT(events);
+
+static inline bool streq(uintptr_t str) {
+    char needle[] = "{{NEEDLE}}";
+    char haystack[sizeof(needle)];
+    bpf_probe_read(&haystack, sizeof(haystack), (void *)str);
+    for (int i = 0; i < sizeof(needle) - 1; ++i) {
+        if (needle[i] != haystack[i]) {
+            return false;
+        }
+    }
+    return true;
+}
+
+#define PROBE_TYPE_more 1
+#define PROBE_TYPE_less 2
+#define PROBE_TYPE_free 3
+
+{{FUNC_MORE}}
+
+{{FUNC_LESS}}
+
+int trace_memory_free(struct pt_regs *ctx) {
+    struct data_t data = {};
+    long buf;
+
+    data.type = PROBE_TYPE_free;
+    data.ts = bpf_ktime_get_ns();
+    data.pid = bpf_get_current_pid_tgid();
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    {{NEEDLE_START}}
+    bpf_usdt_readarg(1, ctx, &buf);
+    data.adjusted_mmap = buf;
+
+    bpf_usdt_readarg(2, ctx, &buf);
+    data.trim_thresholds = buf;
+
+    events.perf_submit(ctx, &data, sizeof(data));
+    {{NEEDLE_END}}
+
+    return 0;
+};
+
+BPF
+
+trace_fun_sbrk = <<FUNC
+int trace_memory_sbrk_{{TYPE}}(struct pt_regs *ctx) {
+    struct data_t data = {};
+    long buf;
+
+    data.type = PROBE_TYPE_{{TYPE}};
+    data.ts = bpf_ktime_get_ns();
+    data.pid = bpf_get_current_pid_tgid();
+    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+
+    {{NEEDLE_START}}
+    bpf_usdt_readarg(1, ctx, &buf);
+    data.addr = buf;
+
+    bpf_usdt_readarg(2, ctx, &buf);
+    data.sbrk_size = buf;
+
+    events.perf_submit(ctx, &data, sizeof(data));
+    {{NEEDLE_END}}
+
+    return 0;
+};
+FUNC
+
+PROBE_TYPE_more = 1
+PROBE_TYPE_less = 2
+PROBE_TYPE_free = 3
+PROBE_MAP = {
+  PROBE_TYPE_more => 'memory_sbrk_more',
+  PROBE_TYPE_less => 'memory_sbrk_less',
+  PROBE_TYPE_free => 'memory_mallopt_free_dyn_thresholds'
+}
+
+bpf_text.sub!('{{FUNC_MORE}}', trace_fun_sbrk.gsub('{{TYPE}}', 'more'))
+bpf_text.sub!('{{FUNC_LESS}}', trace_fun_sbrk.gsub('{{TYPE}}', 'less'))
+
+if comm
+  bpf_text.sub!('{{NEEDLE}}', comm)
+  bpf_text.gsub!('{{NEEDLE_START}}', "if(streq((uintptr_t)data.comm)) {")
+  bpf_text.gsub!('{{NEEDLE_END}}', "}")
+else
+  bpf_text.sub!('{{NEEDLE}}', "")
+  bpf_text.gsub!('{{NEEDLE_START}}', "")
+  bpf_text.gsub!('{{NEEDLE_END}}', "")
+end
+
+u = USDT.new(pid: pid, path: path)
+u.enable_probe(probe: "memory_sbrk_more", fn_name: "trace_memory_sbrk_more")
+u.enable_probe(probe: "memory_sbrk_less", fn_name: "trace_memory_sbrk_less")
+if pid
+  # FIXME: Only available when PID is specified
+  # otherwise got an error:
+  #     bpf: Failed to load program: Invalid argument
+  #     last insn is not an exit or jmp
+  # It seems libbcc won't generate proper readarg helper
+  u.enable_probe(probe: "memory_mallopt_free_dyn_thresholds", fn_name: "trace_memory_free")
+end
+
+# initialize BPF
+b = BCC.new(text: bpf_text, usdt_contexts: [u])
+
+puts "!! Trace start."
+# process event
+start = 0
+b["events"].open_perf_buffer do |cpu, data, size|
+  event = b["events"].event(data)
+  if start == 0
+    start = event.ts
+  end
+
+  time_s = ((event.ts - start).to_f) / 1000000000
+  if [PROBE_TYPE_more, PROBE_TYPE_less].include?(event.type)
+    puts(
+      "[%18.9f] pid=%d comm=%s probe=%s addr=%#x size=%d" %
+      [time_s, event.pid, event.comm, PROBE_MAP[event.type], event.addr, event.sbrk_size]
+    )
+  else
+    puts(
+      "[%18.9f] pid=%d comm=%s probe=%s adjusted_mmap=%d trim_thresholds=%d" %
+      [time_s, event.pid, event.comm, PROBE_MAP[event.type], event.adjusted_mmap, event.trim_thresholds]
+    )
+  end
+end
+
+Signal.trap(:INT) { puts "\n!! Done."; exit }
+loop do
+  b.perf_buffer_poll()
+end