rbbcc 0.11.5 → 0.11.6
- checksums.yaml +4 -4
- data/Gemfile.lock +1 -1
- data/examples/ringbuf_pin_a.rb +51 -0
- data/examples/ringbuf_pin_b.rb +29 -0
- data/lib/rbbcc/consts.rb +5 -1
- data/lib/rbbcc/table.rb +35 -3
- data/lib/rbbcc/version.rb +1 -1
- metadata +3 -1
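--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA256:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 4bd5c0ae3d72c8e4e931d4ecb48872212c1389dd56897a5c16ca3626a1a7a725
+data.tar.gz: c117a487cbc4c1b5fed3df4eea8813d4b6c16ea3c6dcd306e41b504fb2776bc3
 SHA512:
-metadata.gz:
-data.tar.gz:
+metadata.gz: 1c11515d0a7b919ffaa6c0001cc74b96f0bbc217e07fa46c2fe6b37398499a6cb81fac23425e45f32b8802b6b90a6c107f845ef3b610ea7838d8b29178129adc
+data.tar.gz: 253c500eebc928aa13327496b4cdb96f844a91df06aa5c4bf85561a1958f2c181f792e24262b1ae9d5ac0562796ffb475ae178b2a88a8451f17e50f6c1f7f727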
data/Gemfile.lock
CHANGED
|
@@ -0,0 +1,51 @@
|
|
|
1
|
+
#!/usr/bin/env ruby
|
|
2
|
+
require 'rbbcc'
|
|
3
|
+
include RbBCC
|
|
4
|
+
|
|
5
|
+
PIN_PATH = "/sys/fs/bpf/pinned_ringbuf"
|
|
6
|
+
|
|
7
|
+
if File.exist?(PIN_PATH)
|
|
8
|
+
puts "Removing old pinned map at #{PIN_PATH}..."
|
|
9
|
+
File.unlink(PIN_PATH)
|
|
10
|
+
end
|
|
11
|
+
|
|
12
|
+
bpf_text = <<~CLANG
|
|
13
|
+
#include <uapi/linux/ptrace.h>
|
|
14
|
+
|
|
15
|
+
struct data_t {
|
|
16
|
+
u32 pid;
|
|
17
|
+
char comm[16];
|
|
18
|
+
};
|
|
19
|
+
|
|
20
|
+
BPF_RINGBUF_OUTPUT(events, 4);
|
|
21
|
+
|
|
22
|
+
int trace_uname(struct pt_regs *ctx) {
|
|
23
|
+
struct data_t *data = events.ringbuf_reserve(sizeof(struct data_t));
|
|
24
|
+
if (!data) return 0;
|
|
25
|
+
|
|
26
|
+
data->pid = bpf_get_current_pid_tgid() >> 32;
|
|
27
|
+
bpf_get_current_comm(&data->comm, sizeof(data->comm));
|
|
28
|
+
|
|
29
|
+
events.ringbuf_submit(data, 0);
|
|
30
|
+
return 0;
|
|
31
|
+
}
|
|
32
|
+
CLANG
|
|
33
|
+
|
|
34
|
+
puts "Process A (Ruby): Loading BPF and attaching tracepoint..."
|
|
35
|
+
b = BCC.new(text: bpf_text)
|
|
36
|
+
b.attach_tracepoint(tp: "syscalls:sys_enter_newuname", fn_name: "trace_uname")
|
|
37
|
+
|
|
38
|
+
puts "Process A (Ruby): Pinning ringbuf map to #{PIN_PATH}..."
|
|
39
|
+
b["events"].pin!(PIN_PATH)
|
|
40
|
+
|
|
41
|
+
puts "\n[Process A Active] Kept alive to feed events. Press Ctrl+C to stop."
|
|
42
|
+
begin
|
|
43
|
+
loop do
|
|
44
|
+
sleep 1
|
|
45
|
+
end
|
|
46
|
+
ensure
|
|
47
|
+
if File.exist?(PIN_PATH)
|
|
48
|
+
puts "\nUnpinning map..."
|
|
49
|
+
File.unlink(PIN_PATH)
|
|
50
|
+
end
|
|
51
|
+
end
|
|
@@ -0,0 +1,29 @@
|
|
|
1
|
+
#!/usr/bin/env ruby
|
|
2
|
+
require 'rbbcc'
|
|
3
|
+
include RbBCC
|
|
4
|
+
|
|
5
|
+
PIN_PATH = "/sys/fs/bpf/pinned_ringbuf"
|
|
6
|
+
|
|
7
|
+
type = "struct data_t {
|
|
8
|
+
u32 pid;
|
|
9
|
+
char comm[16];
|
|
10
|
+
};"
|
|
11
|
+
|
|
12
|
+
puts "Process B (Ruby): Initializing consumer client..."
|
|
13
|
+
buf = RingBuf.from_pin(PIN_PATH, type, 4)
|
|
14
|
+
|
|
15
|
+
# ring_buffer listner
|
|
16
|
+
buf.open_ring_buffer do |cpu, data, size|
|
|
17
|
+
event = buf.event(data)
|
|
18
|
+
puts "[Process B Captured] PID: #{event.pid.to_s.ljust(6)} | COMMAND: #{event.comm}"
|
|
19
|
+
end
|
|
20
|
+
|
|
21
|
+
puts "\n[Process B Active] Successfully hooked to pinned map (FD: #{buf.map_fd}). Listening for events...\n\n"
|
|
22
|
+
|
|
23
|
+
begin
|
|
24
|
+
loop do
|
|
25
|
+
buf.ring_buffer_poll()
|
|
26
|
+
end
|
|
27
|
+
rescue Interrupt
|
|
28
|
+
puts "\nExiting Process B."
|
|
29
|
+
end
|
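Review bot: In the consumer example (the second hunk, `@@ -0,0 +1,29 @@`), the `open_ring_buffer` callback receives `size` but never uses it, while `buf.event(data)` copies a full struct's worth of bytes out of `data` whatever the record length is (see the `event` hunks in table.rb). The map is opened from a pin created by a different process, so nothing ties this `struct data_t` to the producer's layout, and a mismatch would be decoded silently rather than rejected. I would add a comment above the `type` string, for example `# Must match the producer's struct data_t byte for byte; event() copies the whole struct without checking the record size`, and mention in the example that `size` is available in the callback for a length check before decoding.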
data/lib/rbbcc/consts.rb
CHANGED
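--- a/data/lib/rbbcc/table.rb
+++ b/data/lib/rbbcc/table.rb
@@ -40,6 +40,8 @@ module RbBCC
 fields << [field_type, field_name].join(" ")
 end
 end
+return nil if fields.empty?
+
 klass = Fiddle::Importer.struct(fields)
 char_ps = fields.select {|f| f =~ /^char\[(\d+)\] ([_a-zA-Z0-9]+)/ }
 unless char_ps.empty?
@@ -280,6 +282,11 @@ module RbBCC
 false # TODO: implement me in the future
 end
 
+# Just a wrapper to BCC class method
+def pin!(path)
+BCC.pin!(self.map_fd, path)
+end
+
 private
 def normalize_key(key)
 case key
@@ -368,7 +375,7 @@ module RbBCC
 end
 
 def event(data)
-@event_class ||= get_event_class
+@event_class ||= (get_event_class || self.leaftype)
 ev = @event_class.malloc
 Fiddle::Pointer.new(ev.to_ptr)[0, @event_class.size] = data[0, @event_class.size]
 return ev
@@ -429,7 +436,28 @@ module RbBCC
 
 class RingBuf < TableBase
 include EventTypeSupported
-
+
+# Make a dynamic BCC program to load the pinned ringbuf map
+def self.from_pin(path, leaftype, size, name: "events")
+map_fd = Clib.bpf_obj_get(path)
+if map_fd < 0
+raise SystemCallError.new("Could not open pinned map", Fiddle.last_error)
+end
+leaftype_typename = case leaftype
+when /\Astruct\s+(\w+)\s+{/m
+"struct #{Regexp.last_match(1)}"
+else
+leaftype
+end
+
+prog = <<~CLANG
+#{leaftype}
+BPF_TABLE_PINNED("ringbuf", u32, #{leaftype_typename}, #{name}, #{size}, "#{path}");
+CLANG
+b = BCC.new(text: prog)
+b[name.to_s]
+end
+
 def initialize(bpf, map_id, map_fd, keytype, leaftype, name: nil)
 super
 @_ringbuf = nil
@@ -438,7 +466,7 @@ module RbBCC
 end
 
 def event(data)
-@event_class ||= get_event_class
+@event_class ||= (get_event_class || self.leaftype)
 ev = @event_class.malloc
 Fiddle::Pointer.new(ev.to_ptr)[0, @event_class.size] = data[0, @event_class.size]
 return ev
@@ -470,6 +498,10 @@ module RbBCC
 @bpf._open_ring_buffer(@map_fd, fn, ctx)
 nil
 end
+
+def ring_buffer_poll(timeout=-1)
+@bpf.ring_buffer_poll(timeout)
+end
 end
 
 class StackTrace < TableBase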
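Review bot: In `RingBuf.from_pin`, `path`, `name`, `size` and `leaftype` are interpolated unescaped into the C text passed to `BCC.new`, so a pin path containing `"` or a newline changes the program that is compiled and loaded instead of simply failing to open. Validate the values before building `prog`, e.g. `raise ArgumentError, "invalid pin path" unless path.match?(%r{\A[\w./-]+\z})`, `raise ArgumentError, "invalid map name" unless name.to_s.match?(/\A\w+\z/)` and `size = Integer(size)`. Separately, the descriptor returned by `Clib.bpf_obj_get(path)` is used only for the `< 0` check and is never closed or handed to the table, so each call appears to leak one fd; close it after the check or reuse it. The two `event` hunks fall back to `self.leaftype`, but if that is also nil the next line still calls `.malloc` on nil, which a short `raise` with a descriptive message would make easier to diagnose.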
data/lib/rbbcc/version.rb
CHANGED
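--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rbbcc
 version: !ruby/object:Gem::Version
-version: 0.11.
+version: 0.11.6
 platform: ruby
 authors:
 - Uchio Kondo
@@ -99,6 +99,8 @@ files:
 - examples/pin_maps_a.rb
 - examples/pin_maps_b.rb
 - examples/py-orig/sockblock.py
+- examples/ringbuf_pin_a.rb
+- examples/ringbuf_pin_b.rb
 - examples/ruby_usdt.rb
 - examples/sbrk_trace.rb
 - examples/ssl_http_trace.rb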