安装依赖
# Build/runtime deps for BCC: libelf/libbpf, the BCC Python bindings and tools,
# clang/llvm (BCC compiles the BPF C source at run time), and kernel headers
# that match the *running* kernel -- a header/kernel mismatch is the usual
# cause of "failed to load" errors later on.
sudo apt update
sudo apt install -y \
    build-essential clang llvm \
    libelf-dev libbpf-dev \
    "linux-headers-$(uname -r)" \
    python3-bpfcc bpfcc-tools
hello world
编写程序
hello_world.py
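from bcc import BPF

# Kernel side: one kprobe handler. bpf_trace_printk() is a debugging helper
# (at most 3 format args, writes to the single global trace_pipe) -- fine for
# a hello world, not for production tooling. The trailing "\n" keeps each
# message on its own line on kernels whose trace_printk path does not append
# one itself.
program = r"""
int hello_world(void *ctx) {
    bpf_trace_printk("Hello eBPF World!\n");
    return 0;
}
"""

# Compiling/loading the program and attaching a kprobe are privileged
# operations (CAP_SYS_ADMIN, or CAP_BPF + CAP_PERFMON on 5.8+): run as root.
b = BPF(text=program)
# Resolve the arch-specific syscall entry symbol (e.g. __x64_sys_execve)
# instead of hard-coding it.
syscall = b.get_syscall_fnname("execve")
b.attach_kprobe(event=syscall, fn_name="hello_world")

# trace_print() blocks reading /sys/kernel/debug/tracing/trace_pipe. That pipe
# is shared system-wide, so output from any other tracer is interleaved here.
# Stop cleanly on Ctrl-C instead of dumping a traceback.
try:
    b.trace_print()
except KeyboardInterrupt:
    pass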
运行
在一个终端中以 root 权限运行（加载 eBPF 程序并附加 kprobe 需要 CAP_SYS_ADMIN，或 5.8+ 内核上的 CAP_BPF + CAP_PERFMON；普通用户运行会因权限不足而失败）：
sudo python3 hello_world.py
测试
另一个终端中运行
ls
可以在python3 hello_world.py对应的终端中看到输出了
Hello eBPF World!
trace open
编写程序
trace_open.c
#include <uapi/linux/openat2.h>
#include <linux/sched.h>
/* One record per traced openat2() call, shipped to user space via `events`. */
struct data_t {
    u32 pid;                   /* filled from bpf_get_current_pid_tgid() in trace_open */
    char comm[TASK_COMM_LEN];  /* task name from bpf_get_current_comm() */
    char fname[NAME_MAX];      /* path argument copied from the caller's user memory; untrusted input */
};
/* Per-CPU perf ring buffer; the Python side consumes it via open_perf_buffer(). */
BPF_PERF_OUTPUT(events);
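/*
 * kprobe handler for do_sys_openat2(int dfd, const char __user *filename,
 * struct open_how *how); emits one data_t record per call via `events`.
 *
 * NOTE(review): do_sys_openat2 is an internal kernel symbol (5.6+), not a
 * stable ABI -- it may be renamed or inlined on other kernel versions, in
 * which case the attach in trace_open.py fails.
 */
int trace_open(struct pt_regs *ctx, int dfd, const char __user * filename, struct open_how *how) {
    struct data_t data = {};
    /* bpf_get_current_pid_tgid() packs (tgid << 32) | tid. Storing the low
     * half (as before) yields the *thread* id; user space calls the tgid the
     * PID, so shift to get the value `ps`/`kill` would use. */
    data.pid = bpf_get_current_pid_tgid() >> 32;
    if (bpf_get_current_comm(&data.comm, sizeof(data.comm)) == 0) {
        /* `filename` is a __user pointer, so use the _user_str helper rather
         * than plain bpf_probe_read (wrong address space on some arches, and
         * reading a fixed NAME_MAX bytes can run past the string into
         * unmapped memory and fail). The _str variant stops at NUL, always
         * NUL-terminates, and zero-fills on failure. The content is
         * attacker-controlled: treat it as untrusted in user space. */
        bpf_probe_read_user_str(&data.fname, sizeof(data.fname), filename);
    }
    events.perf_submit(ctx, &data, sizeof(data));
    return 0;
}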
trace_open.py
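import sys

from bcc import BPF

# Compile trace_open.c and attach it to do_sys_openat2. Both steps need root
# (CAP_SYS_ADMIN, or CAP_BPF + CAP_PERFMON on 5.8+). do_sys_openat2 is an
# internal kernel symbol (5.6+), not a stable interface, so the attach may
# fail on other kernel versions.
b = BPF(src_file="trace_open.c")
b.attach_kprobe(event="do_sys_openat2", fn_name="trace_open")


def print_event(cpu, data, size):
    """Print one data_t record received from the perf buffer.

    comm and fname are deliberately left as bytes: fname is copied straight
    out of the traced process's memory, so it is attacker-controlled and may
    contain newlines or terminal escape sequences. Printing the bytes repr
    escapes those instead of replaying them on this terminal.
    """
    event = b["events"].event(data)
    print("%s %s %s" % (event.comm, event.pid, event.fname))


def print_lost(lost):
    """Report perf-buffer drops so gaps in the trace are visible, not silent."""
    print("lost %d events" % lost, file=sys.stderr)


b["events"].open_perf_buffer(print_event, lost_cb=print_lost)
# Poll until Ctrl-C; KeyboardInterrupt surfaces from inside perf_buffer_poll().
while True:
    try:
        b.perf_buffer_poll()
    except KeyboardInterrupt:
        break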
运行
在一个终端中以 root 权限运行（加载 eBPF 程序并附加 kprobe 需要 CAP_SYS_ADMIN，或 5.8+ 内核上的 CAP_BPF + CAP_PERFMON；普通用户运行会因权限不足而失败）：
sudo python3 trace_open.py
测试
在另一个终端运行
ls
可以在python3 trace_open.py对应的终端中看到输出了
b'ls' 152758 b'.'