Merge pull request #57 from OpenCloudOS/dev

monitor mode

Author: menglongdong

component/sys_utils.h

@@ -54,7 +54,7 @@ do {						\
 
 #define pr_info(fmt, args...)	pr_level(0, stdout, fmt, ##args)
 #define pr_verb(fmt, args...)	pr_level(1, stdout, fmt, ##args)
-#define pr_warn(fmt, args...)	pr_level(1, stderr, "\033[0;34mWARN: "fmt"\033[0m", ##args)
+#define pr_warn(fmt, args...)	pr_level(0, stderr, "\033[0;34mWARN: "fmt"\033[0m", ##args)
 #define pr_err(fmt, args...)	pr_level(0, stderr, "\033[0;31mERROR: "fmt"\033[0m", ##args)
 #define pr_debug(fmt, args...)	pr_level(2, stdout, "DEBUG: "fmt, ##args)
 

shared/bpf/skb_shared.h

@@ -13,6 +13,13 @@
 #define __nt_placehold_arg_3		3,
 #define __nt_placehold_arg_4		4,
 #define __nt_placehold_arg_5		5,
+#define __nt_placehold_arg_6		6,
+#define __nt_placehold_arg_7		7,
+#define __nt_placehold_arg_8		8,
+#define __nt_placehold_arg_9		9,
+#define __nt_placehold_arg_10		10,
+#define __nt_placehold_arg_11		11,
+#define __nt_placehold_arg_12		12,
 
 #define ____nt_ternary_take(a, b, c)	nt_take_2th(a b, c)
 #define __nt_ternary_take(a, b, c)	\
@@ -33,7 +40,7 @@ typedef struct {
 	u16	dport;
 } l4_min_t;
 
-typedef struct __attribute__((__packed__)) {
+typedef struct {
 	u64	ts;
 	union {
 		struct {
@@ -79,7 +86,7 @@ typedef struct __attribute__((__packed__)) {
 	u8 pad;
 } packet_t;
 
-typedef struct __attribute__((__packed__)) {
+typedef struct {
 	u64	ts;
 	union {
 		struct {

shared/bpf/vmlinux_arm64.h

@@ -28180,7 +28180,46 @@ enum bpf_func_id {
 	BPF_FUNC_timer_set_callback = 170,
 	BPF_FUNC_timer_start = 171,
 	BPF_FUNC_timer_cancel = 172,
-	__BPF_FUNC_MAX_ID = 173,
+	BPF_FUNC_get_func_ip = 173,
+	BPF_FUNC_get_attach_cookie = 174,
+	BPF_FUNC_task_pt_regs = 175,
+	BPF_FUNC_get_branch_snapshot = 176,
+	BPF_FUNC_trace_vprintk = 177,
+	BPF_FUNC_skc_to_unix_sock = 178,
+	BPF_FUNC_kallsyms_lookup_name = 179,
+	BPF_FUNC_find_vma = 180,
+	BPF_FUNC_loop = 181,
+	BPF_FUNC_strncmp = 182,
+	BPF_FUNC_get_func_arg = 183,
+	BPF_FUNC_get_func_ret = 184,
+	BPF_FUNC_get_func_arg_cnt = 185,
+	BPF_FUNC_get_retval = 186,
+	BPF_FUNC_set_retval = 187,
+	BPF_FUNC_xdp_get_buff_len = 188,
+	BPF_FUNC_xdp_load_bytes = 189,
+	BPF_FUNC_xdp_store_bytes = 190,
+	BPF_FUNC_copy_from_user_task = 191,
+	BPF_FUNC_skb_set_tstamp = 192,
+	BPF_FUNC_ima_file_hash = 193,
+	BPF_FUNC_kptr_xchg = 194,
+	BPF_FUNC_map_lookup_percpu_elem = 195,
+	BPF_FUNC_skc_to_mptcp_sock = 196,
+	BPF_FUNC_dynptr_from_mem = 197,
+	BPF_FUNC_ringbuf_reserve_dynptr = 198,
+	BPF_FUNC_ringbuf_submit_dynptr = 199,
+	BPF_FUNC_ringbuf_discard_dynptr = 200,
+	BPF_FUNC_dynptr_read = 201,
+	BPF_FUNC_dynptr_write = 202,
+	BPF_FUNC_dynptr_data = 203,
+	BPF_FUNC_tcp_raw_gen_syncookie_ipv4 = 204,
+	BPF_FUNC_tcp_raw_gen_syncookie_ipv6 = 205,
+	BPF_FUNC_tcp_raw_check_syncookie_ipv4 = 206,
+	BPF_FUNC_tcp_raw_check_syncookie_ipv6 = 207,
+	BPF_FUNC_ktime_get_tai_ns = 208,
+	BPF_FUNC_user_ringbuf_drain = 209,
+	BPF_FUNC_cgrp_storage_get = 210,
+	BPF_FUNC_cgrp_storage_delete = 211,
+	__BPF_FUNC_MAX_ID = 212,
 };
 
 enum {

shared/bpf/vmlinux_x86.h

@@ -34236,7 +34236,46 @@ enum bpf_func_id {
 	BPF_FUNC_timer_set_callback = 170,
 	BPF_FUNC_timer_start = 171,
 	BPF_FUNC_timer_cancel = 172,
-	__BPF_FUNC_MAX_ID = 173,
+	BPF_FUNC_get_func_ip = 173,
+	BPF_FUNC_get_attach_cookie = 174,
+	BPF_FUNC_task_pt_regs = 175,
+	BPF_FUNC_get_branch_snapshot = 176,
+	BPF_FUNC_trace_vprintk = 177,
+	BPF_FUNC_skc_to_unix_sock = 178,
+	BPF_FUNC_kallsyms_lookup_name = 179,
+	BPF_FUNC_find_vma = 180,
+	BPF_FUNC_loop = 181,
+	BPF_FUNC_strncmp = 182,
+	BPF_FUNC_get_func_arg = 183,
+	BPF_FUNC_get_func_ret = 184,
+	BPF_FUNC_get_func_arg_cnt = 185,
+	BPF_FUNC_get_retval = 186,
+	BPF_FUNC_set_retval = 187,
+	BPF_FUNC_xdp_get_buff_len = 188,
+	BPF_FUNC_xdp_load_bytes = 189,
+	BPF_FUNC_xdp_store_bytes = 190,
+	BPF_FUNC_copy_from_user_task = 191,
+	BPF_FUNC_skb_set_tstamp = 192,
+	BPF_FUNC_ima_file_hash = 193,
+	BPF_FUNC_kptr_xchg = 194,
+	BPF_FUNC_map_lookup_percpu_elem = 195,
+	BPF_FUNC_skc_to_mptcp_sock = 196,
+	BPF_FUNC_dynptr_from_mem = 197,
+	BPF_FUNC_ringbuf_reserve_dynptr = 198,
+	BPF_FUNC_ringbuf_submit_dynptr = 199,
+	BPF_FUNC_ringbuf_discard_dynptr = 200,
+	BPF_FUNC_dynptr_read = 201,
+	BPF_FUNC_dynptr_write = 202,
+	BPF_FUNC_dynptr_data = 203,
+	BPF_FUNC_tcp_raw_gen_syncookie_ipv4 = 204,
+	BPF_FUNC_tcp_raw_gen_syncookie_ipv6 = 205,
+	BPF_FUNC_tcp_raw_check_syncookie_ipv4 = 206,
+	BPF_FUNC_tcp_raw_check_syncookie_ipv6 = 207,
+	BPF_FUNC_ktime_get_tai_ns = 208,
+	BPF_FUNC_user_ringbuf_drain = 209,
+	BPF_FUNC_cgrp_storage_get = 210,
+	BPF_FUNC_cgrp_storage_delete = 211,
+	__BPF_FUNC_MAX_ID = 212,
 };
 
 enum {

shared/bpf_utils.c

@@ -11,6 +11,7 @@
 #include <unistd.h>
 
 #include <sys_utils.h>
+#include <bpf/btf.h>
 
 #include "bpf_utils.h"
 
@@ -112,3 +113,35 @@ exist:;
 
 	return 0;
 }
+
+static struct btf *local_btf;
+const struct btf_type *btf_get_type(char *name)
+{
+	const struct btf_type *t;
+	int id;
+
+	if (!local_btf)
+		local_btf= btf__load_vmlinux_btf();
+
+	id = btf__find_by_name(local_btf, name);
+	if (id < 0)
+		return NULL;
+
+	t = btf__type_by_id(local_btf, id);
+	return t;
+}
+
+int btf_get_arg_count(char *name)
+{
+	const struct btf_type *t;
+
+	t = btf_get_type(name);
+	if (!t)
+		return -ENOENT;
+
+	t = btf__type_by_id(local_btf, t->type);
+	if (!t)
+		return -ENOENT;
+
+	return btf_vlen(t);
+}

shared/bpf_utils.h

@@ -63,5 +63,7 @@ static inline int perf_output(int fd, perf_buffer_sample_fn fn)
 }
 
 int compat_bpf_attach_kprobe(int fd, char *name, bool ret);
+const struct btf_type *btf_get_type(char *name);
+int btf_get_arg_count(char *name);
 
 #endif

src/Makefile

@@ -1,12 +1,15 @@
 ROOT		?= $(abspath ../)
-bpf_progs	:= progs/tracing progs/kprobe
+bpf_progs	:= progs/kprobe
 progs		:= nettrace
 prog-nettrace-origin = \
 		trace.c $(COMMON_SHARED) trace_probe.c trace_tracing.c \
 		analysis.c $(COMPONENT)/parse_sym.c trace_group.c \
 		dropreason.c
 prog-nettrace	= $(prog-nettrace-origin) nettrace.c
 
+ifndef COMPAT
+	bpf_progs += progs/tracing progs/feat_args_ext
+endif
 
 BPF_EXTRA_DEP := kheaders.h
 include ../common.mk
@@ -28,7 +31,7 @@ progs/kprobe_trace.h:
 trace_group.c: trace.yaml
 	python3 gen_trace.py > trace_group.c
 
-progs/kprobe.c: progs/kprobe_trace.h
+progs/*.c: progs/kprobe_trace.h
 	@:
 
 nettrace.c: $(prog-nettrace-origin)

src/analysis.c

@@ -289,8 +289,8 @@ void analy_ctx_handle(analy_ctx_t *ctx)
 	analy_ctx_free(ctx);
 }
 
-static int try_run_analyzer(trace_t *trace, analyzer_t *analyzer,
-			    analy_entry_t *entry)
+static int try_run_entry(trace_t *trace, analyzer_t *analyzer,
+			 analy_entry_t *entry)
 {
 	if (analyzer && (analyzer->mode & (1 << trace_ctx.mode)) &&
 	    analyzer->analy_entry)
@@ -299,6 +299,16 @@ static int try_run_analyzer(trace_t *trace, analyzer_t *analyzer,
 	return RESULT_CONT;
 }
 
+static int try_run_exit(trace_t *trace, analyzer_t *analyzer,
+			analy_exit_t *exit)
+{
+	if (analyzer && (analyzer->mode & (1 << trace_ctx.mode)) &&
+	    analyzer->analy_exit)
+		return analyzer->analy_exit(trace, exit);
+
+	return RESULT_CONT;
+}
+
 void tl_poll_handler(void *raw_ctx, int cpu, void *data, u32 size)
 {
 	static char buf[1024], tinfo[128];
@@ -340,7 +350,7 @@ void tl_poll_handler(void *raw_ctx, int cpu, void *data, u32 size)
 
 	entry->ctx = analy_ctx;
 	entry->fake_ctx = fake;
-	switch (try_run_analyzer(trace, analyzer, entry)) {
+	switch (try_run_entry(trace, analyzer, entry)) {
 	case RESULT_CONSUME:
 		goto check_pending;
 	case RESULT_CONT:
@@ -349,7 +359,7 @@ void tl_poll_handler(void *raw_ctx, int cpu, void *data, u32 size)
 		break;
 	}
 
-	switch (try_run_analyzer(trace, trace->analyzer, entry)) {
+	switch (try_run_entry(trace, trace->analyzer, entry)) {
 	case RESULT_CONSUME:
 		goto check_pending;
 	case RESULT_CONT:
@@ -407,17 +417,33 @@ do_ret:;
 	}
 }
 
+static inline void do_basic_poll(analy_entry_t *entry)
+{
+	trace_t *trace;
+
+	trace = get_trace_from_analy_entry(entry);
+	try_run_entry(trace, trace->analyzer, entry);
+
+	if (trace_ctx.mode == TRACE_MODE_MONITOR) {
+		analy_exit_t analy_exit = {
+			.event = {
+				.val = entry->event->retval,
+			},
+			.entry = entry,
+		};
+		try_run_exit(trace, trace->analyzer, &analy_exit);
+	}
+
+	analy_entry_handle(entry);
+}
+
 void basic_poll_handler(void *ctx, int cpu, void *data, u32 size)
 {
 	analy_entry_t entry = {
 		.event = data,
 		.cpu = cpu
 	};
-	trace_t *trace;
-
-	trace = get_trace_from_analy_entry(&entry);
-	try_run_analyzer(trace, trace->analyzer, &entry);
-	analy_entry_handle(&entry);
+	do_basic_poll(&entry);
 }
 
 static pthread_mutex_t mutex = PTHREAD_MUTEX_INITIALIZER;
@@ -439,9 +465,7 @@ static void *do_async_poll(void *arg)
 		pthread_mutex_unlock(&mutex);
 
 		list_for_each_entry_safe(entry, pos, &head, list) {
-			trace = get_trace_from_analy_entry(entry);
-			try_run_analyzer(trace, trace->analyzer, entry);
-			analy_entry_handle(entry);
+			do_basic_poll(entry);
 			list_del(&entry->list);
 			analy_entry_free(entry);
 		}
@@ -513,6 +537,8 @@ static inline void rule_run(analy_entry_t *entry, trace_t *trace, int ret)
 		if (!hit)
 			continue;
 		entry->rule = rule;
+		if (!mode_has_context())
+			break;
 		switch (rule->level) {
 		case RULE_INFO:
 			break;
@@ -540,7 +566,8 @@ DEFINE_ANALYZER_ENTRY(free, TRACE_MODE_TIMELINE_MASK | TRACE_MODE_DIAG_MASK)
 }
 
 DEFINE_ANALYZER_ENTRY(drop, TRACE_MODE_TIMELINE_MASK | TRACE_MODE_DIAG_MASK |
-			    TRACE_MODE_DROP_MASK)
+			    TRACE_MODE_DROP_MASK |
+			    TRACE_MODE_MONITOR_MASK)
 {
 	define_pure_event(drop_event_t, event, e->event);
 	char *reason = NULL, *sym_str, *info;
@@ -550,7 +577,7 @@ DEFINE_ANALYZER_ENTRY(drop, TRACE_MODE_TIMELINE_MASK | TRACE_MODE_DIAG_MASK |
 	sym = sym_parse(event->location);
 	sym_str = sym ? sym->desc : "unknow";
 
-	if (trace_ctx.mode == TRACE_MODE_DROP) {
+	if (!mode_has_context()) {
 		info = malloc(1024);
 		if (trace_ctx.drop_reason)
 			sprintf(info, ", reason: %s, %s", reason, sym_str);
@@ -595,7 +622,8 @@ DEFINE_ANALYZER_EXIT(clone, TRACE_MODE_TIMELINE_MASK | TRACE_MODE_DIAG_MASK)
 	return RESULT_CONSUME;
 }
 
-DEFINE_ANALYZER_EXIT(ret, TRACE_MODE_DIAG_MASK)
+DEFINE_ANALYZER_EXIT(ret, TRACE_MODE_DIAG_MASK |
+			  TRACE_MODE_MONITOR_MASK)
 {
 	int ret = (int) e->event.val;
 
@@ -644,7 +672,8 @@ const char *pf_names[] = {
 };
 DEFINE_ANALYZER_ENTRY(nf, TRACE_MODE_DIAG_MASK |
 			  TRACE_MODE_BASIC_MASK |
-			  TRACE_MODE_TIMELINE_MASK)
+			  TRACE_MODE_TIMELINE_MASK |
+			  TRACE_MODE_MONITOR_MASK)
 {
 	define_pure_event(nf_hooks_event_t, event, e->event);
 	char *msg = malloc(1024), *extinfo;
@@ -681,7 +710,8 @@ DEFINE_ANALYZER_EXIT_FUNC_DEFAULT(nf)
 
 DEFINE_ANALYZER_ENTRY(iptable, TRACE_MODE_DIAG_MASK |
 			       TRACE_MODE_BASIC_MASK |
-			       TRACE_MODE_TIMELINE_MASK)
+			       TRACE_MODE_TIMELINE_MASK |
+			       TRACE_MODE_MONITOR_MASK)
 {
 	define_pure_event(nf_event_t, event, e->event);
 	char *msg = malloc(1024);
@@ -702,7 +732,8 @@ DEFINE_ANALYZER_EXIT_FUNC_DEFAULT(iptable)
 
 DEFINE_ANALYZER_ENTRY(qdisc, TRACE_MODE_DIAG_MASK |
 			     TRACE_MODE_BASIC_MASK |
-			     TRACE_MODE_TIMELINE_MASK)
+			     TRACE_MODE_TIMELINE_MASK |
+			     TRACE_MODE_MONITOR_MASK)
 {
 	define_pure_event(qdisc_event_t, event, e->event);
 	char *msg = malloc(1024);