Reputation: 21
I wrote a simple ebpf program (using libbpf) in which I hooked sendto
syscall
libbpf version:
SEC("kprobe/sendto")
int BPF_KPROBE(entry_sendto, int sockfd, char* buf, size_t len)
{
bpf_printk("libbpf - entry_sendto - 0 %p", ctx);
bpf_printk("libbpf - entry_sendto - 1 %p", PT_REGS_PARM1(ctx));
bpf_printk("libbpf - entry_sendto - 2 %p", PT_REGS_PARM2(ctx));
bpf_printk("libbpf - entry_sendto - 3 %p", PT_REGS_PARM3(ctx));
bpf_printk("libbpf - entry_sendto - 1 %d", (int)PT_REGS_PARM1(ctx));
bpf_printk("libbpf - entry_sendto - 2 %s", (char *)PT_REGS_PARM2(ctx));
bpf_printk("libbpf - entry_sendto - 3 %d", (int)PT_REGS_PARM3(ctx));
bpf_printk("libbpf - entry_sendto params - 1 %d", sockfd);
bpf_printk("libbpf - entry_sendto params - 2 %s", buf);
bpf_printk("libbpf - entry_sendto params - 3 %d", len);
return 0;
}
bcc version:
int syscall__probe_entry_sendto(struct pt_regs* ctx, int sockfd, char* buf, size_t len, int flags,
const struct sockaddr* dest_addr, size_t addrlen) {
bpf_trace_printk("bcc - entry_sendto - 0 %p", ctx);
bpf_trace_printk("bcc - entry_sendto - 1 %p", PT_REGS_PARM1(ctx));
bpf_trace_printk("bcc - entry_sendto - 2 %p", PT_REGS_PARM2(ctx));
bpf_trace_printk("bcc - entry_sendto - 3 %p", PT_REGS_PARM3(ctx));
bpf_trace_printk("bcc - entry_sendto - 1 %d", (int)PT_REGS_PARM1(ctx));
bpf_trace_printk("bcc - entry_sendto - 2 %s", (char *)PT_REGS_PARM2(ctx));
bpf_trace_printk("bcc - entry_sendto - 3 %d", (int)PT_REGS_PARM3(ctx));
bpf_trace_printk("bcc - entry_sendto params - 1 %d", sockfd);
bpf_trace_printk("bcc - entry_sendto params - 2 %s", buf);
bpf_trace_printk("bcc - entry_sendto params - 3 %d", len);
return 0;
}
I ran a simple curl request to check the hooks and got the following:
curl-49713 [002] d... 15631.753730: bpf_trace_printk: libbpf - entry_sendto - 0 00000000eca092cd
curl-49713 [002] d... 15631.753731: bpf_trace_printk: libbpf - entry_sendto - 1 00000000bfcdc9b6
curl-49713 [002] d... 15631.753731: bpf_trace_printk: libbpf - entry_sendto - 2 0000000000000000
curl-49713 [002] d... 15631.753731: bpf_trace_printk: libbpf - entry_sendto - 3 ffffffffffffffff
curl-49713 [002] d... 15631.753732: bpf_trace_printk: libbpf - entry_sendto - 1 67403608
curl-49713 [002] d... 15631.753733: bpf_trace_printk: libbpf - entry_sendto - 2
curl-49713 [002] d... 15631.753734: bpf_trace_printk: libbpf - entry_sendto - 3 -1
curl-49713 [002] d... 15631.753735: bpf_trace_printk: libbpf - entry_sendto params - 1 67403608
curl-49713 [002] d... 15631.753736: bpf_trace_printk: libbpf - entry_sendto params - 2
curl-49713 [002] d... 15631.753736: bpf_trace_printk: libbpf - entry_sendto params - 3 -1
curl-49713 [002] d... 15631.753737: bpf_trace_printk: bcc - entry_sendto - 0 00000000eca092cd
curl-49713 [002] d... 15631.753737: bpf_trace_printk: bcc - entry_sendto - 1 00000000bfcdc9b6
curl-49713 [002] d... 15631.753738: bpf_trace_printk: bcc - entry_sendto - 2 0000000000000000
curl-49713 [002] d... 15631.753738: bpf_trace_printk: bcc - entry_sendto - 3 ffffffffffffffff
curl-49713 [002] d... 15631.753738: bpf_trace_printk: bcc - entry_sendto - 1 67403608
curl-49713 [002] d... 15631.753739: bpf_trace_printk: bcc - entry_sendto - 2
curl-49713 [002] d... 15631.753739: bpf_trace_printk: bcc - entry_sendto - 3 -1
curl-49713 [002] d... 15631.753740: bpf_trace_printk: bcc - entry_sendto params - 1 6
curl-49713 [002] d... 15631.753740: bpf_trace_printk: bcc - entry_sendto params - 2 8000
curl-49713 [002] d... 15631.753740: bpf_trace_printk: bcc - entry_sendto params - 3 1
I don't understand how should I read the arguments for the sendto
syscal in libbpf.
The ctx struct is identical (at least address-wise) between the BCC hook and the libbpf hook.
Do you see anything that I've done wrong? did I miss anything? Any help will be much appreciated!
Upvotes: 2
Views: 817
Reputation: 21
If your kernel has enable CONFIG_ARCH_HAS_SYSCALL_WRAPPER, the ctx
is wrapped twice. And the bcc specially process the function args: https://github.com/iovisor/bcc/commit/2da34267fcae4485f4e05a17521214749f6f0edd
Upvotes: 1