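├── Android.bp
├── README.md
├── bpf_cli.cpp
└── bpf_sys.c

/Android.bp:
--------------------------------------------------------------------------------
bpf {
    name: "bpf_sys.o",
    srcs: ["bpf_sys.c"],
    cflags: [
        "-Wall",
        "-Werror",
    ],
}

cc_binary {
    name: "bpf_cli",

    cflags: [
        "-Wall",
        "-Werror",
        "-Wthread-safety",
    ],
    clang: true,
    shared_libs: [
        "libcutils",
        "libbpf_android",
        "libbase",
        "liblog",
        "libnetdutils",
        "libbpf",
    ],
    srcs: [
        "bpf_cli.cpp",
    ],
}
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
Android ebpf监控内核事件

详细内容见:
https://pshocker.github.io/2022/06/18/Android-eBPF%E7%9B%91%E6%8E%A7%E6%89%80%E6%9C%89%E7%B3%BB%E7%BB%9F%E8%B0%83%E7%94%A8/
--------------------------------------------------------------------------------

/bpf_cli.cpp:
--------------------------------------------------------------------------------
// NOTE(review): the include targets were lost when this listing was extracted
// (seven bare "#include" lines survived).  The headers below are reconstructed
// from the symbols the code uses; confirm them against the original source.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <unistd.h>

#include <android-base/result.h>
#include <bpf/BpfMap.h>
#include <bpf/BpfUtils.h>

// Userspace reader for bpf_sys.c: attaches the pinned sys_enter program to the
// raw_syscalls/sys_enter tracepoint and dumps the (thread id -> last syscall)
// map every 40 ms until the process is killed.
//
// Both pinned objects live under /sys/fs/bpf and are owned by root (the program
// is declared with AID_ROOT/AID_NET_ADMIN in bpf_sys.c), so this tool has to
// run with matching privileges; every open is checked below so a permission or
// path problem fails loudly instead of producing an empty dump forever.
int main()
{
    // bpfloader pins objects as prog_<file>_<section> and map_<file>_<map name>.
    constexpr const char tp_prog_path[] = "/sys/fs/bpf/prog_bpf_sys_tracepoint_raw_syscalls_sys_enter";
    constexpr const char tp_map_path[] = "/sys/fs/bpf/map_bpf_sys_sys_enter_map";

    const int progFd = bpf_obj_get(tp_prog_path);
    if (progFd < 0) {
        perror("bpf_obj_get(prog)");
        return 1;
    }

    // The returned fd is what keeps the program attached to the tracepoint;
    // it must stay open for as long as events are wanted, and the kernel
    // detaches the program when it is closed (at the latest on process exit).
    const int tpFd = bpf_attach_tracepoint(progFd, "raw_syscalls", "sys_enter");
    if (tpFd < 0) {
        perror("bpf_attach_tracepoint");
        close(progFd);
        return 1;
    }

    // Give the program a moment to populate the map before the first dump.
    sleep(1);

    // Key/value types mirror DEFINE_BPF_MAP(sys_enter_map, HASH, uint32_t, uint32_t, 1024)
    // in bpf_sys.c.  The constructor does not throw on failure, hence the check.
    android::bpf::BpfMap<uint32_t, uint32_t> myMap(tp_map_path);
    if (!myMap.isValid()) {
        fprintf(stderr, "failed to open %s\n", tp_map_path);
        close(tpFd);
        close(progFd);
        return 1;
    }

    // key is the low 32 bits of bpf_get_current_pid_tgid() (the thread id, which
    // equals the process id only for a main thread); val is the syscall number.
    // bpf_sys.c updates with BPF_ANY and never deletes, so each dump is a
    // snapshot of the latest syscall per thread seen so far, not an event stream.
    const auto iterFunc = [](const uint32_t& key, const uint32_t& val,
                             android::bpf::BpfMap<uint32_t, uint32_t>&) {
        // %u: both fields are unsigned 32-bit.
        printf("pid is:%u,syscall_id:%u\n", key, val);
        return android::base::Result<void>();
    };

    for (;;) {
        usleep(40000);
        // Iteration can fail (e.g. the map is deleted underneath us); report it
        // rather than silently printing nothing.
        const auto res = myMap.iterateWithValue(iterFunc);
        if (!res.ok()) {
            fprintf(stderr, "iterateWithValue failed: %s\n", res.error().message().c_str());
        }
    }
    // Not reached: the loop above only ends when the process is killed.
}
--------------------------------------------------------------------------------

/bpf_sys.c:
--------------------------------------------------------------------------------
// NOTE(review): the include targets were lost when this listing was extracted
// (four bare "#include" lines survived).  The three below are reconstructed
// from the symbols used (DEFINE_BPF_MAP, DEFINE_BPF_PROG, LICENSE, BPF_ANY,
// uint32_t); the fourth was presumably the Android header providing
// AID_ROOT/AID_NET_ADMIN — restore it from the original source.
#include <linux/bpf.h>
#include <stdint.h>
#include <bpf_helpers.h>

// Per-thread "last syscall entered" table.  bpfloader pins it as
// /sys/fs/bpf/map_bpf_sys_sys_enter_map, where bpf_cli.cpp reads it.
//   key:   low 32 bits of bpf_get_current_pid_tgid() (thread id)
//   value: syscall number from the tracepoint's `id` field
// Key type is uint32_t (was int) to match the BpfMap<uint32_t, uint32_t> the
// reader opens; the size is identical, so the pinned map layout is unchanged.
// 1024 entries is a hard cap with no eviction: once that many distinct threads
// have been seen, updates for new keys fail and their syscalls are dropped, and
// entries for exited threads linger until the map is destroyed.
DEFINE_BPF_MAP(sys_enter_map, HASH, uint32_t, uint32_t, 1024);

// Context handed to a tracepoint/raw_syscalls/sys_enter program, mirroring
// /sys/kernel/tracing/events/raw_syscalls/sys_enter/format: the common_* header
// shared by all tracepoints, then the syscall number and its six raw arguments.
struct syscalls_enter_args {
    unsigned short common_type;
    unsigned char common_flags;
    unsigned char common_preempt_count;
    int common_pid;

    long id;
    unsigned long args[6];
};

// Currently unused (see the commented-out bpf_get_current_task() below).
// NOTE(review): this is a hand-written stand-in, not the running kernel's
// task_struct layout; dereferencing a real task pointer through it would read
// the wrong offsets.  If it is ever enabled, field access has to go through
// bpf_probe_read() at offsets that match the target kernel (or BTF/CO-RE).
struct task_struct {
    int pid;
    int tgid;
    char comm[16];
    struct task_struct *group_leader;
};

// Records, for the calling thread, the number of each syscall it enters.
// The uid/gid given here are what bpfloader applies to the pinned program, so
// only root / net_admin can attach it or read the collected data.
DEFINE_BPF_PROG("tracepoint/raw_syscalls/sys_enter", AID_ROOT, AID_NET_ADMIN, sys_enter)
(struct syscalls_enter_args *args)
{
    // struct task_struct *task = (void *)bpf_get_current_task();

    // bpf_get_current_pid_tgid() packs the tgid (the userspace "PID") in the
    // high 32 bits and the thread id (what the kernel calls pid) in the low 32.
    // Keeping the low half makes the key per thread; it equals the process id
    // only for a process's main thread.  Shift right by 32 for a per-process key.
    uint32_t key = (uint32_t)bpf_get_current_pid_tgid();
    uint32_t syscall_id = (uint32_t)args->id;

    // BPF_ANY overwrites, so only the latest syscall per thread is retained.
    // The return value is intentionally ignored: once the 1024-entry map is
    // full the update fails for unseen threads and there is nothing useful a
    // tracepoint program can do about it; the reader side documents the cap.
    bpf_sys_enter_map_update_elem(&key, &syscall_id, BPF_ANY);
    return 0;
}

// Android's LICENSE() takes the place of the upstream SEC("license") string.
LICENSE("Apache 2.0");
--------------------------------------------------------------------------------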