├── 02-perf-buf ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.bpf.c └── main.go ├── 03-ring-buf ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.bpf.c └── main.go ├── 11-map-pin ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md └── main.go ├── 01-hello-world ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.bpf.c └── main.go ├── 04-tracepoint ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── common.h ├── main.bpf.c └── main.go ├── 22-tail-calls ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 28-kprobe-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md └── main.bpf.c ├── 32-fentry-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md └── main.bpf.c ├── 33-xdp-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md ├── main.bpf.c └── main.go ├── 05-get-process-info ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md └── common.h ├── 07-tracepoint-args ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── common.h └── main.bpf.c ├── 10-map-map-type-array ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── 
README.md ├── common.h └── main.bpf.c ├── 26-lsm-path_chmod ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.bpf.c └── main.go ├── 30-ksyscall-hello ├── Makefile ├── common.h ├── README.md └── main.bpf.c ├── 34-iter-task-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.bpf.c └── main.go ├── 39-socket-filter-tcp ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md └── main.bpf.c ├── 43-tcx-ingress-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── main.go ├── README.md └── main.bpf.c ├── 44-tcx-egress-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── main.go ├── README.md └── main.bpf.c ├── 48-iter-tcp-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.bpf.c └── main.go ├── 06-get-container-info-1 ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── common.h ├── README.md └── main.bpf.c ├── 12-raw-tracepoint-args ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 16-btf-raw-tracepoint-args ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 29-kprobe-hello-with-macro ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md └── main.bpf.c ├── 40-lsm-block-path_unlink ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ 
└── main.go ├── README.md ├── main.go └── main.bpf.c ├── 45-iter-task-write-struct ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── common.h ├── main.bpf.c └── main.go ├── 46-iter-sleepable-task ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.bpf.c └── main.go ├── 47-iter-task-file-hello ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.bpf.c └── main.go ├── 08-map-map-type-hash-kernel ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── common.h └── main.go ├── 09-map-map-type-hash-userspace ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md ├── common.h └── main.bpf.c ├── 14-tracepoint-args-sched_switch ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.bpf.c └── main.go ├── 31-ksyscall-hello-with-macro ├── Makefile ├── common.h ├── README.md └── main.bpf.c ├── 38-raw-tracepoint-sched_wakeup ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── common.h ├── README.md ├── main.go └── main.bpf.c ├── 13-raw-tracepoint-args-sched_switch ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 35-tracepoint-args-use-custom-struct ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md ├── common.h └── main.bpf.c ├── 37-tracepoint-sched_process_exec ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md ├── common.h └── 
main.bpf.c ├── 41-raw-tracepoint-args-with-macro ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 15-get-container-info-2-via-task_struct ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 17-btf-raw-tracepoint-args-sched_switch ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 27-attach-tracepoint-with-syscall ├── .gitignore ├── cilium-ebpf │ ├── README.md │ └── main.go ├── README.md └── main.bpf.c ├── 42-btf-raw-tracepoint-args-with-macro ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 21-tc-parse-packet-with-bpf_skb_load_bytes ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md └── main.go ├── 25-tc-parse-packet-with-direct-memory-access ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md └── README.md ├── 18-socket-filter-capture-icmp-traffic-kernel-parse ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md ├── common.h └── main.bpf.c ├── 36-tracepoint-args-sched_switch-use-custom-struct ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ ├── README.md │ └── main.go ├── README.md ├── main.go └── main.bpf.c ├── 19-socket-filter-capture-icmp-traffic-userspace-parse ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── README.md └── main.bpf.c ├── 20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load ├── Makefile ├── cilium-ebpf │ ├── Makefile │ ├── bpf_bpfeb.o │ ├── bpf_bpfel.o │ └── README.md ├── 
README.md └── common.h ├── .gitmodules ├── 23-rewriting-bcc-libbpf-tools-with-libbpfgo └── README.md ├── .github ├── dependabot.yml └── workflows │ └── build.yml ├── ci.sh ├── .gitignore ├── go.mod ├── LICENSE ├── init.sh └── Vagrantfile /02-perf-buf/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /03-ring-buf/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /11-map-pin/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /01-hello-world/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /04-tracepoint/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /22-tail-calls/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /28-kprobe-hello/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /32-fentry-hello/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /33-xdp-hello/Makefile: 
-------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /05-get-process-info/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /07-tracepoint-args/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /10-map-map-type-array/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /26-lsm-path_chmod/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /30-ksyscall-hello/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /34-iter-task-hello/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /39-socket-filter-tcp/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /43-tcx-ingress-hello/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /44-tcx-egress-hello/Makefile: 
-------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /48-iter-tcp-hello/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /06-get-container-info-1/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /12-raw-tracepoint-args/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /45-iter-task-write-struct/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /46-iter-sleepable-task/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /47-iter-task-file-hello/Makefile: 
-------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /31-ksyscall-hello-with-macro/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile 
-------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /01-hello-world/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /02-perf-buf/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /03-ring-buf/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /04-tracepoint/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /11-map-pin/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /22-tail-calls/cilium-ebpf/Makefile: 
-------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /27-attach-tracepoint-with-syscall/.gitignore: -------------------------------------------------------------------------------- 1 | test.c 2 | test 3 | -------------------------------------------------------------------------------- /33-xdp-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /05-get-process-info/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /07-tracepoint-args/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /21-tc-parse-packet-with-bpf_skb_load_bytes/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /25-tc-parse-packet-with-direct-memory-access/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /26-lsm-path_chmod/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | 
../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /28-kprobe-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /32-fentry-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /34-iter-task-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /44-tcx-egress-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /48-iter-tcp-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /06-get-container-info-1/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /10-map-map-type-array/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /12-raw-tracepoint-args/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile 
-------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /39-socket-filter-tcp/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /43-tcx-ingress-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /46-iter-sleepable-task/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /47-iter-task-file-hello/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile 
-------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /19-socket-filter-capture-icmp-traffic-userspace-parse/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /45-iter-task-write-struct/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | 
../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/Makefile: -------------------------------------------------------------------------------- 1 | ../common/Makefile -------------------------------------------------------------------------------- 
/21-tc-parse-packet-with-bpf_skb_load_bytes/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "libbpf"] 2 | path = libbpf 3 | url = https://github.com/libbpf/libbpf.git 4 | -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /19-socket-filter-capture-icmp-traffic-userspace-parse/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /28-kprobe-hello/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /32-fentry-hello/common.h: 
-------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/cilium-ebpf/Makefile: -------------------------------------------------------------------------------- 1 | ../../common/cilium-ebpf.Makefile -------------------------------------------------------------------------------- /30-ksyscall-hello/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /34-iter-task-hello/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /48-iter-tcp-hello/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /11-map-pin/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/11-map-pin/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /11-map-pin/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/11-map-pin/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- 
/46-iter-sleepable-task/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /47-iter-task-file-hello/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /02-perf-buf/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/02-perf-buf/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /02-perf-buf/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/02-perf-buf/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /03-ring-buf/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/03-ring-buf/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /03-ring-buf/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/03-ring-buf/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | 
-------------------------------------------------------------------------------- /31-ksyscall-hello-with-macro/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u64 pid; 3 | long long ret; 4 | char filename[256]; 5 | }; 6 | -------------------------------------------------------------------------------- /33-xdp-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/33-xdp-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /33-xdp-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/33-xdp-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /01-hello-world/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/01-hello-world/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /01-hello-world/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/01-hello-world/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /04-tracepoint/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/04-tracepoint/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /04-tracepoint/cilium-ebpf/bpf_bpfel.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/04-tracepoint/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /22-tail-calls/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/22-tail-calls/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /22-tail-calls/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/22-tail-calls/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /28-kprobe-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/28-kprobe-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /28-kprobe-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/28-kprobe-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /32-fentry-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/32-fentry-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /32-fentry-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/32-fentry-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/26-lsm-path_chmod/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/26-lsm-path_chmod/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /48-iter-tcp-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/48-iter-tcp-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /48-iter-tcp-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/48-iter-tcp-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /05-get-process-info/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/05-get-process-info/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /05-get-process-info/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/05-get-process-info/cilium-ebpf/bpf_bpfel.o 
-------------------------------------------------------------------------------- /07-tracepoint-args/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/07-tracepoint-args/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /07-tracepoint-args/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/07-tracepoint-args/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /34-iter-task-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/34-iter-task-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /34-iter-task-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/34-iter-task-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | -------------------------------------------------------------------------------- /39-socket-filter-tcp/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/39-socket-filter-tcp/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- 
/39-socket-filter-tcp/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/39-socket-filter-tcp/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /43-tcx-ingress-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/43-tcx-ingress-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /43-tcx-ingress-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/43-tcx-ingress-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /44-tcx-egress-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/44-tcx-egress-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /44-tcx-egress-hello/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/44-tcx-egress-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /10-map-map-type-array/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/10-map-map-type-array/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /10-map-map-type-array/cilium-ebpf/bpf_bpfel.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/10-map-map-type-array/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /12-raw-tracepoint-args/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/12-raw-tracepoint-args/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /12-raw-tracepoint-args/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/12-raw-tracepoint-args/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /46-iter-sleepable-task/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/46-iter-sleepable-task/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /46-iter-sleepable-task/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/46-iter-sleepable-task/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /06-get-container-info-1/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/06-get-container-info-1/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /06-get-container-info-1/cilium-ebpf/bpf_bpfel.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/06-get-container-info-1/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/40-lsm-block-path_unlink/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/40-lsm-block-path_unlink/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /45-iter-task-write-struct/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/45-iter-task-write-struct/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /45-iter-task-write-struct/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/45-iter-task-write-struct/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /47-iter-task-file-hello/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/47-iter-task-file-hello/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /47-iter-task-file-hello/cilium-ebpf/bpf_bpfel.o: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/47-iter-task-file-hello/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /04-tracepoint/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/08-map-map-type-hash-kernel/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/08-map-map-type-hash-kernel/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/16-btf-raw-tracepoint-args/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/16-btf-raw-tracepoint-args/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /28-kprobe-hello/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/29-kprobe-hello-with-macro/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /32-fentry-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/09-map-map-type-hash-userspace/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/09-map-map-type-hash-userspace/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /30-ksyscall-hello/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /34-iter-task-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/38-raw-tracepoint-sched_wakeup/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/38-raw-tracepoint-sched_wakeup/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /48-iter-tcp-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /02-perf-buf/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /03-ring-buf/cilium-ebpf/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /04-tracepoint/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/14-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/14-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/37-tracepoint-sched_process_exec/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- 
/37-tracepoint-sched_process_exec/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/37-tracepoint-sched_process_exec/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /45-iter-task-write-struct/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /46-iter-sleepable-task/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /47-iter-task-file-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /05-get-process-info/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/13-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- 
/13-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/13-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /28-kprobe-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /31-ksyscall-hello-with-macro/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /32-fentry-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /34-iter-task-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/41-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfeb.o 
-------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/41-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /48-iter-tcp-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /02-perf-buf/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u32 pid; 3 | char filename[256]; 4 | }; 5 | 6 | // cilium/ebpf needs this: the unused pointer keeps struct event in the compiled object's type information 7 | const struct event *unused __attribute__((unused)); 8 | -------------------------------------------------------------------------------- /03-ring-buf/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u32 pid; 3 | char filename[256]; 4 | }; 5 | 6 | // cilium/ebpf needs this: the unused pointer keeps struct event in the compiled object's type information 7 | const struct event *unused __attribute__((unused)); 8 | -------------------------------------------------------------------------------- /04-tracepoint/common.h: -------------------------------------------------------------------------------- 1 | struct event { 2 | u32 pid; 3 | char filename[256]; 4 | }; 5 | 6 | // cilium/ebpf needs this: the unused pointer keeps struct event in the compiled object's type information 7 | const struct event *unused __attribute__((unused)); 8 | -------------------------------------------------------------------------------- /10-map-map-type-array/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | 
``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/35-tracepoint-args-use-custom-struct/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/35-tracepoint-args-use-custom-struct/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | ``` 17 | -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /46-iter-sleepable-task/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## 
Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /47-iter-task-file-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/15-get-container-info-2-via-task_struct/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/15-get-container-info-2-via-task_struct/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- 
/29-kprobe-hello-with-macro/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /45-iter-task-write-struct/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /01-hello-world/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Usage 3 | 4 | build: 5 | 6 | ``` 7 | $ make 8 | ``` 9 | 10 | run: 11 | 12 | ``` 13 | $ make run 14 | 15 | $ make cat 16 | ``` 17 | -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /21-tc-parse-packet-with-bpf_skb_load_bytes/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/21-tc-parse-packet-with-bpf_skb_load_bytes/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /21-tc-parse-packet-with-bpf_skb_load_bytes/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/21-tc-parse-packet-with-bpf_skb_load_bytes/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /27-attach-tracepoint-with-syscall/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | ``` 16 | -------------------------------------------------------------------------------- /25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | ``` 17 | -------------------------------------------------------------------------------- /11-map-pin/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ sudo ls /sys/fs/bpf/ 17 | ``` 18 | -------------------------------------------------------------------------------- 
/18-socket-filter-capture-icmp-traffic-kernel-parse/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/18-socket-filter-capture-icmp-traffic-kernel-parse/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/18-socket-filter-capture-icmp-traffic-kernel-parse/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /43-tcx-ingress-hello/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | ) 6 | 7 | func main() { 8 | log.Fatal("libbpfgo doesn't support TCX yet. 
go to ./cilium-ebpf/ to run example") 9 | } 10 | -------------------------------------------------------------------------------- /44-tcx-egress-hello/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | ) 6 | 7 | func main() { 8 | log.Fatal("libbpfgo doesn't support TCX yet. go to ./cilium-ebpf/ to run example") 9 | } 10 | -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ make cat 17 | ``` 18 | -------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ ls -alh 17 | ``` 18 | -------------------------------------------------------------------------------- /45-iter-task-write-struct/common.h: -------------------------------------------------------------------------------- 1 | struct event_t { 2 | u32 pid; 3 | u32 ppid; 4 | char comm[16]; 5 | }; 6 | 7 | // cilium/ebpf need this 8 | const struct event_t *unused __attribute__((unused)); 9 | -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ make cat 17 | ``` 18 | -------------------------------------------------------------------------------- 
/19-socket-filter-capture-icmp-traffic-userspace-parse/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/19-socket-filter-capture-icmp-traffic-userspace-parse/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /19-socket-filter-capture-icmp-traffic-userspace-parse/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/19-socket-filter-capture-icmp-traffic-userspace-parse/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ make cat 17 | ``` 18 | -------------------------------------------------------------------------------- /02-perf-buf/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-use-perfbuf-map.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | ``` 17 | -------------------------------------------------------------------------------- /03-ring-buf/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-use-ringbuf-map.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | ``` 17 | -------------------------------------------------------------------------------- /07-tracepoint-args/cilium-ebpf/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | ``` 19 | -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ make cat 17 | ``` 18 | -------------------------------------------------------------------------------- /05-get-process-info/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-get-process-info.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | ``` 17 | -------------------------------------------------------------------------------- /10-map-map-type-array/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-use-map-example.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | ``` 17 | -------------------------------------------------------------------------------- /11-map-pin/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 pid; 6 | u32 ret; 7 | 8 | char filename[256]; 9 | }; 10 | -------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ ping baidu.com 18 | 19 | ``` 20 | -------------------------------------------------------------------------------- /19-socket-filter-capture-icmp-traffic-userspace-parse/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ ping baidu.com 18 | 19 | ``` 20 | -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | ``` 19 | -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Usage 3 | 4 | build: 5 | 6 | ``` 7 | $ make 8 | ``` 9 | 10 | run: 11 | 12 | ``` 13 | $ make run 14 | 15 | $ touch a.txt 16 | $ cat a.txt 17 | 18 | $ make cat 19 | ``` 20 | -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-use-map-example.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | ``` 17 | -------------------------------------------------------------------------------- 
/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/cilium-ebpf/bpf_bpfeb.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/cilium-ebpf/bpf_bpfeb.o -------------------------------------------------------------------------------- /20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/cilium-ebpf/bpf_bpfel.o: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/mozillazg/hello-libbpfgo/HEAD/20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/cilium-ebpf/bpf_bpfel.o -------------------------------------------------------------------------------- /12-raw-tracepoint-args/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | 19 | $ make cat 20 | ``` 21 | -------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ ping baidu.com 18 | 19 | ``` 20 | -------------------------------------------------------------------------------- /19-socket-filter-capture-icmp-traffic-userspace-parse/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ ping baidu.com 18 | 19 | ``` 20 | 
-------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | 19 | $ make cat 20 | ``` 21 | -------------------------------------------------------------------------------- /20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ ping baidu.com 18 | 19 | ``` 20 | -------------------------------------------------------------------------------- /10-map-map-type-array/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 pid; 6 | 7 | char comm[TASK_COMM_LEN]; 8 | char file[256]; 9 | }; 10 | -------------------------------------------------------------------------------- /23-rewriting-bcc-libbpf-tools-with-libbpfgo/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/11/ebpf-libbpfgo-tools-port-rewriting-the-control-plane-of-bcc-libbpf-tools-in-golang-with-libbpfgo.html 3 | 4 | 5 | repo: https://github.com/mozillazg/libbpfgo-tools 6 | 7 | -------------------------------------------------------------------------------- /27-attach-tracepoint-with-syscall/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | Tracepoint example that uses an eBPF assembler and syscalls, without any C eBPF code. 
4 | 5 | 6 | ## Usage 7 | 8 | build: 9 | 10 | ``` 11 | $ make 12 | ``` 13 | 14 | run: 15 | 16 | ``` 17 | $ make run 18 | ``` 19 | -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | 19 | $ make cat 20 | ``` 21 | -------------------------------------------------------------------------------- /01-hello-world/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-develop-env-and-hello-world.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ make cat 18 | ``` 19 | -------------------------------------------------------------------------------- /20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ ping baidu.com 18 | 19 | ``` 20 | -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ make run 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | 19 | $ make cat 20 | ``` 21 | -------------------------------------------------------------------------------- /09-map-map-type-hash-userspace/common.h: 
-------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 pid; 6 | 7 | char comm[TASK_COMM_LEN]; 8 | char file[256]; 9 | }; 10 | -------------------------------------------------------------------------------- /11-map-pin/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpfgo-use-map-example.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | $ make cat 17 | $ sudo ls /sys/fs/bpf/ 18 | ``` 19 | -------------------------------------------------------------------------------- /22-tail-calls/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | ## Usage 3 | 4 | build: 5 | 6 | ``` 7 | $ make 8 | ``` 9 | 10 | run: 11 | 12 | ``` 13 | $ sudo ./main 14 | 15 | $ touch a.txt 16 | $ chmod 600 a.txt 17 | 18 | $ sudo cat /sys/kernel/debug/tracing/trace_pipe 19 | ``` 20 | -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ make cat 18 | ``` 19 | -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-raw-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ 
make cat 18 | ``` 19 | -------------------------------------------------------------------------------- /33-xdp-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | ``` 22 | -------------------------------------------------------------------------------- /07-tracepoint-args/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ touch a.txt 18 | $ chmod 600 a.txt 19 | ``` 20 | -------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u16 type; 6 | u16 code; 7 | u32 src_addr; 8 | u32 dst_addr; 9 | }; 10 | -------------------------------------------------------------------------------- /33-xdp-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | ``` 22 | -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ make cat 18 | ``` 19 | -------------------------------------------------------------------------------- /39-socket-filter-tcp/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | ``` 22 | -------------------------------------------------------------------------------- /.github/dependabot.yml: -------------------------------------------------------------------------------- 1 | version: 2 2 | updates: 3 | - package-ecosystem: gomod 4 | directory: / 5 | open-pull-requests-limit: 10 6 | schedule: 7 | interval: monthly 8 | - package-ecosystem: github-actions 9 | directory: / 10 | schedule: 11 | interval: monthly 12 | -------------------------------------------------------------------------------- /39-socket-filter-tcp/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | ``` 22 | -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/06/ebpf-libbpf-btf-powered-enabled-raw-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 
| ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ make cat 18 | ``` 19 | -------------------------------------------------------------------------------- /20-socket-filter-capture-icmp-traffic-kernel-parse-without-llvm-load/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u16 type; 6 | u16 code; 7 | u32 src_addr; 8 | u32 dst_addr; 9 | }; 10 | -------------------------------------------------------------------------------- /26-lsm-path_chmod/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Ensure that BPF LSM is enabled 4 | 5 | Check that `bpf` is listed in `/sys/kernel/security/lsm`; if it is not, the kernel must be built with `CONFIG_BPF_LSM=y` and booted with `bpf` included in the `lsm=` parameter. 6 | 7 | 8 | 9 | ## Usage 10 | 11 | build: 12 | 13 | ``` 14 | $ make 15 | ``` 16 | 17 | run: 18 | 19 | ``` 20 | $ make run 21 | 22 | $ touch /tmp/a.txt 23 | $ chmod 600 /tmp/a.txt 24 | 25 | $ make cat 26 | ``` 27 | -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ touch a.txt 18 | $ chmod 600 a.txt 19 | ``` 20 | -------------------------------------------------------------------------------- /43-tcx-ingress-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 
OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | $ make cat 22 | ``` 23 | 
-------------------------------------------------------------------------------- /44-tcx-egress-hello/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | $ make cat 22 | ``` 23 | -------------------------------------------------------------------------------- /25-tc-parse-packet-with-direct-memory-access/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | ``` 22 | -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Ensure that BPF LSM is enabled 4 | 5 | Check that `bpf` is listed in `/sys/kernel/security/lsm`; if it is not, the kernel must be built with `CONFIG_BPF_LSM=y` and booted with `bpf` included in the `lsm=` parameter. 
6 | 7 | 8 | 9 | ## Usage 10 | 11 | build: 12 | 13 | ``` 14 | $ make 15 | ``` 16 | 17 | run: 18 | 19 | ``` 20 | $ make run 21 | 22 | $ touch /tmp/a.txt 23 | $ rm /tmp/a.txt 24 | 25 | $ make cat 26 | ``` 27 | -------------------------------------------------------------------------------- /12-raw-tracepoint-args/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-raw-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ touch a.txt 18 | $ chmod 600 a.txt 19 | 20 | $ make cat 21 | ``` 22 | -------------------------------------------------------------------------------- /43-tcx-ingress-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | $ make cat 22 | ``` 23 | -------------------------------------------------------------------------------- /44-tcx-egress-hello/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | $ make cat 22 | ``` 23 | -------------------------------------------------------------------------------- /26-lsm-path_chmod/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Ensure that BPF LSM is enabled 4 | 5 | Check that `bpf` is listed in `/sys/kernel/security/lsm`; if it is not, the kernel must be built with 
`CONFIG_BPF_LSM=y` and booted with `bpf` included in the `lsm=` parameter. 
6 | 7 | 8 | 9 | ## Usage 10 | 11 | build: 12 | 13 | ``` 14 | $ make 15 | ``` 16 | 17 | run: 18 | 19 | ``` 20 | $ make run 21 | 22 | $ touch /tmp/a.txt 23 | $ chmod 600 /tmp/a.txt 24 | 25 | $ make cat 26 | ``` 27 | -------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2024/03/ebpf-tracepoint-syscalls-sys-enter-execve-can-not-get-filename-argv-values-case.html 3 | 4 | 5 | ## Usage 6 | 7 | build: 8 | 9 | ``` 10 | $ make 11 | ``` 12 | 13 | run: 14 | 15 | ``` 16 | $ make run 17 | 18 | $ ls -alh 19 | ``` 20 | -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Ensure that BPF LSM is enabled 4 | 5 | Check that `bpf` is listed in `/sys/kernel/security/lsm`; if it is not, the kernel must be built with `CONFIG_BPF_LSM=y` and booted with `bpf` included in the `lsm=` parameter. 6 | 7 | 8 | 9 | ## Usage 10 | 11 | build: 12 | 13 | ``` 14 | $ make 15 | ``` 16 | 17 | run: 18 | 19 | ``` 20 | $ make run 21 | 22 | $ touch /tmp/a.txt 23 | $ rm /tmp/a.txt 24 | 25 | $ make cat 26 | ``` 27 | -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/README.md: -------------------------------------------------------------------------------- 1 | https://mozillazg.com/2022/05/ebpf-libbpfgo-use-map-example.html 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ sudo ./main 15 | $ touch a.txt 16 | $ cat a.txt 17 | $ sudo cat /sys/kernel/debug/tracing/trace_pipe 18 | ``` 19 | -------------------------------------------------------------------------------- /21-tc-parse-packet-with-bpf_skb_load_bytes/README.md: 
-------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ 
printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | $ make cat 22 | ``` 23 | -------------------------------------------------------------------------------- /22-tail-calls/README.md: -------------------------------------------------------------------------------- 1 | https://mozillazg.com/2022/10/ebpf-libbpf-use-tail-calls.html 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ sudo ./main 15 | 16 | $ touch a.txt 17 | $ chmod 600 a.txt 18 | 19 | $ sudo cat /sys/kernel/debug/tracing/trace_pipe 20 | ``` 21 | -------------------------------------------------------------------------------- /25-tc-parse-packet-with-direct-memory-access/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | ``` 22 | -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/05/ebpf-libbpf-raw-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ touch a.txt 18 | $ chmod 600 a.txt 19 | 20 | $ make cat 21 | ``` 22 | -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ kubectl run test --image docker.io/calico/node:v3.19.1 \ 15 | -- sh -c 'while true; do ls > 
/dev/null && sleep 10; done' 16 | 17 | $ make run 18 | 19 | $ make cat 20 | ``` 21 | -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/06/ebpf-libbpf-btf-powered-enabled-raw-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ touch a.txt 18 | $ chmod 600 a.txt 19 | 20 | $ make cat 21 | ``` 22 | -------------------------------------------------------------------------------- /21-tc-parse-packet-with-bpf_skb_load_bytes/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ printf 'HTTP/1.1 200 OK\nContent-Length: 0\n\n' |nc -l 9090 & 18 | 19 | $ curl http://127.0.0.1:9090 20 | 21 | $ make cat 22 | ``` 23 | -------------------------------------------------------------------------------- /08-map-map-type-hash-kernel/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 pid; 6 | u32 ret; 7 | 8 | char filename[256]; 9 | }; 10 | 11 | // cilium/ebpf need this 12 | const struct event_t *unused __attribute__((unused)); 13 | -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ kubectl run test --image docker.io/calico/node:v3.19.1 \ 15 | -- sh -c 'while true; do ls > 
/dev/null && sleep 10; done' 16 | 17 | $ make run 18 | 19 | $ make cat 20 | ``` 21 | -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/README.md: -------------------------------------------------------------------------------- 1 | 2 | https://mozillazg.com/2022/06/ebpf-libbpf-btf-powered-enabled-raw-tracepoint-common-questions.html 3 | 4 | ## Usage 5 | 6 | build: 7 | 8 | ``` 9 | $ make 10 | ``` 11 | 12 | run: 13 | 14 | ``` 15 | $ make run 16 | 17 | $ touch a.txt 18 | $ chmod 600 a.txt 19 | 20 | $ make cat 21 | ``` 22 | -------------------------------------------------------------------------------- /35-tracepoint-args-use-custom-struct/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 host_pid; // pid in host pid namespace 6 | u32 host_ppid; // ppid in host pid namespace 7 | 8 | u32 mode; 9 | char comm[TASK_COMM_LEN]; // the name of the executable (excluding the path) 10 | char filename[256]; 11 | }; 12 | -------------------------------------------------------------------------------- /06-get-container-info-1/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 host_pid; // pid in host pid namespace 6 | u32 host_ppid; // ppid in host pid namespace 7 | 8 | char comm[TASK_COMM_LEN]; // the name of the executable (excluding the path) 9 | }; 10 | 11 | // cilium/ebpf need this 12 | const struct event_t *unused __attribute__((unused)); 13 | -------------------------------------------------------------------------------- /27-attach-tracepoint-with-syscall/main.bpf.c: -------------------------------------------------------------------------------- 
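1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | SEC("tracepoint/syscalls/sys_enter_execve") 9 | int tracepoint_execve(struct trace_event_raw_sys_enter *ctx) { 10 | char fmt[] = "hello world:\n"; 11 | bpf_trace_printk(fmt, sizeof(fmt)); 12 | 13 | return 0; 14 | } 15 | 16 | char _license[] SEC("license") = "GPL"; 17 | -------------------------------------------------------------------------------- /ci.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # Build every example directory and, where one exists, its cilium-ebpf variant. 3 | 4 | set -e 5 | 6 | # Glob rather than parse `ls` output; the trailing slash matches directories only. 7 | for dir in *[0-9]*/; do 8 | dir="${dir%/}" 9 | [ -d "$dir" ] || continue # an unmatched glob stays literal 10 | for target in "$dir" "$dir/cilium-ebpf"; do 11 | echo -e "\033[33m=== start build $target ===\033[0;39m" 12 | # Test the directory and its Makefile explicitly: in `! test -d D || cd D && ...` the part after && also runs, in the current directory, when D is missing. 13 | if [ -d "$target" ] && [ -f "$target/Makefile" ]; then 14 | ( cd "$target" && make ) 15 | fi 16 | echo -e "\033[32m=== finish build $target ===\033[0;39m" 17 | done 18 | done 19 | 20 | -------------------------------------------------------------------------------- /06-get-container-info-1/README.md: -------------------------------------------------------------------------------- 1 | https://mozillazg.com/2022/05/ebpf-libbpfgo-get-container-info-via-process-info.rst.html 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 | run: 12 | 13 | ``` 14 | $ sudo microk8s start 15 | 16 | $ kubectl run test --image docker.io/calico/node:v3.19.1 \ 17 | -- sh -c 'while true; do ls > /dev/null && sleep 10; done' 18 | 19 | $ sudo ./main 20 | 21 | $ kubectl delete pod test 22 | $ sudo microk8s stop 23 | ``` 24 | -------------------------------------------------------------------------------- /06-get-container-info-1/cilium-ebpf/README.md: -------------------------------------------------------------------------------- 1 | https://mozillazg.com/2022/05/ebpf-libbpfgo-get-container-info-via-process-info.rst.html 2 | 3 | ## Usage 4 | 5 | build: 6 | 7 | ``` 8 | $ make 9 | ``` 10 | 11 |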
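run: 12 | 13 | ``` 14 | $ sudo microk8s start 15 | 16 | $ kubectl run test --image docker.io/calico/node:v3.19.1 \ 17 | -- sh -c 'while true; do ls > /dev/null && sleep 10; done' 18 | 19 | $ sudo ./main 20 | 21 | $ kubectl delete pod test 22 | $ sudo microk8s stop 23 | ``` 24 | -------------------------------------------------------------------------------- /07-tracepoint-args/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u32 host_pid; // pid in host pid namespace 6 | u32 host_ppid; // ppid in host pid namespace 7 | 8 | u32 mode; 9 | char comm[TASK_COMM_LEN]; // the name of the executable (excluding the path) 10 | char filename[256]; 11 | }; 12 | 13 | // cilium/ebpf need this 14 | const struct event_t *unused __attribute__((unused)); 15 | -------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | #define FILENAME_LEN 512 4 | #define ARGV_LEN 4096 5 | 6 | struct event_t { 7 | u32 host_pid; // pid in host pid namespace 8 | u32 host_ppid; // ppid in host pid namespace 9 | 10 | char comm[TASK_COMM_LEN]; // the name of the executable (excluding the path) 11 | char filename[FILENAME_LEN]; 12 | 13 | u32 argv_size; 14 | char argv[ARGV_LEN]; 15 | }; 16 | -------------------------------------------------------------------------------- /01-hello-world/main.bpf.c: -------------------------------------------------------------------------------- 1 | //go:build ignore 2 | 3 | #include "vmlinux.h" 4 | 5 | #include 6 | #include 7 | 8 | /* Writes the path passed to do_sys_openat2 to the kernel trace pipe; always returns 0. */ 9 | SEC("kprobe/do_sys_openat2") 10 | int kprobe__do_sys_openat2(struct pt_regs *ctx) { 11 | char file_name[256]; 12 |
/* The second argument of do_sys_openat2 is a user-space string. The user-string helper stops at the terminator and always NUL-terminates, so no bytes beyond the path are copied and the "%s" below ends inside file_name; a fixed-size read gives neither guarantee. */ 13 | bpf_probe_read_user_str(file_name, sizeof(file_name), (void *)PT_REGS_PARM2(ctx)); 14 | 15 | char fmt[] = "open file %s\n"; 16 | bpf_trace_printk(fmt, sizeof(fmt), &file_name); 17 | 18 | return 0; 19 | } 20 | 21 | char _license[] SEC("license") = "GPL"; 22 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .env 2 | /.vagrant/ 3 | main.bpf.o 4 | vmlinux.h 5 | output/ 6 | main-static 7 | main 8 | # Binaries for programs and plugins 9 | *.exe 10 | *.exe~ 11 | *.dll 12 | *.so 13 | *.dylib 14 | 15 | # Test binary, built with `go test -c` 16 | *.test 17 | 18 | # Output of the go coverage tool, specifically when used with LiteIDE 19 | *.out 20 | 21 | # Dependency directories (remove the comment below to include it) 22 | # vendor/ 23 | a.txt 24 | events.txt 25 | /05-get-process-info-plus/ 26 | Vagrantfile.local 27 | /9999-playground/ 28 | -------------------------------------------------------------------------------- /26-lsm-path_chmod/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | SEC("lsm/path_chmod") 9 | int BPF_PROG(lsm_path_chmod, struct path *path) { 10 | char path_str[32]; 11 | struct qstr dname; 12 | 13 | dname = BPF_CORE_READ(path, dentry, d_name); 14 | bpf_probe_read_kernel_str(&path_str, sizeof(path_str), dname.name); 15 | 16 | bpf_printk("chmod %s", path_str); 17 | 18 | return 0; 19 | } 20 | 21 | char _license[] SEC("license") = "GPL"; 22 | -------------------------------------------------------------------------------- /46-iter-sleepable-task/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | SEC("iter.s/task") 9 | int iter__task(struct bpf_iter__task *ctx) { 10 | struct seq_file *seq =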
ctx->meta->seq; 11 | struct task_struct *task = ctx->task; 12 | if (task == NULL) 13 | return 0; 14 | 15 | BPF_SEQ_PRINTF(seq, "%d\t%d\t%s\n", task->parent->pid, task->pid, task->comm); 16 | 17 | return 0; 18 | } 19 | 20 | 21 | char _license[] SEC("license") = "GPL"; 22 | -------------------------------------------------------------------------------- /34-iter-task-hello/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | SEC("iter/task") 9 | // int BPF_PROG(iter__task) { 10 | int iter__task(struct bpf_iter__task *ctx) { 11 | struct seq_file *seq = ctx->meta->seq; 12 | struct task_struct *task = ctx->task; 13 | if (task == NULL) 14 | return 0; 15 | 16 | BPF_SEQ_PRINTF(seq, "%d\t%d\t%s\n", task->parent->pid, task->pid, task->comm); 17 | 18 | return 0; 19 | } 20 | 21 | 22 | char _license[] SEC("license") = "GPL"; 23 | -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | SEC("tracepoint/sched/sched_switch") 8 | int tracepoint__sched__sched_switch(struct trace_event_raw_sched_switch *ctx) { 9 | u32 prev_pid = BPF_CORE_READ(ctx, prev_pid); 10 | u32 next_pid = BPF_CORE_READ(ctx, next_pid); 11 | 12 | char fmt[] = "sched_switch %d -> %d\n"; 13 | bpf_trace_printk(fmt, sizeof(fmt), prev_pid, next_pid); 14 | return 0; 15 | } 16 | 17 | char _license[] SEC("license") = "GPL"; 18 | -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | 6 | bpf "github.com/aquasecurity/libbpfgo" 7 | ) 8 | 9 | func main() { 10 | bpfModule, err := 
bpf.NewModuleFromFile("main.bpf.o") 11 | if err != nil { 12 | panic(err) 13 | } 14 | 15 | if err := bpfModule.BPFLoadObject(); err != nil { 16 | panic(err) 17 | } 18 | progIter := bpfModule.Iterator() 19 | for { 20 | prog := progIter.NextProgram() 21 | if prog == nil { 22 | break 23 | } 24 | _, err = prog.AttachGeneric() 25 | if err != nil { 26 | panic(err) 27 | } 28 | } 29 | 30 | fmt.Println("tracing...") 31 | select {} 32 | } 33 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module github.com/mozillazg/hello-libbpfgo 2 | 3 | go 1.23.0 4 | 5 | require ( 6 | github.com/aquasecurity/libbpfgo v0.8.0-libbpf-1.5 7 | github.com/cilium/ebpf v0.16.0 8 | github.com/florianl/go-tc v0.4.4 9 | github.com/google/gopacket v1.1.19 10 | golang.org/x/net v0.34.0 11 | golang.org/x/sys v0.33.0 12 | ) 13 | 14 | require ( 15 | github.com/google/go-cmp v0.6.0 // indirect 16 | github.com/josharian/native v1.1.0 // indirect 17 | github.com/mdlayher/netlink v1.7.2 // indirect 18 | github.com/mdlayher/socket v0.4.1 // indirect 19 | golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect 20 | golang.org/x/sync v0.1.0 // indirect 21 | ) 22 | -------------------------------------------------------------------------------- /47-iter-task-file-hello/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 8 | SEC("iter/task_file") 9 | int iter__task_file(struct bpf_iter__task_file *ctx) { 10 | struct seq_file *seq = ctx->meta->seq; 11 | struct task_struct *task = ctx->task; 12 | struct file *file = ctx->file; 13 | if (task == NULL || file == NULL) 14 | return 0; 15 | 16 | BPF_SEQ_PRINTF(seq, "%d\t%d\t%s\t%lld\t%lld\n", 17 | task->parent->pid, task->pid, task->comm, ctx->fd, file->f_pos); 18 | 19 | return 0; 20 | } 21 | 22 | 23 | char _license[] 
SEC("license") = "GPL"; 24 | -------------------------------------------------------------------------------- /01-hello-world/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | if err := bpfModule.BPFLoadObject(); err != nil { 17 | panic(err) 18 | } 19 | prog, err := bpfModule.GetProgram("kprobe__do_sys_openat2") 20 | if err != nil { 21 | panic(err) 22 | } 23 | if _, err := prog.AttachKprobe("do_sys_openat2"); err != nil { 24 | panic(err) 25 | } 26 | 27 | for { 28 | fmt.Println("Waiting...") 29 | time.Sleep(10 * time.Second) 30 | } 31 | } 32 | -------------------------------------------------------------------------------- /12-raw-tracepoint-args/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | panic(err) 19 | } 20 | prog, err := bpfModule.GetProgram("raw_tracepoint__sys_enter") 21 | if err != nil { 22 | panic(err) 23 | } 24 | if _, err := prog.AttachRawTracepoint("sys_enter"); err != nil { 25 | panic(err) 26 | } 27 | 28 | for { 29 | fmt.Println("Waiting...") 30 | time.Sleep(10 * time.Second) 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /26-lsm-path_chmod/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | 
) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | log.Println(err) 19 | return 20 | } 21 | prog, err := bpfModule.GetProgram("lsm_path_chmod") 22 | if err != nil { 23 | log.Println(err) 24 | return 25 | } 26 | 27 | if _, err := prog.AttachLSM(); err != nil { 28 | log.Println(err) 29 | return 30 | } 31 | 32 | log.Println("waiting for events") 33 | time.Sleep(time.Minute * 1024) 34 | } 35 | -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | panic(err) 19 | } 20 | prog, err := bpfModule.GetProgram("tracepoint__sched__sched_switch") 21 | if err != nil { 22 | panic(err) 23 | } 24 | if _, err := prog.AttachTracepoint("sched", "sched_switch"); err != nil { 25 | panic(err) 26 | } 27 | 28 | for { 29 | fmt.Println("Waiting...") 30 | time.Sleep(10 * time.Second) 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | panic(err) 19 | } 20 | prog, 
err := bpfModule.GetProgram("raw_tracepoint__sched__sched_switch") 21 | if err != nil { 22 | panic(err) 23 | } 24 | if _, err := prog.AttachRawTracepoint("sched_switch"); err != nil { 25 | panic(err) 26 | } 27 | 28 | for { 29 | fmt.Println("Waiting...") 30 | time.Sleep(10 * time.Second) 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | panic(err) 19 | } 20 | prog, err := bpfModule.GetProgram("tracepoint__sched__sched_switch") 21 | if err != nil { 22 | panic(err) 23 | } 24 | if _, err := prog.AttachTracepoint("sched", "sched_switch"); err != nil { 25 | panic(err) 26 | } 27 | 28 | for { 29 | fmt.Println("Waiting...") 30 | time.Sleep(10 * time.Second) 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | panic(err) 19 | } 20 | prog, err := bpfModule.GetProgram("tracepoint__syscalls__sys_enter_execve") 21 | if err != nil { 22 | panic(err) 23 | } 24 | if _, err := prog.AttachTracepoint("syscalls", "sys_enter_execve"); err != nil { 25 | panic(err) 26 | } 27 | 28 | 
for { 29 | fmt.Println("Waiting...") 30 | time.Sleep(10 * time.Second) 31 | } 32 | } 33 | -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | "time" 7 | 8 | bpf "github.com/aquasecurity/libbpfgo" 9 | ) 10 | 11 | func main() { 12 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 13 | if err != nil { 14 | panic(err) 15 | } 16 | defer bpfModule.Close() 17 | 18 | if err := bpfModule.BPFLoadObject(); err != nil { 19 | panic(err) 20 | } 21 | prog, err := bpfModule.GetProgram("btf_raw_tracepoint__sys_enter") 22 | if err != nil { 23 | panic(err) 24 | } 25 | link, err := prog.AttachGeneric() 26 | if err != nil { 27 | panic(err) 28 | } 29 | if link.GetFd() == 0 { 30 | os.Exit(-1) 31 | } 32 | 33 | for { 34 | fmt.Println("Waiting...") 35 | time.Sleep(10 * time.Second) 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /45-iter-task-write-struct/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | #include "common.h" 3 | 4 | #include 5 | #include 6 | #include 7 | 8 | 9 | SEC("iter/task") 10 | int iter__task(struct bpf_iter__task *ctx) { 11 | struct seq_file *seq = ctx->meta->seq; 12 | struct task_struct *task = ctx->task; 13 | if (task == NULL) 14 | return 0; 15 | 16 | struct event_t event = {0}; 17 | 18 | BPF_CORE_READ_INTO(&event.pid, task, tgid); 19 | BPF_CORE_READ_INTO(&event.ppid, task, parent, tgid); 20 | BPF_CORE_READ_STR_INTO(&event.comm, task, comm); 21 | 22 | bpf_seq_write(seq, &event, sizeof(event)); 23 | 24 | return 0; 25 | } 26 | 27 | 28 | char _license[] SEC("license") = "GPL"; 29 | -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/main.go: 
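-------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "os" 6 | "time" 7 | 8 | bpf "github.com/aquasecurity/libbpfgo" 9 | ) 10 | 11 | func main() { 12 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 13 | if err != nil { 14 | panic(err) 15 | } 16 | defer bpfModule.Close() 17 | 18 | if err := bpfModule.BPFLoadObject(); err != nil { 19 | panic(err) 20 | } 21 | prog, err := bpfModule.GetProgram("btf_raw_tracepoint__sched_switch") 22 | if err != nil { 23 | panic(err) 24 | } 25 | link, err := prog.AttachGeneric() 26 | if err != nil { 27 | panic(err) 28 | } 29 | if link.GetFd() == 0 { 30 | os.Exit(-1) 31 | } 32 | 33 | for { 34 | fmt.Println("Waiting...") 35 | time.Sleep(10 * time.Second) 36 | } 37 | } 38 | -------------------------------------------------------------------------------- /02-perf-buf/main.bpf.c: -------------------------------------------------------------------------------- 1 | //go:build ignore 2 | 3 | #include "vmlinux.h" 4 | 5 | #include "common.h" 6 | #include 7 | #include 8 | 9 | /* BPF perfbuf map */ 10 | struct { 11 | __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY); 12 | __uint(key_size, sizeof(u32)); 13 | __uint(value_size, sizeof(u32)); 14 | } events SEC(".maps"); 15 | 16 | /* Sends one struct event (pid and opened path) per do_sys_openat2 call through the perf buffer; always returns 0. */ 17 | SEC("kprobe/do_sys_openat2") 18 | int kprobe__do_sys_openat2(struct pt_regs *ctx) { 19 | struct event e = {}; 20 | 21 | e.pid = bpf_get_current_pid_tgid() >> 32; /* upper 32 bits hold the tgid */ 22 | /* The path is a user-space string: copy only up to its terminator. A fixed-size read would also export whatever user memory follows the path, and fails outright when that window crosses into unmapped memory. */ 23 | bpf_probe_read_user_str(&e.filename, sizeof(e.filename), (void *)PT_REGS_PARM2(ctx)); 24 | 25 | bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &e, sizeof(e)); 26 | 27 | return 0; 28 | } 29 | 30 | char _license[] SEC("license") = "GPL"; 31 | -------------------------------------------------------------------------------- /17-btf-raw-tracepoint-args-sched_switch/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | //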
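include/trace/events/sched.h 8 | // typedef void (*btf_trace_sched_switch)(void *, bool, struct task_struct *, 9 | // struct task_struct *); 10 | SEC("tp_btf/sched_switch") 11 | int btf_raw_tracepoint__sched_switch(u64 *ctx) { 12 | struct task_struct *prev_task = (struct task_struct *)ctx[1]; 13 | struct task_struct *next_task = (struct task_struct *)ctx[2]; 14 | u32 prev_pid = prev_task->tgid; 15 | u32 next_pid = next_task->tgid; 16 | 17 | char fmt[] = "sched_switch %d -> %d\n"; 18 | bpf_trace_printk(fmt, sizeof(fmt), prev_pid, next_pid); 19 | return 0; 20 | } 21 | 22 | char _license[] SEC("license") = "GPL"; 23 | -------------------------------------------------------------------------------- /03-ring-buf/main.bpf.c: -------------------------------------------------------------------------------- 1 | //go:build ignore 2 | 3 | #include "vmlinux.h" 4 | 5 | #include "common.h" 6 | #include 7 | #include 8 | 9 | /* BPF ringbuf map */ 10 | struct { 11 | __uint(type, BPF_MAP_TYPE_RINGBUF); 12 | __uint(max_entries, 256 * 1024 /* 256 KB */); 13 | } events SEC(".maps"); 14 | 15 | /* Reserves one ring-buffer record per do_sys_openat2 call, fills in pid and path, and submits it; always returns 0. */ 16 | SEC("kprobe/do_sys_openat2") 17 | int kprobe__do_sys_openat2(struct pt_regs *ctx) { 18 | struct event *e; 19 | e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); 20 | if (!e) { /* reservation failed (for example the buffer is full): drop this event */ 21 | return 0; 22 | } 23 | 24 | e->pid = bpf_get_current_pid_tgid() >> 32; /* upper 32 bits hold the tgid */ 25 | /* The path is a user-space string: copy only up to its terminator instead of a fixed-size block of user memory. The helper does not write the bytes after the NUL, so consumers must stop at the first NUL. */ 26 | bpf_probe_read_user_str(&e->filename, sizeof(e->filename), (void *)PT_REGS_PARM2(ctx)); 27 | 28 | bpf_ringbuf_submit(e, 0); 29 | 30 | return 0; 31 | } 32 | 33 | char _license[] SEC("license") = "GPL"; 34 | -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | bpf "github.com/aquasecurity/libbpfgo" 6 | "log" 7 | "os" 8 | "os/signal" 9 | "syscall" 10 | ) 11 | 12 | func main() { 13 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 14 | if err != nil {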
15 | panic(err) 16 | } 17 | defer bpfModule.Close() 18 | 19 | if err := bpfModule.BPFLoadObject(); err != nil { 20 | panic(err) 21 | } 22 | prog, err := bpfModule.GetProgram("raw_tracepoint__sys_enter") 23 | if err != nil { 24 | panic(err) 25 | } 26 | if _, err := prog.AttachRawTracepoint("sys_enter"); err != nil { 27 | panic(err) 28 | } 29 | 30 | log.Println("waiting for events") 31 | ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) 32 | defer stop() 33 | <-ctx.Done() 34 | } 35 | -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include "common.h" 4 | #include 5 | #include 6 | #include 7 | 8 | 9 | SEC("raw_tracepoint/sched_wakeup") 10 | int raw_tp__sched_wakeup(struct bpf_raw_tracepoint_args *ctx) { 11 | struct task_struct *p; 12 | pid_t pid; 13 | char comm[TASK_COMM_LEN]; 14 | 15 | p = (struct task_struct*)ctx->args[0]; 16 | 17 | pid = BPF_CORE_READ(p, pid); 18 | /* bpf_probe_read_kernel(&pid, sizeof(pid), &p->pid); */ 19 | 20 | BPF_CORE_READ_STR_INTO(&comm, p, comm); 21 | /* bpf_probe_read_kernel_str(&comm, sizeof(comm), &p->comm); */ 22 | 23 | bpf_printk("[sched_wakeup] p->pid: %d, p->comm: %s", pid, comm); 24 | return 0; 25 | } 26 | 27 | char _license[] SEC("license") = "GPL"; 28 | -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | // include/trace/events/sched.h 8 | SEC("raw_tracepoint/sched_switch") 9 | int raw_tracepoint__sched__sched_switch(struct bpf_raw_tracepoint_args *ctx) { 10 | struct task_struct *prev_task = 11 | (struct task_struct *)BPF_CORE_READ(ctx, args[1]); 12 | struct task_struct 
*next_task = 13 | (struct task_struct *)BPF_CORE_READ(ctx, args[2]); 14 | 15 | u32 prev_pid = BPF_CORE_READ(prev_task, tgid); 16 | u32 next_pid = BPF_CORE_READ(next_task, tgid); 17 | 18 | char fmt[] = "sched_switch %d -> %d\n"; 19 | bpf_trace_printk(fmt, sizeof(fmt), prev_pid, next_pid); 20 | return 0; 21 | } 22 | 23 | char _license[] SEC("license") = "GPL"; 24 | -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | SEC("raw_tracepoint/sys_enter") 8 | int BPF_PROG(raw_tracepoint__sys_enter, struct pt_regs *regs, long id) { 9 | if (id != 268) // fchmodat 10 | return 0; 11 | 12 | // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); 13 | char pathname[256]; 14 | u32 mode; 15 | 16 | char *pathname_ptr = (char *)PT_REGS_PARM2_CORE(regs); 17 | bpf_core_read_user_str(&pathname, sizeof(pathname), pathname_ptr); 18 | mode = (u32)PT_REGS_PARM3_CORE(regs); 19 | 20 | char fmt[] = "fchmodat %s %d\n"; 21 | bpf_trace_printk(fmt, sizeof(fmt), &pathname, mode); 22 | return 0; 23 | } 24 | 25 | char _license[] SEC("license") = "GPL"; 26 | -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | bpf "github.com/aquasecurity/libbpfgo" 6 | "log" 7 | "os" 8 | "os/signal" 9 | "syscall" 10 | ) 11 | 12 | func main() { 13 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 14 | if err != nil { 15 | panic(err) 16 | } 17 | defer bpfModule.Close() 18 | 19 | if err := bpfModule.BPFLoadObject(); err != nil { 20 | log.Println(err) 21 | return 22 | } 23 | prog, err := bpfModule.GetProgram("lsm_path_unlink") 24 | if err != nil { 25 | log.Println(err) 26 | 
return 27 | } 28 | 29 | if _, err := prog.AttachLSM(); err != nil { 30 | log.Println(err) 31 | return 32 | } 33 | 34 | log.Println("waiting for events") 35 | ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) 36 | defer stop() 37 | <-ctx.Done() 38 | } 39 | -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | bpf "github.com/aquasecurity/libbpfgo" 6 | "log" 7 | "os" 8 | "os/signal" 9 | "syscall" 10 | ) 11 | 12 | func main() { 13 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 14 | if err != nil { 15 | panic(err) 16 | } 17 | defer bpfModule.Close() 18 | 19 | if err := bpfModule.BPFLoadObject(); err != nil { 20 | panic(err) 21 | } 22 | prog, err := bpfModule.GetProgram("btf_raw_tracepoint__sys_enter") 23 | if err != nil { 24 | panic(err) 25 | } 26 | link, err := prog.AttachGeneric() 27 | if err != nil { 28 | panic(err) 29 | } 30 | if link.GetFd() == 0 { 31 | os.Exit(-1) 32 | } 33 | 34 | log.Println("waiting for events") 35 | ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) 36 | defer stop() 37 | <-ctx.Done() 38 | } 39 | -------------------------------------------------------------------------------- /26-lsm-path_chmod/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | 
if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.AttachLSM(link.LSMOptions{ 26 | Program: objs.LsmPathChmod, 27 | }) 28 | if err != nil { 29 | log.Println(err) 30 | return 31 | } 32 | defer tp.Close() 33 | 34 | log.Println("Waiting for events...") 35 | time.Sleep(time.Minute * 1024) 36 | } 37 | -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | // sudo cat /sys/kernel/debug/tracing/events/sched/sched_switch/format 8 | struct sched_switch_args { 9 | char _[8]; 10 | char prev_comm[16]; 11 | pid_t prev_pid; 12 | int prev_prio; 13 | long prev_state; 14 | char next_comm[16]; 15 | pid_t next_pid; 16 | int next_prio; 17 | }; 18 | 19 | SEC("tracepoint/sched/sched_switch") 20 | int tracepoint__sched__sched_switch(struct sched_switch_args *ctx) { 21 | u32 prev_pid = (u32)ctx->prev_pid; 22 | u32 next_pid = (u32)ctx->next_pid; 23 | 24 | char fmt[] = "sched_switch %d -> %d\n"; 25 | bpf_trace_printk(fmt, sizeof(fmt), prev_pid, next_pid); 26 | return 0; 27 | } 28 | 29 | char _license[] SEC("license") = "GPL"; 30 | -------------------------------------------------------------------------------- /01-hello-world/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | kernel_func_name := "do_sys_openat2" 16 | if err := rlimit.RemoveMemlock(); err != nil { 17 | 
log.Fatal(err) 18 | } 19 | 20 | objs := bpfObjects{} 21 | if err := loadBpfObjects(&objs, nil); err != nil { 22 | log.Fatal(err) 23 | } 24 | defer objs.Close() 25 | 26 | kp, err := link.Kprobe(kernel_func_name, objs.KprobeDoSysOpenat2, nil) 27 | if err != nil { 28 | log.Println(err) 29 | return 30 | } 31 | defer kp.Close() 32 | 33 | log.Println("Waiting for events...") 34 | time.Sleep(time.Minute * 100) 35 | } 36 | -------------------------------------------------------------------------------- /14-tracepoint-args-sched_switch/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.Tracepoint("sched", "sched_switch", objs.TracepointSchedSchedSwitch, nil) 26 | if err != nil { 27 | log.Println(err) 28 | return 29 | } 30 | defer tp.Close() 31 | 32 | log.Println("Waiting for events...") 33 | time.Sleep(time.Minute * 1024) 34 | 35 | } 36 | -------------------------------------------------------------------------------- /05-get-process-info/common.h: -------------------------------------------------------------------------------- 1 | // https://elixir.bootlin.com/linux/v5.13/source/include/linux/sched.h#L215 2 | #define TASK_COMM_LEN 16 3 | 4 | struct event_t { 5 | u64 cgroup_id; // cgroup id 6 | u32 host_tid; // tid in host pid namespace 7 | u32 host_pid; // pid in host pid namespace 8 | u32 host_ppid; // ppid in host pid namespace 9 | 
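10 | u32 tid; // thread id in userspace 11 | u32 pid; // process id in userspace 12 | u32 ppid; // parent process id in userspace 13 | u32 uid; 14 | u32 gid; 15 | 16 | u32 cgroup_ns_id; 17 | u32 ipc_ns_id; 18 | u32 net_ns_id; 19 | u32 mount_ns_id; 20 | u32 pid_ns_id; 21 | u32 time_ns_id; 22 | u32 user_ns_id; 23 | u32 uts_ns_id; 24 | 25 | char comm[TASK_COMM_LEN]; // the name of the executable (excluding the path) 26 | }; 27 | 28 | // cilium/ebpf need this 29 | const struct event_t *unused __attribute__((unused)); 30 | --------------------------------------------------------------------------------
/34-iter-task-hello/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"log"
	"strings"

	bpf "github.com/aquasecurity/libbpfgo"
)

// main loads main.bpf.o, attaches the "iter__task" BPF iterator program and
// logs one line per tab-separated record read from the iterator.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		panic(err)
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		panic(err)
	}
	prog, err := bpfModule.GetProgram("iter__task")
	if err != nil {
		panic(err)
	}
	link, err := prog.AttachIter(bpf.IterOpts{})
	if err != nil {
		panic(err)
	}
	// Release the iterator link on exit, as the other libbpfgo iterator
	// examples in this repository do.
	defer link.Destroy()
	reader, err := link.Reader()
	if err != nil {
		panic(err)
	}
	defer reader.Close()

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		// comm is the last field and is chosen by the process itself, so a
		// record can carry extra tabs or be cut short by a newline
		// (presumably the BPF side prints it verbatim; its source is not in
		// this file). Split at most three ways and never index a short
		// record, which would otherwise panic and stop the tool.
		fields := strings.SplitN(line, "\t", 3)
		if len(fields) < 3 {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		// NOTE(review): comm is logged with %s; %q would keep control
		// characters out of the log at the cost of a changed output format.
		log.Printf("ppid: %s, pid: %s, comm: %s", fields[0], fields[1], fields[2])
	}
	// Scan returns false on a read error as well as on EOF.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}
--------------------------------------------------------------------------------
/48-iter-tcp-hello/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | #define AF_INET 0x2 8 | 9 | 10 | SEC("iter/tcp") 11 | int iter__tcpv4(struct bpf_iter__tcp *ctx) { 12 | struct sock_common *sk_common =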
ctx->sk_common; 13 | struct seq_file *seq = ctx->meta->seq; 14 | 15 | if (sk_common == NULL) 16 | return 0; 17 | if (sk_common->skc_family != AF_INET) 18 | return 0; 19 | 20 | u32 family = sk_common->skc_family; 21 | u32 saddr = sk_common->skc_rcv_saddr; 22 | u16 sport = sk_common->skc_num; 23 | u32 daddr = sk_common->skc_daddr; 24 | u16 dport = sk_common->skc_dport; 25 | 26 | BPF_SEQ_PRINTF(seq, "%d\t%pI4\t%d\t%pI4\t%d\n", 27 | family, &saddr, sport, &daddr, dport); 28 | 29 | return 0; 30 | } 31 | 32 | 33 | char _license[] SEC("license") = "GPL"; 34 | -------------------------------------------------------------------------------- /15-get-container-info-2-via-task_struct/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.Tracepoint("syscalls", "sys_enter_execve", objs.TracepointSyscallsSysEnterExecve, nil) 26 | if err != nil { 27 | log.Println(err) 28 | return 29 | } 30 | defer tp.Close() 31 | 32 | log.Println("Waiting for events...") 33 | time.Sleep(time.Minute * 1024) 34 | } 35 | -------------------------------------------------------------------------------- /36-tracepoint-args-sched_switch-use-custom-struct/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | 
"github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.Tracepoint("sched", "sched_switch", objs.TracepointSchedSchedSwitch, nil) 26 | if err != nil { 27 | log.Println(err) 28 | return 29 | } 30 | defer tp.Close() 31 | 32 | log.Println("Waiting for events...") 33 | time.Sleep(time.Minute * 1024) 34 | 35 | } 36 | --------------------------------------------------------------------------------
/04-tracepoint/main.bpf.c:
--------------------------------------------------------------------------------
//go:build ignore

#include "vmlinux.h"

#include "common.h"
/* NOTE(review): the three angle-bracket header names below are missing in
 * this listing; restore them from the repository before building. */
#include
#include
#include

/* BPF ringbuf map */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024 /* 256 KB */);
} events SEC(".maps");

/*
 * Runs on every sys_enter_openat: reserves one struct event in the ring
 * buffer, stores the caller's id and the path string taken from the second
 * syscall argument, and submits the record to userspace.
 *
 * Returns 0 in all cases; when the ring buffer has no room the event is
 * silently dropped.
 */
SEC("tracepoint/syscalls/sys_enter_openat")
int tracepoint_openat(struct trace_event_raw_sys_enter *ctx) {
    struct event *e;
    e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
    if (!e) {
        return 0;
    }

    /* upper 32 bits of pid_tgid: the tgid, i.e. the process id userspace sees */
    e->pid = bpf_get_current_pid_tgid() >> 32;

    char *fn_ptr;
    fn_ptr = (char *)(ctx->args[1]);
    /*
     * NOTE(review): the return value is ignored and the record is submitted
     * either way. Reserved ring-buffer memory is not zeroed, so bytes after
     * the string terminator (and any field of struct event not assigned
     * here; the struct is declared in common.h, not shown) may hold data
     * from an earlier record. Consumers should stop at the first NUL.
     *
     * The string is read from user memory at syscall entry. The calling
     * process can rewrite that buffer before the kernel makes its own copy,
     * so the recorded name is what was there at probe time, not a guarantee
     * of what was opened.
     */
    bpf_core_read_user_str(&e->filename, sizeof(e->filename), fn_ptr);

    bpf_ringbuf_submit(e, 0);

    return 0;
}

char _license[] SEC("license") = "GPL";
--------------------------------------------------------------------------------
/12-raw-tracepoint-args/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2
| 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.AttachRawTracepoint(link.RawTracepointOptions{ 26 | Name: "sys_enter", 27 | Program: objs.RawTracepointSysEnter, 28 | }) 29 | if err != nil { 30 | log.Println(err) 31 | return 32 | } 33 | defer tp.Close() 34 | 35 | log.Println("Waiting for events...") 36 | time.Sleep(time.Minute * 1024) 37 | 38 | } 39 | -------------------------------------------------------------------------------- /38-raw-tracepoint-sched_wakeup/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.AttachRawTracepoint(link.RawTracepointOptions{ 26 | Name: "sched_wakeup", 27 | Program: objs.RawTpSchedWakeup, 28 | }) 29 | if err != nil { 30 | log.Println(err) 31 | return 32 | } 33 | defer tp.Close() 34 | 35 | log.Println("Waiting for events...") 36 | time.Sleep(time.Minute * 1024) 37 | } 38 | 
--------------------------------------------------------------------------------
/12-raw-tracepoint-args/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

/* NOTE(review): the three angle-bracket header names below are missing in
 * this listing; restore them from the repository before building. */
#include
#include
#include

/*
 * Raw tracepoint on sys_enter: for one syscall number, reads the pathname
 * and mode arguments out of the saved registers and prints them with
 * bpf_trace_printk.
 *
 * ctx->args[0] is used as the struct pt_regs pointer and ctx->args[1] as the
 * syscall number. Always returns 0.
 */
SEC("raw_tracepoint/sys_enter")
int raw_tracepoint__sys_enter(struct bpf_raw_tracepoint_args *ctx) {
    unsigned long syscall_id = ctx->args[1];
    // NOTE(review): syscall numbers are per-architecture; 268 is fchmodat on
    // x86_64, so on another architecture this filter selects a different
    // syscall or none at all.
    if (syscall_id != 268) // fchmodat
        return 0;

    struct pt_regs *regs;
    regs = (struct pt_regs *)ctx->args[0];

    // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags);
    char pathname[256];
    u32 mode;

    char *pathname_ptr = (char *)PT_REGS_PARM2_CORE(regs);
    // NOTE(review): the return value is ignored, and paths longer than the
    // 256-byte buffer are truncated. The string is read from user memory at
    // syscall entry; the caller can change it before the kernel copies it,
    // so the printed path is the probe-time value only.
    bpf_core_read_user_str(&pathname, sizeof(pathname), pathname_ptr);
    mode = (u32)PT_REGS_PARM3_CORE(regs);

    char fmt[] = "fchmodat %s %d\n";
    bpf_trace_printk(fmt, sizeof(fmt), &pathname, mode);
    return 0;
}

char _license[] SEC("license") = "GPL";
--------------------------------------------------------------------------------
/08-map-map-type-hash-kernel/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "fmt" 5 | "time" 6 | 7 | bpf "github.com/aquasecurity/libbpfgo" 8 | ) 9 | 10 | func main() { 11 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 12 | if err != nil { 13 | panic(err) 14 | } 15 | defer bpfModule.Close() 16 | 17 | if err := bpfModule.BPFLoadObject(); err != nil { 18 | panic(err) 19 | } 20 | progEnter, err := bpfModule.GetProgram("tracepoint__syscalls__sys_enter_openat") 21 | if err != nil { 22 | panic(err) 23 | } 24 | if _, err := progEnter.AttachTracepoint("syscalls", "sys_enter_openat"); err != nil { 25 | panic(err) 26 | } 27 | progExit, err := bpfModule.GetProgram("tracepoint__syscalls__sys_exit_openat") 28 | if err != nil { 29 | panic(err) 30 | } 31 | if _, err :=
progExit.AttachTracepoint("syscalls", "sys_exit_openat"); err != nil { 32 | panic(err) 33 | } 34 | 35 | for { 36 | fmt.Println("Waiting...") 37 | time.Sleep(10 * time.Second) 38 | } 39 | } 40 | -------------------------------------------------------------------------------- /13-raw-tracepoint-args-sched_switch/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := bpfObjects{} 20 | if err := loadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tp, err := link.AttachRawTracepoint(link.RawTracepointOptions{ 26 | Name: "sched_switch", 27 | Program: objs.RawTracepointSchedSchedSwitch, 28 | }) 29 | if err != nil { 30 | log.Println(err) 31 | return 32 | } 33 | defer tp.Close() 34 | 35 | log.Println("Waiting for events...") 36 | time.Sleep(time.Minute * 1024) 37 | 38 | } 39 | -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf" 8 | "github.com/cilium/ebpf/link" 9 | "github.com/cilium/ebpf/rlimit" 10 | ) 11 | 12 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 13 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 14 | 15 | func main() { 16 | if err := rlimit.RemoveMemlock(); err != nil { 17 | log.Fatal(err) 
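18 | } 19 | 20 | objs := bpfObjects{} 21 | if err := loadBpfObjects(&objs, nil); err != nil { 22 | log.Fatal(err) 23 | } 24 | defer objs.Close() 25 | 26 | tp, err := link.AttachTracing(link.TracingOptions{ 27 | Program: objs.BtfRawTracepointSysEnter, 28 | AttachType: ebpf.AttachTraceRawTp, 29 | }) 30 | if err != nil { 31 | log.Println(err) 32 | return 33 | } 34 | defer tp.Close() 35 | 36 | log.Println("Waiting for events...") 37 | time.Sleep(time.Minute * 1024) 38 | 39 | } 40 | --------------------------------------------------------------------------------
/46-iter-sleepable-task/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"log"
	"strings"

	bpf "github.com/aquasecurity/libbpfgo"
)

// main loads main.bpf.o, attaches the "iter__task" BPF iterator program and
// logs one line per tab-separated record read from the iterator.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		panic(err)
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		panic(err)
	}
	prog, err := bpfModule.GetProgram("iter__task")
	if err != nil {
		log.Println(err)
		return
	}
	link, err := prog.AttachIter(bpf.IterOpts{})
	if err != nil {
		log.Println(err)
		return
	}
	defer link.Destroy()
	reader, err := link.Reader()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		// comm is the last field and is chosen by the process itself, so a
		// record can carry extra tabs or be cut short by a newline
		// (presumably the BPF side prints it verbatim; its source is not in
		// this file). Split at most three ways and never index a short
		// record, which would otherwise panic and stop the tool.
		fields := strings.SplitN(line, "\t", 3)
		if len(fields) < 3 {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		// NOTE(review): comm is logged with %s; %q would keep control
		// characters out of the log at the cost of a changed output format.
		log.Printf("ppid: %s, pid: %s, comm: %s", fields[0], fields[1], fields[2])
	}
	// Scan returns false on a read error as well as on EOF.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}
--------------------------------------------------------------------------------
/17-btf-raw-tracepoint-args-sched_switch/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf" 8 | "github.com/cilium/ebpf/link" 9 |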
"github.com/cilium/ebpf/rlimit" 10 | ) 11 | 12 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 13 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 14 | 15 | func main() { 16 | if err := rlimit.RemoveMemlock(); err != nil { 17 | log.Fatal(err) 18 | } 19 | 20 | objs := bpfObjects{} 21 | if err := loadBpfObjects(&objs, nil); err != nil { 22 | log.Fatal(err) 23 | } 24 | defer objs.Close() 25 | 26 | tp, err := link.AttachTracing(link.TracingOptions{ 27 | Program: objs.BtfRawTracepointSchedSwitch, 28 | AttachType: ebpf.AttachTraceRawTp, 29 | }) 30 | if err != nil { 31 | log.Println(err) 32 | return 33 | } 34 | defer tp.Close() 35 | 36 | log.Println("Waiting for events...") 37 | time.Sleep(time.Minute * 1024) 38 | 39 | } 40 | -------------------------------------------------------------------------------- /40-lsm-block-path_unlink/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "github.com/cilium/ebpf/link" 6 | "github.com/cilium/ebpf/rlimit" 7 | "log" 8 | "os" 9 | "os/signal" 10 | "syscall" 11 | ) 12 | 13 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 14 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 15 | 16 | func main() { 17 | if err := rlimit.RemoveMemlock(); err != nil { 18 | log.Fatal(err) 19 | } 20 | 21 | objs := bpfObjects{} 22 | if err := loadBpfObjects(&objs, nil); err != nil { 23 | log.Fatal(err) 24 | } 25 | defer objs.Close() 26 | 27 | tp, err := link.AttachLSM(link.LSMOptions{ 28 | Program: objs.LsmPathUnlink, 29 | }) 30 | if err != nil { 31 | log.Println(err) 32 | return 33 | } 34 | defer tp.Close() 35 | 36 | log.Println("waiting for events") 37 | ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) 38 | defer stop() 39 | <-ctx.Done() 40 | } 
41 | -------------------------------------------------------------------------------- /42-btf-raw-tracepoint-args-with-macro/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | // typedef void (*btf_trace_sys_enter)(void *, struct pt_regs *, long int); 8 | SEC("tp_btf/sys_enter") 9 | int BPF_PROG(btf_raw_tracepoint__sys_enter, struct pt_regs *regs, long int id) { 10 | if (id != 268) // fchmodat 11 | return 0; 12 | 13 | struct task_struct *task = (struct task_struct *)bpf_get_current_task_btf(); 14 | 15 | // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); 16 | char pathname[256]; 17 | u32 mode; 18 | 19 | char *pathname_ptr = (char *)PT_REGS_PARM2_CORE(regs); 20 | bpf_core_read_user_str(&pathname, sizeof(pathname), pathname_ptr); 21 | mode = (u32)PT_REGS_PARM3_CORE(regs); 22 | 23 | char fmt[] = "%d fchmodat %s %d\n"; 24 | bpf_trace_printk(fmt, sizeof(fmt), task->tgid, &pathname, mode); 25 | return 0; 26 | } 27 | 28 | char _license[] SEC("license") = "GPL"; 29 | -------------------------------------------------------------------------------- /.github/workflows/build.yml: -------------------------------------------------------------------------------- 1 | name: Build examples 2 | 3 | on: 4 | push: 5 | pull_request: 6 | workflow_dispatch: 7 | 8 | jobs: 9 | build-examples: 10 | runs-on: ubuntu-22.04 11 | steps: 12 | - name: Checkout code 13 | uses: actions/checkout@v4 14 | with: 15 | fetch-depth: 0 16 | 17 | - name: Set up Go 18 | uses: actions/setup-go@v5 19 | with: 20 | go-version: '1.21' 21 | 22 | - name: Install dependencies 23 | run: | 24 | set -e 25 | sudo apt-get update 26 | sudo apt-get install --yes build-essential pkgconf libelf-dev llvm-12 clang-12 27 | for tool in "clang" "llc" "llvm-strip"; do 28 | path=$(which $tool-12) 29 | test $(which $tool) && sudo mv $(which $tool){,.bak} 30 | sudo ln -sf $path ${path%-*} 31 | done 
32 | 33 | git submodule update --init --recursive 34 | 35 | - name: build examples 36 | run: | 37 | set -e 38 | bash ci.sh 39 | -------------------------------------------------------------------------------- /19-socket-filter-capture-icmp-traffic-userspace-parse/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | #define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4 8 | #define ETH_HLEN 14 /* Total octets in header. */ 9 | 10 | unsigned long long load_byte(void *skb, 11 | unsigned long long off) asm("llvm.bpf.load.byte"); 12 | unsigned long long load_half(void *skb, 13 | unsigned long long off) asm("llvm.bpf.load.half"); 14 | unsigned long long load_word(void *skb, 15 | unsigned long long off) asm("llvm.bpf.load.word"); 16 | 17 | SEC("socket") 18 | int socket__filter_icmp(struct __sk_buff *skb) 19 | { 20 | // Skip non-IP packets 21 | if (load_half(skb, offsetof(struct ethhdr, h_proto)) != ETH_P_IP) 22 | return 0; 23 | 24 | // Skip non-ICMP packets 25 | if (load_byte(skb, ETH_HLEN + offsetof(struct iphdr, protocol)) != IPPROTO_ICMP) 26 | return 0; 27 | 28 | return -1; 29 | } 30 | 31 | char _license[] SEC("license") = "GPL"; 32 | -------------------------------------------------------------------------------- /47-iter-task-file-hello/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bufio" 5 | "log" 6 | "strings" 7 | 8 | bpf "github.com/aquasecurity/libbpfgo" 9 | ) 10 | 11 | func main() { 12 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 13 | if err != nil { 14 | panic(err) 15 | } 16 | defer bpfModule.Close() 17 | 18 | if err := bpfModule.BPFLoadObject(); err != nil { 19 | panic(err) 20 | } 21 | prog, err := bpfModule.GetProgram("iter__task_file") 22 | if err != nil { 23 | log.Println(err) 24 | return 25 | } 26 | link, err := 
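prog.AttachIter(bpf.IterOpts{}) 27 | if err != nil { 28 | log.Println(err) 29 | return 30 | } 31 | defer link.Destroy() 32 | reader, err := link.Reader() 33 | if err != nil { 34 | log.Println(err) 35 | return 36 | } 37 | defer reader.Close() 38 | 39 | scanner := bufio.NewScanner(reader) 40 | for scanner.Scan() { 41 | fields := strings.Split(scanner.Text(), "\t") 42 | log.Printf("ppid: %s, pid: %s, comm: %s, fd: %s, f_op: %s", 43 | fields[0], fields[1], fields[2], fields[3], fields[4]) 44 | } 45 | } 46 | --------------------------------------------------------------------------------
/48-iter-tcp-hello/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"log"
	"strings"

	bpf "github.com/aquasecurity/libbpfgo"
)

// main loads main.bpf.o, attaches the "iter__tcpv4" BPF iterator program and
// logs one line per tab-separated socket record read from the iterator.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		panic(err)
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		panic(err)
	}
	prog, err := bpfModule.GetProgram("iter__tcpv4")
	if err != nil {
		log.Println(err)
		return
	}
	link, err := prog.AttachIter(bpf.IterOpts{})
	if err != nil {
		log.Println(err)
		return
	}
	defer link.Destroy()
	reader, err := link.Reader()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	// Each record is expected to hold family, saddr, sport, daddr, dport.
	const wantFields = 5

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		fields := strings.Split(line, "\t")
		// Indexing a short record would panic and end the program, so
		// report it and carry on with the next line.
		if len(fields) < wantFields {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		log.Printf("family: %s, saddr: %s, sport: %s, daddr: %s, dport: %s",
			fields[0], fields[1], fields[2], fields[3], fields[4])
	}
	// Scan returns false on a read error as well as on EOF.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}
--------------------------------------------------------------------------------
/15-get-container-info-2-via-task_struct/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 |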
7 | SEC("tracepoint/syscalls/sys_enter_execve") 8 | int tracepoint__syscalls__sys_enter_execve(struct trace_event_raw_sys_enter *ctx) 9 | { 10 | char comm[16]; 11 | bpf_get_current_comm(&comm, sizeof(comm)); 12 | // filter sh 13 | if (comm[0] != 's' || comm[1] != 'h' || comm[2] != '\0') { 14 | return 0; 15 | } 16 | 17 | u32 pid = bpf_get_current_pid_tgid() >> 32; 18 | struct task_struct *task = (struct task_struct *)bpf_get_current_task(); 19 | 20 | char cgroup_name[128]; 21 | const char *cname = BPF_CORE_READ(task, cgroups, subsys[0], cgroup, kn, name); 22 | bpf_core_read_str(&cgroup_name, sizeof(cgroup_name), cname); 23 | 24 | char fmt[] = "pid: %d comm: %s cgroup name: %s\n"; 25 | bpf_trace_printk(fmt, sizeof(fmt), pid, comm, cgroup_name); 26 | 27 | return 0; 28 | } 29 | 30 | char _license[] SEC("license") = "GPL"; 31 | -------------------------------------------------------------------------------- /41-raw-tracepoint-args-with-macro/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "github.com/cilium/ebpf/link" 6 | "github.com/cilium/ebpf/rlimit" 7 | "log" 8 | "os" 9 | "os/signal" 10 | "syscall" 11 | ) 12 | 13 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 14 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 15 | 16 | func main() { 17 | if err := rlimit.RemoveMemlock(); err != nil { 18 | log.Fatal(err) 19 | } 20 | 21 | objs := bpfObjects{} 22 | if err := loadBpfObjects(&objs, nil); err != nil { 23 | log.Fatal(err) 24 | } 25 | defer objs.Close() 26 | 27 | tp, err := link.AttachRawTracepoint(link.RawTracepointOptions{ 28 | Name: "sys_enter", 29 | Program: objs.RawTracepointSysEnter, 30 | }) 31 | if err != nil { 32 | log.Println(err) 33 | return 34 | } 35 | defer tp.Close() 36 | 37 | log.Println("waiting for events") 38 | ctx, stop := 
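signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) 39 | defer stop() 40 | <-ctx.Done() 41 | 42 | } 43 | -------------------------------------------------------------------------------- /16-btf-raw-tracepoint-args/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | // typedef void (*btf_trace_sys_enter)(void *, struct pt_regs *, long int); 8 | SEC("tp_btf/sys_enter") 9 | int btf_raw_tracepoint__sys_enter(u64 *ctx) { 10 | long int syscall_id = (long int)ctx[1]; 11 | if (syscall_id != 268) // fchmodat 12 | return 0; 13 | 14 | struct pt_regs *regs = (struct pt_regs *)ctx[0]; 15 | struct task_struct *task = (struct task_struct *)bpf_get_current_task_btf(); 16 | 17 | // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); 18 | char pathname[256]; 19 | u32 mode; 20 | 21 | char *pathname_ptr = (char *)PT_REGS_PARM2_CORE(regs); 22 | bpf_core_read_user_str(&pathname, sizeof(pathname), pathname_ptr); 23 | mode = (u32)PT_REGS_PARM3_CORE(regs); 24 | 25 | char fmt[] = "%d fchmodat %s %d\n"; 26 | bpf_trace_printk(fmt, sizeof(fmt), task->tgid, &pathname, mode); 27 | return 0; 28 | } 29 | 30 | char _license[] SEC("license") = "GPL"; 31 | --------------------------------------------------------------------------------
/22-tail-calls/main.go:
--------------------------------------------------------------------------------
package main

import (
	"fmt"
	"time"
	"unsafe"

	bpf "github.com/aquasecurity/libbpfgo"
)

// main loads main.bpf.o, stores the "enter_fchmodat" program's file
// descriptor in the "tail_jmp_map" map under syscall number 268, attaches
// "raw_tracepoint__sys_enter" to the sys_enter raw tracepoint and then idles.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		panic(err)
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		panic(err)
	}

	tailMap, err := bpfModule.GetMap("tail_jmp_map")
	if err != nil {
		panic(err)
	}
	enterFchmodat, err := bpfModule.GetProgram("enter_fchmodat")
	if err != nil {
		panic(err)
	}
	// Update receives raw pointers, so the pointed-to values must have the
	// width the map expects. A plain Go int is 8 bytes on 64-bit targets and
	// only happens to work on little-endian machines. The cilium/ebpf
	// variant of this example passes uint32 for both key and value, so the
	// map presumably uses 4-byte keys and values (its definition is in
	// main.bpf.c, not shown here).
	// NOTE(review): 268 is the x86_64 syscall number for fchmodat; other
	// architectures use a different number.
	syscallID := uint32(268)
	enterFchmodatFd := uint32(enterFchmodat.GetFd())
	if err := tailMap.Update(unsafe.Pointer(&syscallID), unsafe.Pointer(&enterFchmodatFd)); err != nil {
		panic(err)
	}

	prog, err := bpfModule.GetProgram("raw_tracepoint__sys_enter")
	if err != nil {
		panic(err)
	}
	if _, err := prog.AttachRawTracepoint("sys_enter"); err != nil {
		panic(err)
	}

	for {
		fmt.Println("Waiting...")
		time.Sleep(10 * time.Second)
	}
}
--------------------------------------------------------------------------------
/42-btf-raw-tracepoint-args-with-macro/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "github.com/cilium/ebpf" 6 | "github.com/cilium/ebpf/link" 7 | "github.com/cilium/ebpf/rlimit" 8 | "log" 9 | "os" 10 | "os/signal" 11 | "syscall" 12 | ) 13 | 14 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 15 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 16 | 17 | func main() { 18 | if err := rlimit.RemoveMemlock(); err != nil { 19 | log.Fatal(err) 20 | } 21 | 22 | objs := bpfObjects{} 23 | if err := loadBpfObjects(&objs, nil); err != nil { 24 | log.Fatal(err) 25 | } 26 | defer objs.Close() 27 | 28 | tp, err := link.AttachTracing(link.TracingOptions{ 29 | Program: objs.BtfRawTracepointSysEnter, 30 | AttachType: ebpf.AttachTraceRawTp, 31 | }) 32 | if err != nil { 33 | log.Println(err) 34 | return 35 | } 36 | defer tp.Close() 37 | 38 | log.Println("waiting for events") 39 | ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt, syscall.SIGTERM) 40 | defer stop() 41 | <-ctx.Done() 42 | 43 | } 44 | --------------------------------------------------------------------------------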
/08-map-map-type-hash-kernel/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "time" 6 | 7 | "github.com/cilium/ebpf/link" 8 | "github.com/cilium/ebpf/rlimit" 9 | ) 10 | 11 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 12 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS -type event_t Bpf ../main.bpf.c -- -I../ -I../output 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | objs := BpfObjects{} 20 | if err := LoadBpfObjects(&objs, nil); err != nil { 21 | log.Fatal(err) 22 | } 23 | defer objs.Close() 24 | 25 | tpEnter, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TracepointSyscallsSysEnterOpenat, nil) 26 | if err != nil { 27 | log.Println(err) 28 | return 29 | } 30 | defer tpEnter.Close() 31 | tpExit, err := link.Tracepoint("syscalls", "sys_exit_openat", objs.TracepointSyscallsSysExitOpenat, nil) 32 | if err != nil { 33 | log.Println(err) 34 | return 35 | } 36 | defer tpExit.Close() 37 | 38 | log.Println("Waiting for events...") 39 | time.Sleep(time.Minute * 1024) 40 | } 41 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | MIT License 2 | 3 | Copyright (c) 2022 mozillazg 4 | 5 | Permission is hereby granted, free of charge, to any person obtaining a copy 6 | of this software and associated documentation files (the "Software"), to deal 7 | in the Software without restriction, including without limitation the rights 8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell 9 | copies of the Software, and to permit persons to whom the Software is 10 | furnished to do so, subject to the following conditions: 11 | 12 | The above copyright notice and this permission notice shall be included in all 13 | 
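copies or substantial portions of the Software. 14 | 15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 21 | SOFTWARE. 22 | --------------------------------------------------------------------------------
/46-iter-sleepable-task/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"log"
	"strings"

	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// main lifts the memlock limit, loads the generated BPF objects, attaches the
// IterTask iterator program and logs one line per tab-separated record read
// from it.
func main() {
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	objs := bpfObjects{}
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	iter, err := link.AttachIter(link.IterOptions{
		Program: objs.IterTask,
	})
	if err != nil {
		log.Println(err)
		return
	}
	defer iter.Close()

	reader, err := iter.Open()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		// comm is the last field and is chosen by the process itself, so a
		// record can carry extra tabs or be cut short by a newline
		// (presumably the BPF side prints it verbatim; its source is not in
		// this file). Split at most three ways and never index a short
		// record, which would otherwise panic and stop the tool.
		fields := strings.SplitN(line, "\t", 3)
		if len(fields) < 3 {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		// NOTE(review): comm is logged with %s; %q would keep control
		// characters out of the log at the cost of a changed output format.
		log.Printf("ppid: %s, pid: %s, comm: %s", fields[0], fields[1], fields[2])
	}
	// Scan returns false on a read error as well as on EOF.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}
--------------------------------------------------------------------------------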
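/22-tail-calls/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"log"
	"time"

	"github.com/cilium/ebpf"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// main loads the generated BPF objects, stores the fchmodat handler in the
// tail-call map under its syscall number, attaches the raw sys_enter
// tracepoint program, and then sleeps while the programs run.
func main() {
	// Lift the locked-memory rlimit before any BPF object is loaded.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	var objs bpfObjects
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	// 268 is the fchmodat syscall number on x86-64; other architectures use a
	// different number, so this key is architecture-specific.
	const fchmodatNr uint32 = 268
	handlerFD := uint32(objs.EnterFchmodat.FD())
	if err := objs.TailJmpMap.Update(fchmodatNr, handlerFD, ebpf.UpdateAny); err != nil {
		log.Println(err)
		return
	}

	rawTP, err := link.AttachRawTracepoint(link.RawTracepointOptions{
		Name:    "sys_enter",
		Program: objs.RawTracepointSysEnter,
	})
	if err != nil {
		log.Println(err)
		return
	}
	defer rawTP.Close()

	log.Println("Waiting for events...")
	time.Sleep(1024 * time.Minute)
}

--------------------------------------------------------------------------------
/47-iter-task-file-hello/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
	"log"
	"strings"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// main loads the generated BPF objects, attaches the task-file iterator
// program, and logs one line per tab-separated record the iterator emits.
func main() {
	// Lift the locked-memory rlimit before any BPF object is loaded.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	objs := bpfObjects{}
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	iter, err := link.AttachIter(link.IterOptions{
		Program: objs.IterTaskFile,
	})
	if err != nil {
		log.Println(err)
		return
	}
	defer iter.Close()

	reader, err := iter.Open()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		fields := strings.Split(line, "\t")
		// The comm column is a name the task can set for itself, so a record
		// is not guaranteed to split into five fields. Indexing without this
		// check would panic on a short record.
		if len(fields) < 5 {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		log.Printf("ppid: %s, pid: %s, comm: %s, fd: %s, f_op: %s",
			fields[0], fields[1], fields[2], fields[3], fields[4])
	}
	// Scan returns false on read errors as well as on EOF; report the former
	// so a truncated listing is not mistaken for a complete one.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}

--------------------------------------------------------------------------------
/48-iter-tcp-hello/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
	"log"
	"strings"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// main loads the generated BPF objects, attaches the TCPv4 iterator program,
// and logs one line per tab-separated socket record the iterator emits.
func main() {
	// Lift the locked-memory rlimit before any BPF object is loaded.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	objs := bpfObjects{}
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	iter, err := link.AttachIter(link.IterOptions{
		Program: objs.IterTcpv4,
	})
	if err != nil {
		log.Println(err)
		return
	}
	defer iter.Close()

	reader, err := iter.Open()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		fields := strings.Split(line, "\t")
		// Indexing five fields without checking the count would panic on a
		// short or truncated record.
		if len(fields) < 5 {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		log.Printf("family: %s, saddr: %s, sport: %s, daddr: %s, dport: %s",
			fields[0], fields[1], fields[2], fields[3], fields[4])
	}
	// Scan returns false on read errors as well as on EOF; report the former
	// so a truncated listing is not mistaken for a complete one.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}

--------------------------------------------------------------------------------
/07-tracepoint-args/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include "common.h"
#include
#include
#include

/* BPF ringbuf map */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 16 * 1024 /* 16 KB */);
} events SEC(".maps");

/*
 * Runs on entry to fchmodat and submits one event_t per call: caller pid,
 * parent pid, comm, the path argument and the requested mode.
 */
SEC("tracepoint/syscalls/sys_enter_fchmodat")
int tracepoint__syscalls__sys_enter_fchmodat(
    struct trace_event_raw_sys_enter *ctx) {
    struct event_t *event;
    event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
    if (!event) {
        /* Ring buffer full: this call is not recorded. */
        return 0;
    }

    struct task_struct *task = (struct task_struct *)bpf_get_current_task();

    /* The upper 32 bits of pid_tgid hold the tgid (the user-visible PID). */
    event->host_pid = bpf_get_current_pid_tgid() >> 32;
    event->host_ppid = BPF_CORE_READ(task, real_parent, tgid);
    bpf_get_current_comm(&event->comm, sizeof(event->comm));

    /* args[1] is a user-space pointer, hence the *_user_str read below. */
    char *filename_ptr = (char *)BPF_CORE_READ(ctx, args[1]);
    /*
     * NOTE(review): the return value is ignored and the record is not cleared
     * after bpf_ringbuf_reserve(), so nothing here sets the bytes after the
     * terminating NUL. Consumers should read filename only up to the first
     * NUL -- confirm against the reader in main.go.
     */
    bpf_core_read_user_str(&event->filename, sizeof(event->filename),
                           filename_ptr);
    event->mode = BPF_CORE_READ(ctx, args[2]);

    bpf_ringbuf_submit(event, 0);
    return 0;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/06-get-container-info-1/main.bpf.c:
--------------------------------------------------------------------------------
//go:build ignore

#include "vmlinux.h"

#include "common.h"
#include
#include
#include

/* BPF ringbuf map */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 16 * 1024 /* 16 KB */);
} events SEC(".maps");

/*
 * Runs on entry to execve and submits an event_t (pid, parent pid, comm) only
 * when the calling task's comm is exactly "sh".
 */
SEC("tracepoint/syscalls/sys_enter_execve")
int tracepoint__syscalls__sys_enter_execve(
    struct trace_event_raw_sys_enter *ctx) {
    char name[TASK_COMM_LEN];
    bpf_get_current_comm(&name, sizeof(name));
    // filter sh
    /*
     * comm is a name the task can change for itself, so this is a convenience
     * filter for the demo rather than a reliable way to identify a process.
     */
    if (name[0] != 's' || name[1] != 'h' || name[2] != '\0') {
        return 0;
    }

    struct event_t *event;
    event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
    if (!event) {
        /* Ring buffer full: this call is not recorded. */
        return 0;
    }

    struct task_struct *task = (struct task_struct *)bpf_get_current_task();

    /* The upper 32 bits of pid_tgid hold the tgid (the user-visible PID). */
    event->host_pid = bpf_get_current_pid_tgid() >> 32;
    event->host_ppid = BPF_CORE_READ(task, real_parent, tgid);

    bpf_get_current_comm(&event->comm, sizeof(event->comm));

    bpf_ringbuf_submit(event, 0);

    return 0;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/39-socket-filter-tcp/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include
#include
#include
#include

#define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4
#define ETH_HLEN 14 /* Total octets in header.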
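*/

/*
 * socket__filter_tcp keeps IPv4/TCP packets whose destination port is 9090
 * (returns -1, i.e. keep the whole packet) and returns 0 for everything else,
 * so the attached socket does not receive it.
 */
SEC("socket")
int socket__filter_tcp(struct __sk_buff *skb)
{
    u16 h_proto;
    if (bpf_skb_load_bytes(skb, offsetof(struct ethhdr, h_proto), &h_proto,
                           sizeof(h_proto)) < 0)
        return 0;
    if (bpf_ntohs(h_proto) != ETH_P_IP) // not ipv4
        return 0;

    struct iphdr ip_hdr;
    if (bpf_skb_load_bytes(skb, ETH_HLEN, &ip_hdr, sizeof(ip_hdr)) < 0)
        return 0;
    if (ip_hdr.protocol != IPPROTO_TCP) // not tcp
        return 0;

    /*
     * ihl is the IPv4 header length in 32-bit words. Using it instead of
     * sizeof(struct iphdr) keeps the TCP header offset correct when the
     * packet carries IP options; a fixed 20-byte offset would compare the
     * port against option bytes and the filter would match the wrong data.
     */
    u32 ip_hlen = ip_hdr.ihl * 4;
    if (ip_hlen < sizeof(struct iphdr)) // malformed header length
        return 0;

    struct tcphdr tcp_hdr;
    if (bpf_skb_load_bytes(skb, ETH_HLEN + ip_hlen, &tcp_hdr,
                           sizeof(tcp_hdr)) < 0)
        return 0;
    if (tcp_hdr.dest != bpf_htons(9090)) // filter dest port
        return 0;

    /* The port is in network byte order on the wire; convert it for printing. */
    bpf_printk("saddr: %pI4, daddr: %pI4:%d", &ip_hdr.saddr, &ip_hdr.daddr, bpf_ntohs(tcp_hdr.dest));
    return -1;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/40-lsm-block-path_unlink/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include
#include
#include

/*
 * str_eq compares a and b byte by byte over at most len bytes and stops early
 * at a NUL in a. It returns true when no differing byte was seen. If len is
 * shorter than the strings, this is a prefix comparison, not an equality test.
 */
static __always_inline bool str_eq(const char *a, const char *b, int len)
{
    for (int i = 0; i < len; i++) {
        if (a[i] != b[i])
            return false;
        if (a[i] == '\0')
            break;
    }
    return true;
}

/*
 * str_len returns the index of the first NUL within the first max_len bytes
 * of s, or max_len when there is none.
 */
static __always_inline int str_len(char *s, int max_len)
{
    for (int i = 0; i < max_len; i++) {
        if (s[i] == '\0')
            return i;
    }
    /* No NUL was found above, so the last byte is necessarily non-NUL. */
    if (s[max_len - 1] != '\0')
        return max_len;
    return 0;
}

/*
 * lsm_path_unlink denies unlink (returns -1, i.e. -EPERM) when the final path
 * component is exactly "a.txt" and allows it (returns 0) otherwise. Only the
 * dentry name is checked, so the rule applies in every directory.
 */
SEC("lsm/path_unlink")
int BPF_PROG(lsm_path_unlink, struct path *dir, struct dentry *dentry) {
    char file_name_str[32];
    char block_file_name[32] = "a.txt";
    struct qstr file_dname;

    file_dname = BPF_CORE_READ(dentry, d_name);
    /* Names longer than the buffer are truncated by the string read. */
    bpf_probe_read_kernel_str(&file_name_str, sizeof(file_name_str), file_dname.name);

    /*
     * Compare across the whole buffer so that the terminating NUL takes part
     * in the comparison. Limiting the comparison to strlen("a.txt") bytes, as
     * the previous call did, also matched longer names that merely start with
     * "a.txt" (for example "a.txt.bak"), so the rule was wider than the name
     * it advertises.
     */
    if (!str_eq(file_name_str, block_file_name, sizeof(block_file_name)))
        return 0;

    bpf_printk("blocked unlink file named %s", file_name_str);

    return -1;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/11-map-pin/main.go:
--------------------------------------------------------------------------------
package main

import (
	"log"
	"os"
	"os/signal"
	"syscall"

	bpf "github.com/aquasecurity/libbpfgo"
)

// main loads main.bpf.o, attaches the openat enter and exit tracepoint
// programs, logs the pin path of pid_event_map, and unpins the map when the
// process receives an interrupt or SIGTERM.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		panic(err)
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		panic(err)
	}

	// Program name in the object file, and the syscalls tracepoint it attaches to.
	attachments := []struct{ program, tracepoint string }{
		{"tracepoint__syscalls__sys_enter_openat", "sys_enter_openat"},
		{"tracepoint__syscalls__sys_exit_openat", "sys_exit_openat"},
	}
	for _, a := range attachments {
		prog, err := bpfModule.GetProgram(a.program)
		if err != nil {
			panic(err)
		}
		if _, err := prog.AttachTracepoint("syscalls", a.tracepoint); err != nil {
			panic(err)
		}
	}

	bpfMap, err := bpfModule.GetMap("pid_event_map")
	if err != nil {
		panic(err)
	}
	pinPath := bpfMap.GetPinPath()
	log.Printf("pin path: %s", pinPath)
	log.Println("Waiting...")

	sigCh := make(chan os.Signal, 1)
	signal.Notify(sigCh, os.Interrupt, syscall.SIGTERM)
	<-sigCh

	// Unpin on the way out. If the process ends any other way (a panic above,
	// SIGKILL), this code does not run and the pin is left behind.
	log.Printf("unpin...")
	if err := bpfMap.Unpin(pinPath); err != nil {
		log.Printf("unpin %s failed: %s", pinPath, err)
	}
}

--------------------------------------------------------------------------------
/45-iter-task-write-struct/main.go:
--------------------------------------------------------------------------------
package main

import (
	"encoding/binary"
	bpf "github.com/aquasecurity/libbpfgo"
	"golang.org/x/sys/unix"
	"io"
	"log"
)

// EventT is the fixed-size record decoded from the iterator output.
// NOTE(review): presumably mirrors the struct the BPF program writes; confirm
// field order and sizes against main.bpf.c.
type EventT struct {
	Pid  uint32
	Ppid uint32
	Comm [16]byte
}

// main loads main.bpf.o, attaches the iter__task iterator program, and logs
// every EventT record read from the iterator until the stream ends.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		log.Printf("error: %s", err)
		return
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		log.Printf("error: %s", err)
		return
	}
	prog, err := bpfModule.GetProgram("iter__task")
	if err != nil {
		log.Printf("error: %s", err)
		return
	}

	link, err := prog.AttachIter(bpf.IterOpts{})
	if err != nil {
		log.Printf("error: %s", err)
		return
	}
	defer link.Destroy()

	reader, err := link.Reader()
	if err != nil {
		log.Printf("error: %s", err)
		return
	}
	defer reader.Close()

	for {
		event := EventT{}
		if err := binary.Read(reader, binary.LittleEndian, &event); err != nil {
			// io.EOF is the normal end of the listing. Any other error (a
			// short final record, a failed read) also ends the loop: retrying
			// on a reader that keeps failing would spin and flood the log.
			if err != io.EOF {
				log.Printf("read event: %s", err)
			}
			break
		}

		log.Printf("ppid: %d, pid: %d, comm: %s",
			event.Ppid, event.Pid, unix.ByteSliceToString(event.Comm[:]))
	}
}

--------------------------------------------------------------------------------
/43-tcx-ingress-hello/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include
#include
#include
#include

#define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4
#define ETH_HLEN 14 /* Total octets in header.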
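*/

#define TCX_NEXT -1
#define TCX_PASS 0
#define TCX_DROP 2
#define TCX_REDIRECT 7

/*
 * handle_ingress logs the source and destination address and port of
 * IPv4/TCP packets seen on ingress. It is an observer only: every path
 * returns TCX_NEXT, which leaves the verdict to the next program.
 */
SEC("tcx/ingress")
int handle_ingress(struct __sk_buff *skb) {
    /* NOTE(review): the return value of the pull is not checked. */
    bpf_skb_pull_data(skb, 0);

    u16 h_proto;
    if (bpf_skb_load_bytes(skb, offsetof(struct ethhdr, h_proto), &h_proto,
                           sizeof(h_proto)) < 0)
        goto out;
    if (bpf_ntohs(h_proto) != ETH_P_IP) // not ipv4
        goto out;

    /*
     * These two exits used to be "return 0", which is TCX_PASS by the defines
     * above, while every other exit returned TCX_NEXT. They now leave through
     * the same label so non-TCP traffic is treated like the rest.
     */
    struct iphdr ip_hdr;
    if (bpf_skb_load_bytes(skb, ETH_HLEN, &ip_hdr, sizeof(ip_hdr)) < 0)
        goto out;
    if (ip_hdr.protocol != IPPROTO_TCP) // not tcp
        goto out;

    /*
     * ihl is the IPv4 header length in 32-bit words; using it keeps the TCP
     * header offset correct when the packet carries IP options.
     */
    u32 ip_hlen = ip_hdr.ihl * 4;
    if (ip_hlen < sizeof(struct iphdr)) // malformed header length
        goto out;

    struct tcphdr tcp_hdr;
    if (bpf_skb_load_bytes(skb, ETH_HLEN + ip_hlen, &tcp_hdr,
                           sizeof(tcp_hdr)) < 0)
        goto out;

    /* Ports are in network byte order on the wire; convert them for printing. */
    bpf_printk("saddr: %pI4:%d, daddr: %pI4:%d", &ip_hdr.saddr, bpf_ntohs(tcp_hdr.source), &ip_hdr.daddr, bpf_ntohs(tcp_hdr.dest));

out:
    return TCX_NEXT;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/44-tcx-egress-hello/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"context"
	"github.com/cilium/ebpf"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
	"log"
	"net"
	"os"
	"os/signal"
	"syscall"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// main loads the generated BPF objects, attaches HandleEgress to the TCX
// egress hook of the chosen interface, and waits for SIGINT or SIGTERM.
func main() {
	// Lift the locked-memory rlimit before any BPF object is loaded.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	var objs bpfObjects
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	// The interface defaults to loopback; IFACE in the environment overrides it.
	ifaceName := os.Getenv("IFACE")
	if ifaceName == "" {
		ifaceName = "lo"
	}
	log.Printf("interface name: %s", ifaceName)
	iface, err := net.InterfaceByName(ifaceName)
	if err != nil {
		log.Println(err)
		return
	}

	tcxLink, err := link.AttachTCX(link.TCXOptions{
		Interface: iface.Index,
		Program:   objs.HandleEgress,
		Attach:    ebpf.AttachTCXEgress,
	})
	if err != nil {
		log.Println(err)
		return
	}
	// Closing the link on return detaches the program from the interface.
	defer tcxLink.Close()

	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()

	log.Println("...")
	<-ctx.Done()
	log.Println("bye bye")
}

--------------------------------------------------------------------------------
/44-tcx-egress-hello/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include
#include
#include
#include

#define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4
#define ETH_HLEN 14 /* Total octets in header. */

#define TCX_NEXT -1
#define TCX_PASS 0
#define TCX_DROP 2
#define TCX_REDIRECT 7

/*
 * handle_egress logs the source and destination address and port of
 * IPv4/TCP packets seen on egress. It is an observer only: every path
 * returns TCX_NEXT, which leaves the verdict to the next program.
 */
SEC("tcx/egress")
int handle_egress(struct __sk_buff *skb) {
    /* NOTE(review): the return value of the pull is not checked. */
    bpf_skb_pull_data(skb, 0);

    u16 h_proto;
    if (bpf_skb_load_bytes(skb, offsetof(struct ethhdr, h_proto), &h_proto,
                           sizeof(h_proto)) < 0)
        goto out;
    if (bpf_ntohs(h_proto) != ETH_P_IP) // not ipv4
        goto out;

    /*
     * These two exits used to be "return 0", which is TCX_PASS by the defines
     * above, while every other exit returned TCX_NEXT. They now leave through
     * the same label so non-TCP traffic is treated like the rest.
     */
    struct iphdr ip_hdr;
    if (bpf_skb_load_bytes(skb, ETH_HLEN, &ip_hdr, sizeof(ip_hdr)) < 0)
        goto out;
    if (ip_hdr.protocol != IPPROTO_TCP) // not tcp
        goto out;

    /*
     * ihl is the IPv4 header length in 32-bit words; using it keeps the TCP
     * header offset correct when the packet carries IP options.
     */
    u32 ip_hlen = ip_hdr.ihl * 4;
    if (ip_hlen < sizeof(struct iphdr)) // malformed header length
        goto out;

    struct tcphdr tcp_hdr;
    if (bpf_skb_load_bytes(skb, ETH_HLEN + ip_hlen, &tcp_hdr,
                           sizeof(tcp_hdr)) < 0)
        goto out;

    /* Ports are in network byte order on the wire; convert them for printing. */
    bpf_printk("saddr: %pI4:%d, daddr: %pI4:%d", &ip_hdr.saddr, bpf_ntohs(tcp_hdr.source), &ip_hdr.daddr, bpf_ntohs(tcp_hdr.dest));

out:
    return TCX_NEXT;
}

char _license[] SEC("license") = "GPL";
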
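--------------------------------------------------------------------------------
/43-tcx-ingress-hello/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"context"
	"github.com/cilium/ebpf"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
	"log"
	"net"
	"os"
	"os/signal"
	"syscall"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// main loads the generated BPF objects, attaches HandleIngress to the TCX
// ingress hook of the chosen interface, and waits for SIGINT or SIGTERM.
func main() {
	// Lift the locked-memory rlimit before any BPF object is loaded.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	var objs bpfObjects
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	// The interface defaults to loopback; IFACE in the environment overrides it.
	ifaceName := os.Getenv("IFACE")
	if ifaceName == "" {
		ifaceName = "lo"
	}
	log.Printf("interface name: %s", ifaceName)
	iface, err := net.InterfaceByName(ifaceName)
	if err != nil {
		log.Println(err)
		return
	}

	tcxLink, err := link.AttachTCX(link.TCXOptions{
		Interface: iface.Index,
		Program:   objs.HandleIngress,
		Attach:    ebpf.AttachTCXIngress,
	})
	if err != nil {
		log.Println(err)
		return
	}
	// Closing the link on return detaches the program from the interface.
	defer tcxLink.Close()

	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGINT, syscall.SIGTERM)
	defer stop()

	log.Println("...")
	<-ctx.Done()
	log.Println("bye bye")
}

--------------------------------------------------------------------------------
/34-iter-task-hello/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"bufio"
	"log"
	"strings"
	"syscall"

	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output

// RawLinkReader reads from, and closes, the file descriptor of a raw link.
// NOTE(review): main in this file does not use it; it reads through
// iter.Open() instead.
type RawLinkReader struct {
	l *link.RawLink
}

// Read reads from the link's file descriptor into p with read(2).
func (r *RawLinkReader) Read(p []byte) (n int, err error) {
	return syscall.Read(r.l.FD(), p)
}

// Close closes the link's file descriptor directly with close(2). The link
// object is not told, so closing the link as well afterwards would act on a
// descriptor number that is already closed.
func (r *RawLinkReader) Close() error {
	return syscall.Close(r.l.FD())
}

// main loads the generated BPF objects, attaches the task iterator program,
// and logs one line per tab-separated record the iterator emits.
func main() {
	// Lift the locked-memory rlimit before any BPF object is loaded.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	objs := bpfObjects{}
	if err := loadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	iter, err := link.AttachIter(link.IterOptions{
		Program: objs.IterTask,
	})
	if err != nil {
		log.Println(err)
		return
	}
	// The iterator link was never closed before; release it on return.
	defer iter.Close()

	reader, err := iter.Open()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	scanner := bufio.NewScanner(reader)
	for scanner.Scan() {
		line := scanner.Text()
		fields := strings.Split(line, "\t")
		// The comm column is a name the task can set for itself, so a record
		// is not guaranteed to split into three fields. Indexing without this
		// check would panic on a short record.
		if len(fields) < 3 {
			log.Printf("skipping malformed record: %q", line)
			continue
		}
		log.Printf("ppid: %s, pid: %s, comm: %s", fields[0], fields[1], fields[2])
	}
	// Scan returns false on read errors as well as on EOF; report the former
	// so a truncated listing is not mistaken for a complete one.
	if err := scanner.Err(); err != nil {
		log.Println(err)
	}
}

--------------------------------------------------------------------------------
/09-map-map-type-hash-userspace/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include "common.h"
#include
#include
#include

/* BPF_MAP_TYPE_HASH */
/* pid_event_map: the most recent openat event per pid (later events overwrite). */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, u32);
    __type(value, struct event_t);
    __uint(max_entries, 1024 * 16 /* number */);
} pid_event_map SEC(".maps");

/*
 * pid_filter: pids to trace; only entries with value 1 pass the check below.
 * NOTE(review): nothing in this file writes it -- presumably filled from user
 * space; confirm in main.go.
 */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __type(key, u32);
    __type(value, u8);
    __uint(max_entries, 1024 * 16 /* number */);
} pid_filter SEC(".maps");

/*
 * Runs on entry to openat. For pids present in pid_filter with value 1 it
 * stores pid, comm and the path argument in pid_event_map and prints them to
 * the trace pipe; all other pids are ignored.
 */
SEC("tracepoint/syscalls/sys_enter_openat")
int tracepoint__syscalls__sys_enter_openat(
    struct trace_event_raw_sys_enter *ctx) {
    /* The upper 32 bits of pid_tgid hold the tgid (the user-visible PID). */
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    u8 *allow;
    allow = bpf_map_lookup_elem(&pid_filter, &pid);
    if (!(allow && *allow == 1)) {
        return 0;
    }

    /* Zero-initialised, so unused bytes of comm/file are not stack residue. */
    struct event_t event = {};
    event.pid = pid;
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
    char *fn_ptr;
    /* args[1] is a user-space pointer, hence the *_user_str read below. */
    fn_ptr = (char *)(ctx->args[1]);
    /* NOTE(review): the read's return value is ignored; file stays empty on failure. */
    bpf_core_read_user_str(&event.file, sizeof(event.file), fn_ptr);

    /* NOTE(review): the update can fail (e.g. map full); the result is not checked. */
    bpf_map_update_elem(&pid_event_map, &pid, &event, BPF_ANY);

    char fmt[] = "%d %s open %s\n";
    bpf_trace_printk(fmt, sizeof(fmt), event.pid, event.comm, event.file);
    return 0;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/35-tracepoint-args-use-custom-struct/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include "common.h"
#include
#include
#include

/* BPF ringbuf map */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 16 * 1024 /* 16 KB */);
} events SEC(".maps");


// sudo cat /sys/kernel/debug/tracing/events/syscalls/sys_enter_fchmodat/format
/*
 * Hand-written view of the tracepoint record: 16 bytes that are skipped,
 * followed by the three syscall arguments. The layout is copied from the
 * format file named above, so it has to be re-checked against that file on
 * the kernel the program is built for.
 */
struct sys_enter_fchmodat_args {
    char _[16];
    long dfd;
    long filename_ptr;
    long mode;
};

/*
 * Runs on entry to fchmodat and submits one event_t per call: caller pid,
 * parent pid, comm, the path argument and the requested mode.
 */
SEC("tracepoint/syscalls/sys_enter_fchmodat")
int tracepoint__syscalls__sys_enter_fchmodat(
    struct sys_enter_fchmodat_args *ctx) {
    struct event_t *event;
    event = bpf_ringbuf_reserve(&events, sizeof(*event), 0);
    if (!event) {
        /* Ring buffer full: this call is not recorded. */
        return 0;
    }

    struct task_struct *task = (struct task_struct *)bpf_get_current_task();

    /* The upper 32 bits of pid_tgid hold the tgid (the user-visible PID). */
    event->host_pid = bpf_get_current_pid_tgid() >> 32;
    event->host_ppid = BPF_CORE_READ(task, real_parent, tgid);
    bpf_get_current_comm(&event->comm, sizeof(event->comm));

    /* filename_ptr is a user-space pointer, hence the *_user_str read below. */
    char *filename_ptr = (char *)ctx->filename_ptr;
    /*
     * NOTE(review): the return value is ignored and the record is not cleared
     * after bpf_ringbuf_reserve(), so nothing here sets the bytes after the
     * terminating NUL. Consumers should read filename only up to the first NUL.
     */
    bpf_core_read_user_str(&event->filename, sizeof(event->filename),
                           filename_ptr);
    event->mode = (u32)ctx->mode;

    bpf_ringbuf_submit(event, 0);
    return 0;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/10-map-map-type-array/main.bpf.c:
--------------------------------------------------------------------------------
#include "vmlinux.h"

#include "common.h"
#include
#include
#include

/* BPF_MAP_TYPE_ARRAY */
/*
 * pid_event_map: the most recent openat event per pid, indexed by pid. An
 * array map only has slots 0 .. max_entries-1, so a pid at or above
 * 1024 * 1024 has no slot.
 */
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __type(key, u32);
    __type(value, struct event_t);
    __uint(max_entries, 1024 * 1024 /* should match key size */);
} pid_event_map SEC(".maps");

/*
 * pid_filter: indexed by pid; only slots holding 1 pass the check below.
 * NOTE(review): nothing in this file writes it -- presumably filled from user
 * space; confirm in main.go.
 */
struct {
    __uint(type, BPF_MAP_TYPE_ARRAY);
    __type(key, u32);
    __type(value, u8);
    __uint(max_entries, 1024 * 1024 /* should match key size */);
} pid_filter SEC(".maps");

/*
 * Runs on entry to openat. For pids whose pid_filter slot holds 1 it stores
 * pid, comm and the path argument in pid_event_map and prints them to the
 * trace pipe; all other pids, including those with no slot, are ignored.
 */
SEC("tracepoint/syscalls/sys_enter_openat")
int tracepoint__syscalls__sys_enter_openat(
    struct trace_event_raw_sys_enter *ctx) {
    /* The upper 32 bits of pid_tgid hold the tgid (the user-visible PID). */
    u32 pid = bpf_get_current_pid_tgid() >> 32;
    u8 *allow;
    allow = bpf_map_lookup_elem(&pid_filter, &pid);
    if (!(allow && *allow == 1)) {
        return 0;
    }

    /* Zero-initialised, so unused bytes of comm/file are not stack residue. */
    struct event_t event = {};
    event.pid = pid;
    bpf_get_current_comm(&event.comm, sizeof(event.comm));
    char *fn_ptr;
    /* args[1] is a user-space pointer, hence the *_user_str read below. */
    fn_ptr = (char *)(ctx->args[1]);
    /* NOTE(review): the read's return value is ignored; file stays empty on failure. */
    bpf_core_read_user_str(&event.file, sizeof(event.file), fn_ptr);

    /* NOTE(review): the update result is not checked. */
    bpf_map_update_elem(&pid_event_map, &pid, &event, BPF_ANY);

    char fmt[] = "%d %s open %s\n";
    bpf_trace_printk(fmt, sizeof(fmt), event.pid, event.comm, event.file);
    return 0;
}

char _license[] SEC("license") = "GPL";

--------------------------------------------------------------------------------
/21-tc-parse-packet-with-bpf_skb_load_bytes/main.go: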
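--------------------------------------------------------------------------------
package main

import (
	"context"
	"errors"
	"log"
	"os/signal"
	"syscall"

	bpf "github.com/aquasecurity/libbpfgo"
)

// main loads main.bpf.o, creates a tc ingress hook on the loopback interface,
// attaches the handle_ingress program to it, and detaches the program again
// once SIGINT or SIGTERM arrives.
func main() {
	bpfModule, err := bpf.NewModuleFromFile("main.bpf.o")
	if err != nil {
		panic(err)
	}
	defer bpfModule.Close()

	if err := bpfModule.BPFLoadObject(); err != nil {
		panic(err)
	}
	hook := bpfModule.TcHookInit()
	err = hook.SetInterfaceByName("lo")
	if err != nil {
		log.Fatalf("failed to set tc hook on interface lo: %v", err)
	}

	hook.SetAttachPoint(bpf.BPFTcIngress)
	// A hook that already exists is fine; every other failure is fatal. The
	// earlier check type-asserted syscall.Errno and so let any error of a
	// different type pass silently, continuing with a hook that may not exist.
	if err := hook.Create(); err != nil && !errors.Is(err, syscall.EEXIST) {
		log.Fatalf("tc hook create: %v", err)
	}

	// Check the error as well as the pointer before the program is used.
	tcProg, err := bpfModule.GetProgram("handle_ingress")
	if err != nil || tcProg == nil {
		log.Fatal(err)
	}

	var tcOpts bpf.TcOpts
	tcOpts.ProgFd = int(tcProg.GetFd())
	tcOpts.Handle = 1
	tcOpts.Priority = 1
	err = hook.Attach(&tcOpts)
	if err != nil {
		log.Fatal(err)
	}
	defer func() {
		// Detach identifies the filter by handle and priority, so the program
		// fields are cleared first.
		tcOpts.ProgFd = 0
		tcOpts.ProgId = 0
		if err := hook.Detach(&tcOpts); err != nil {
			log.Println(err)
		}
	}()

	ctx, stop := signal.NotifyContext(
		context.Background(), syscall.SIGINT, syscall.SIGTERM,
	)
	defer stop()

	log.Println("...")
	<-ctx.Done()
	log.Println("bye bye")
}

--------------------------------------------------------------------------------
/45-iter-task-write-struct/cilium-ebpf/main.go:
--------------------------------------------------------------------------------
package main

import (
	"encoding/binary"
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
	"io"
	"log"
	"strings"
)

// $BPF_CLANG and $BPF_CFLAGS are set by the Makefile
//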
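//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS -type event_t Bpf ../main.bpf.c -- -I../ -I../output

// main attaches the task iterator program, reads fixed-size event records from
// it until the end of the stream, and logs each record.
func main() {
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal(err)
	}

	objs := BpfObjects{}
	if err := LoadBpfObjects(&objs, nil); err != nil {
		log.Fatal(err)
	}
	defer objs.Close()

	iter, err := link.AttachIter(link.IterOptions{
		Program: objs.IterTask,
	})
	if err != nil {
		log.Println(err)
		return
	}
	defer iter.Close()

	reader, err := iter.Open()
	if err != nil {
		log.Println(err)
		return
	}
	defer reader.Close()

	for {
		event := BpfEventT{}
		err := binary.Read(reader, binary.LittleEndian, &event)
		if err == io.EOF {
			// No more records: this is the normal way out of the loop, not
			// something to report as a read failure.
			break
		}
		if err != nil {
			// Any other error, a truncated record included, leaves the stream
			// position unknown. Stop instead of retrying in a tight loop and
			// decoding records from the wrong offset.
			log.Printf("read event: %s", err)
			break
		}

		// comm presumably holds the task's command name, which a process can
		// set itself; %q keeps newlines and control characters from reaching
		// the log unescaped.
		log.Printf("ppid: %d, pid: %d, comm: %q",
			event.Ppid, event.Pid, GoString(event.Comm[:]))
	}
}

// GoString converts a C character array to a Go string, stopping at the first
// NUL byte or at the end of the slice when there is none.
func GoString(cstring []int8) string {
	var bs strings.Builder

	for _, i := range cstring {
		b := byte(i)
		if b == '\x00' {
			break
		}
		bs.WriteByte(b)
	}

	return bs.String()
}
-------------------------------------------------------------------------------- /11-map-pin/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "log" 5 | "os" 6 | "os/signal" 7 | "syscall" 8 | 9 | "github.com/cilium/ebpf" 10 | "github.com/cilium/ebpf/link" 11 | "github.com/cilium/ebpf/rlimit" 12 | ) 13 | 14 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 15 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 16 | 17 | type Event struct { 18 | Pid uint32 19 | Ret uint32 20 | FileName [256]byte 21 | } 22 | 23 | func main() { 24 | if err := 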
rlimit.RemoveMemlock(); err != nil { 25 | log.Fatal(err) 26 | } 27 | 28 | objs := bpfObjects{} 29 | if err := loadBpfObjects(&objs, &ebpf.CollectionOptions{ 30 | Maps: ebpf.MapOptions{ 31 | PinPath: "/sys/fs/bpf", 32 | }, 33 | }); err != nil { 34 | log.Fatal(err) 35 | } 36 | defer objs.Close() 37 | 38 | tpEnter, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TracepointSyscallsSysEnterOpenat, nil) 39 | if err != nil { 40 | log.Println(err) 41 | return 42 | } 43 | defer tpEnter.Close() 44 | tpExit, err := link.Tracepoint("syscalls", "sys_exit_openat", objs.TracepointSyscallsSysExitOpenat, nil) 45 | if err != nil { 46 | log.Println(err) 47 | return 48 | } 49 | defer tpExit.Close() 50 | 51 | path := "pid_event_map" 52 | log.Printf("pin path: %s", path) 53 | log.Println("Waiting...") 54 | 55 | ch := make(chan os.Signal, 1) 56 | signal.Notify(ch, os.Interrupt, syscall.SIGTERM) 57 | // unpin 58 | <-ch 59 | log.Printf("unpin...") 60 | if err := objs.PidEventMap.Unpin(); err != nil { 61 | log.Printf("unpin %s failed: %s", path, err) 62 | } 63 | } 64 | -------------------------------------------------------------------------------- /33-xdp-hello/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | 8 | #define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4 9 | #define ETH_HLEN 14 /* Total octets in header. 
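*/


struct event_t {
};

struct {
    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
    __uint(key_size, sizeof(u32));
    __uint(value_size, sizeof(u32));
} events SEC(".maps");

/*
 * handle_xdp reports IPv4 TCP packets addressed to port 9090 through the
 * "events" perf buffer. It never drops or rewrites traffic: every path
 * returns XDP_PASS.
 */
SEC("xdp")
int handle_xdp(struct xdp_md *ctx) {
    void *data_end = (void *)(long)ctx->data_end;
    void *data = (void *)(long)ctx->data;

    /*
     * Only IPv4 frames carry the struct iphdr parsed below. Without this
     * check the bytes of any other frame type (IPv6, ARP, ...) would be
     * read as an IPv4 header and could match by accident.
     */
    struct ethhdr *eth_hdr = data;
    if ((void *)eth_hdr + sizeof(struct ethhdr) > data_end) {
        return XDP_PASS;
    }
    if (eth_hdr->h_proto != bpf_htons(ETH_P_IP)) { // not ipv4
        return XDP_PASS;
    }

    struct iphdr *ip_hdr = data + ETH_HLEN;
    if ((void *)ip_hdr + sizeof(struct iphdr) > data_end) {
        return XDP_PASS;
    }
    if (ip_hdr->protocol != IPPROTO_TCP) { // not tcp
        return XDP_PASS;
    }

    /*
     * ihl counts 32-bit words and is larger than 5 when the header carries
     * IP options, so the TCP header does not always start right after
     * sizeof(struct iphdr).
     */
    u32 ip_hdr_len = ip_hdr->ihl * 4;
    if (ip_hdr_len < sizeof(struct iphdr)) { // malformed header length
        return XDP_PASS;
    }

    struct tcphdr *tcp_hdr = (void *)ip_hdr + ip_hdr_len;
    if ((void *)tcp_hdr + sizeof(struct tcphdr) > data_end) {
        return XDP_PASS;
    }
    if (tcp_hdr->dest != bpf_htons(9090)) // not 9090 port
        return XDP_PASS;
    // if (tcp_hdr->psh == 0) // no payload
    //     return XDP_PASS;

    struct event_t event = {};

    /*
     * The upper 32 bits of flags ask the helper to append that many bytes
     * of the packet to the sample. The whole frame, payload included, is
     * exported to user space; cap save_size if only the headers are needed.
     */
    u64 flags = BPF_F_CURRENT_CPU;
    u64 save_size = (u64)(data_end - data);
    // save_size = min(save_size, 1024);
    flags |= save_size << 32;
    bpf_perf_event_output(ctx, &events, flags, &event, sizeof(event));

    return XDP_PASS;
}

char _license[] SEC("license") = "GPL";
-------------------------------------------------------------------------------- /37-tracepoint-sched_process_exec/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include "common.h" 4 | #include 5 | #include 6 | #include 7 | 8 | /* BPF ringbuf map */ 9 | struct { 10 | __uint(type, BPF_MAP_TYPE_RINGBUF); 11 | __uint(max_entries, 16 * 1024 /* 16 KB */); 12 | } events SEC(".maps"); 13 | 14 | 15 | SEC("tracepoint/sched/sched_process_exec") 16 | int tracepoint__sched__sched_process_exec( 17 | struct trace_event_raw_sched_process_exec *ctx) { 18 | struct event_t *event; 19 | event = bpf_ringbuf_reserve(&events, sizeof(*event), 0); 20 | if (!event) 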
{ 21 | return 0; 22 | } 23 | 24 | struct task_struct *task = (struct task_struct *)bpf_get_current_task(); 25 | 26 | event->host_pid = bpf_get_current_pid_tgid() >> 32; 27 | event->host_ppid = BPF_CORE_READ(task, real_parent, tgid); 28 | bpf_get_current_comm(&event->comm, sizeof(event->comm)); 29 | 30 | unsigned int filename_loc = BPF_CORE_READ(ctx, __data_loc_filename) & 0xFFFF; 31 | bpf_probe_read_str(&event->filename, sizeof(event->filename), (void *)ctx + filename_loc); 32 | 33 | void *arg_start = (void *)BPF_CORE_READ(task, mm, arg_start); 34 | void *arg_end = (void *)BPF_CORE_READ(task, mm, arg_end); 35 | unsigned long arg_length = arg_end - arg_start; 36 | arg_length = arg_length < ARGV_LEN ? arg_length : ARGV_LEN; 37 | int arg_ret = bpf_probe_read(&event->argv, arg_length, arg_start); 38 | if (!arg_ret) { 39 | event->argv_size = arg_length; 40 | } 41 | 42 | bpf_ringbuf_submit(event, 0); 43 | return 0; 44 | } 45 | 46 | char _license[] SEC("license") = "GPL"; 47 | -------------------------------------------------------------------------------- /31-ksyscall-hello-with-macro/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include "common.h" 4 | #include 5 | #include 6 | #include 7 | 8 | /* BPF ringbuf map */ 9 | struct { 10 | __uint(type, BPF_MAP_TYPE_RINGBUF); 11 | __uint(max_entries, 256 * 1024 /* 256 KB */); 12 | } events SEC(".maps"); 13 | 14 | struct { 15 | __uint(type, BPF_MAP_TYPE_HASH); 16 | __uint(max_entries, 10240); 17 | __type(key, pid_t); 18 | __type(value, struct event); 19 | } tmp_map SEC(".maps"); 20 | 21 | SEC("ksyscall/openat") 22 | int BPF_KSYSCALL(ksyscall__openat, int dfd, const char *filename) { 23 | struct event e = {0} ; 24 | 25 | pid_t tid = (pid_t)bpf_get_current_pid_tgid(); 26 | 27 | e.pid = bpf_get_current_pid_tgid() >> 32; 28 | 29 | bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename); 30 | 31 | bpf_map_update_elem(&tmp_map, &tid, &e, 
BPF_NOEXIST); 32 | 33 | return 0; 34 | } 35 | 36 | SEC("kretsyscall/openat") 37 | int BPF_KRETPROBE(kretsyscall__openat, long ret) { 38 | struct event *e; 39 | 40 | pid_t tid = (pid_t)bpf_get_current_pid_tgid(); 41 | 42 | struct event *tmp; 43 | tmp = bpf_map_lookup_elem(&tmp_map, &tid); 44 | if (!tmp) { 45 | return 0; 46 | } 47 | 48 | e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); 49 | if (!e) { 50 | return 0; 51 | } 52 | 53 | e->ret = ret; 54 | e->pid = tmp->pid; 55 | __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename)); 56 | 57 | 58 | bpf_ringbuf_submit(e, 0); 59 | 60 | bpf_map_delete_elem(&tmp_map, &tid); 61 | 62 | return 0; 63 | } 64 | 65 | char _license[] SEC("license") = "GPL"; 66 | -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include "common.h" 4 | #include 5 | #include 6 | #include 7 | 8 | /* BPF ringbuf map */ 9 | struct { 10 | __uint(type, BPF_MAP_TYPE_RINGBUF); 11 | __uint(max_entries, 256 * 1024 /* 256 KB */); 12 | } events SEC(".maps"); 13 | 14 | struct { 15 | __uint(type, BPF_MAP_TYPE_HASH); 16 | __uint(max_entries, 10240); 17 | __type(key, pid_t); 18 | __type(value, struct event); 19 | } tmp_map SEC(".maps"); 20 | 21 | SEC("kprobe/do_sys_openat2") 22 | int BPF_KPROBE(kprobe__do_sys_openat2, int dfd, const char *filename) { 23 | struct event e = {0} ; 24 | 25 | pid_t tid = (pid_t)bpf_get_current_pid_tgid(); 26 | 27 | e.pid = bpf_get_current_pid_tgid() >> 32; 28 | 29 | bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename); 30 | 31 | bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST); 32 | 33 | return 0; 34 | } 35 | 36 | SEC("kretprobe/do_sys_openat2") 37 | int BPF_KRETPROBE(kretprobe__do_sys_openat2, long ret) { 38 | struct event *e; 39 | 40 | pid_t tid = (pid_t)bpf_get_current_pid_tgid(); 41 | 42 | struct event *tmp; 43 | tmp = 
bpf_map_lookup_elem(&tmp_map, &tid); 44 | if (!tmp) { 45 | return 0; 46 | } 47 | 48 | e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); 49 | if (!e) { 50 | return 0; 51 | } 52 | 53 | e->ret = ret; 54 | e->pid = tmp->pid; 55 | __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename)); 56 | 57 | 58 | bpf_ringbuf_submit(e, 0); 59 | 60 | bpf_map_delete_elem(&tmp_map, &tid); 61 | 62 | return 0; 63 | } 64 | 65 | char _license[] SEC("license") = "GPL"; 66 | -------------------------------------------------------------------------------- /03-ring-buf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "fmt" 7 | "log" 8 | 9 | bpf "github.com/aquasecurity/libbpfgo" 10 | ) 11 | 12 | type gdata struct { 13 | Pid uint32 14 | FileName string 15 | } 16 | 17 | func resizeMap(module *bpf.Module, name string, size uint32) error { 18 | m, err := module.GetMap(name) 19 | if err != nil { 20 | return err 21 | } 22 | 23 | if err = m.Resize(size); err != nil { 24 | return err 25 | } 26 | 27 | if actual := m.GetMaxEntries(); actual != size { 28 | return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual) 29 | } 30 | 31 | return nil 32 | } 33 | 34 | func main() { 35 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 36 | if err != nil { 37 | panic(err) 38 | } 39 | defer bpfModule.Close() 40 | if err := resizeMap(bpfModule, "events", 8192); err != nil { 41 | panic(err) 42 | } 43 | 44 | if err := bpfModule.BPFLoadObject(); err != nil { 45 | panic(err) 46 | } 47 | prog, err := bpfModule.GetProgram("kprobe__do_sys_openat2") 48 | if err != nil { 49 | panic(err) 50 | } 51 | if _, err := prog.AttachKprobe("do_sys_openat2"); err != nil { 52 | panic(err) 53 | } 54 | 55 | eventsChannel := make(chan []byte) 56 | pb, err := bpfModule.InitRingBuf("events", eventsChannel) 57 | if err != nil { 58 | panic(err) 59 | } 60 | 61 | pb.Start() 62 | defer func() { 63 | 
pb.Stop() 64 | pb.Close() 65 | }() 66 | 67 | for { 68 | select { 69 | case e := <-eventsChannel: 70 | pid := binary.LittleEndian.Uint32(e[0:4]) 71 | fileName := string(bytes.TrimRight(e[4:], "\x00")) 72 | gd := gdata{ 73 | Pid: pid, 74 | FileName: fileName, 75 | } 76 | log.Printf("pid %d opened %q", gd.Pid, gd.FileName) 77 | } 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /32-fentry-hello/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include "common.h" 4 | #include 5 | #include 6 | #include 7 | 8 | /* BPF ringbuf map */ 9 | struct { 10 | __uint(type, BPF_MAP_TYPE_RINGBUF); 11 | __uint(max_entries, 256 * 1024 /* 256 KB */); 12 | } events SEC(".maps"); 13 | 14 | struct { 15 | __uint(type, BPF_MAP_TYPE_HASH); 16 | __uint(max_entries, 10240); 17 | __type(key, pid_t); 18 | __type(value, struct event); 19 | } tmp_map SEC(".maps"); 20 | 21 | SEC("fentry/do_sys_openat2") 22 | int BPF_PROG(fentry__do_sys_openat2, int dfd, const char *filename, struct open_how *how) { 23 | struct event e = {0} ; 24 | 25 | pid_t tid = (pid_t)bpf_get_current_pid_tgid(); 26 | 27 | e.pid = bpf_get_current_pid_tgid() >> 32; 28 | 29 | bpf_core_read_user_str(&e.filename, sizeof(e.filename), filename); 30 | 31 | 32 | bpf_map_update_elem(&tmp_map, &tid, &e, BPF_NOEXIST); 33 | 34 | return 0; 35 | } 36 | 37 | SEC("fexit/do_sys_openat2") 38 | int BPF_PROG(fexit__do_sys_openat2, int dfd, const char *filename, struct open_how *how, long ret) { 39 | struct event *e; 40 | 41 | pid_t tid = (pid_t)bpf_get_current_pid_tgid(); 42 | 43 | struct event *tmp; 44 | tmp = bpf_map_lookup_elem(&tmp_map, &tid); 45 | if (!tmp) { 46 | return 0; 47 | } 48 | 49 | e = bpf_ringbuf_reserve(&events, sizeof(*e), 0); 50 | if (!e) { 51 | return 0; 52 | } 53 | 54 | e->ret = ret; 55 | e->pid = tmp->pid; 56 | 57 | __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename)); 58 | 59 | 
bpf_ringbuf_submit(e, 0); 60 | 61 | bpf_map_delete_elem(&tmp_map, &tid); 62 | 63 | return 0; 64 | } 65 | 66 | char _license[] SEC("license") = "GPL"; 67 | -------------------------------------------------------------------------------- /04-tracepoint/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "fmt" 7 | "log" 8 | 9 | bpf "github.com/aquasecurity/libbpfgo" 10 | ) 11 | 12 | type gdata struct { 13 | Pid uint32 14 | FileName string 15 | } 16 | 17 | func resizeMap(module *bpf.Module, name string, size uint32) error { 18 | m, err := module.GetMap(name) 19 | if err != nil { 20 | return err 21 | } 22 | 23 | if err = m.Resize(size); err != nil { 24 | return err 25 | } 26 | 27 | if actual := m.GetMaxEntries(); actual != size { 28 | return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual) 29 | } 30 | 31 | return nil 32 | } 33 | 34 | func main() { 35 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 36 | if err != nil { 37 | panic(err) 38 | } 39 | defer bpfModule.Close() 40 | if err := resizeMap(bpfModule, "events", 8192); err != nil { 41 | panic(err) 42 | } 43 | 44 | if err := bpfModule.BPFLoadObject(); err != nil { 45 | panic(err) 46 | } 47 | prog, err := bpfModule.GetProgram("tracepoint_openat") 48 | if err != nil { 49 | panic(err) 50 | } 51 | if _, err := prog.AttachTracepoint("syscalls", "sys_enter_openat"); err != nil { 52 | panic(err) 53 | } 54 | 55 | eventsChannel := make(chan []byte) 56 | pb, err := bpfModule.InitRingBuf("events", eventsChannel) 57 | if err != nil { 58 | panic(err) 59 | } 60 | 61 | pb.Start() 62 | defer func() { 63 | pb.Stop() 64 | pb.Close() 65 | }() 66 | 67 | for { 68 | select { 69 | case e := <-eventsChannel: 70 | pid := binary.LittleEndian.Uint32(e[0:4]) 71 | fileName := string(bytes.TrimRight(e[4:], "\x00")) 72 | gd := gdata{ 73 | Pid: pid, 74 | FileName: fileName, 75 | } 76 | log.Printf("pid %d opened 
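%q", gd.Pid, gd.FileName) 77 | } 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /28-kprobe-hello/main.bpf.c: --------------------------------------------------------------------------------
#include "vmlinux.h"

#include "common.h"
/*
 * NOTE(review): the three <...> header names are missing from this listing.
 * These are the libbpf headers that declare the macros and helpers used
 * below; confirm them against the repository.
 */
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/* BPF ringbuf map */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024 /* 256 KB */);
} events SEC(".maps");

/* Per-thread scratch entries that carry the file name from entry to return. */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 10240);
    __type(key, pid_t);
    __type(value, struct event);
} tmp_map SEC(".maps");

/*
 * Entry probe: records the calling process id and the file name argument of
 * do_sys_openat2 in tmp_map, keyed by the thread id.
 */
SEC("kprobe/do_sys_openat2")
int kprobe__do_sys_openat2(struct pt_regs *ctx) {
    struct event e = {0};

    /* The low 32 bits of the helper's result are the thread id. */
    pid_t tid = (pid_t)bpf_get_current_pid_tgid();

    e.pid = bpf_get_current_pid_tgid() >> 32;

    char *fn_ptr = (char *)PT_REGS_PARM2_CORE(ctx);
    bpf_core_read_user_str(&e.filename, sizeof(e.filename), fn_ptr);

    /*
     * A thread is inside at most one call at a time, so an entry already
     * stored for this tid is left over from a call whose return probe did
     * not clean up. BPF_ANY overwrites it; BPF_NOEXIST would keep the old
     * file name and the return probe would report it for this call.
     */
    bpf_map_update_elem(&tmp_map, &tid, &e, BPF_ANY);

    return 0;
}

/*
 * Return probe: pairs the stored entry with the return value, publishes the
 * event on the ring buffer and removes the entry.
 */
SEC("kretprobe/do_sys_openat2")
int kretprobe__do_sys_openat2(struct pt_regs *ctx) {
    pid_t tid = (pid_t)bpf_get_current_pid_tgid();

    struct event *tmp = bpf_map_lookup_elem(&tmp_map, &tid);
    if (!tmp) {
        return 0;
    }

    struct event *e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
    if (e) {
        e->ret = (long)PT_REGS_RC_CORE(ctx);
        e->pid = tmp->pid;
        __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename));

        bpf_ringbuf_submit(e, 0);
    }

    /*
     * Remove the entry even when the ring buffer was full. Leaving it behind
     * would leak map slots and attach this file name to a later call made by
     * the same thread.
     */
    bpf_map_delete_elem(&tmp_map, &tid);

    return 0;
}

char _license[] SEC("license") = "GPL";
-------------------------------------------------------------------------------- /30-ksyscall-hello/main.bpf.c: 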
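--------------------------------------------------------------------------------
#include "vmlinux.h"

#include "common.h"
/*
 * NOTE(review): the three <...> header names are missing from this listing.
 * These are the libbpf headers that declare the macros and helpers used
 * below; confirm them against the repository.
 */
#include <bpf/bpf_core_read.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

/* BPF ringbuf map */
struct {
    __uint(type, BPF_MAP_TYPE_RINGBUF);
    __uint(max_entries, 256 * 1024 /* 256 KB */);
} events SEC(".maps");

/* Per-thread scratch entries that carry the file name from entry to return. */
struct {
    __uint(type, BPF_MAP_TYPE_HASH);
    __uint(max_entries, 10240);
    __type(key, pid_t);
    __type(value, struct event);
} tmp_map SEC(".maps");

/*
 * Entry probe: records the calling process id and the file name argument of
 * openat in tmp_map, keyed by the thread id.
 */
SEC("ksyscall/openat")
int ksyscall__openat(struct pt_regs *ctx) {
    struct event e = {0};

    /* The low 32 bits of the helper's result are the thread id. */
    pid_t tid = (pid_t)bpf_get_current_pid_tgid();

    e.pid = bpf_get_current_pid_tgid() >> 32;

    /*
     * The probe's first argument is read as a pointer to a second pt_regs,
     * and the file name pointer is taken from that inner register set.
     */
    struct pt_regs *regs = (struct pt_regs *)PT_REGS_PARM1_CORE(ctx);
    char *fn_ptr = (char *)PT_REGS_PARM2_CORE(regs);
    bpf_core_read_user_str(&e.filename, sizeof(e.filename), fn_ptr);

    /*
     * A thread is inside at most one openat call at a time, so an entry
     * already stored for this tid is left over from a call whose return
     * probe did not clean up. BPF_ANY overwrites it; BPF_NOEXIST would keep
     * the old file name and the return probe would report it for this call.
     */
    bpf_map_update_elem(&tmp_map, &tid, &e, BPF_ANY);

    return 0;
}

/*
 * Return probe: pairs the stored entry with the return value, publishes the
 * event on the ring buffer and removes the entry.
 */
SEC("kretsyscall/openat")
int kretsyscall__openat(struct pt_regs *ctx) {
    pid_t tid = (pid_t)bpf_get_current_pid_tgid();

    struct event *tmp = bpf_map_lookup_elem(&tmp_map, &tid);
    if (!tmp) {
        return 0;
    }

    struct event *e = bpf_ringbuf_reserve(&events, sizeof(*e), 0);
    if (e) {
        e->ret = (long)PT_REGS_RC_CORE(ctx);
        e->pid = tmp->pid;
        __builtin_memcpy(&e->filename, tmp->filename, sizeof(e->filename));

        bpf_ringbuf_submit(e, 0);
    }

    /*
     * Remove the entry even when the ring buffer was full. Leaving it behind
     * would leak map slots and attach this file name to a later call made by
     * the same thread.
     */
    bpf_map_delete_elem(&tmp_map, &tid);

    return 0;
}

char _license[] SEC("license") = "GPL";
-------------------------------------------------------------------------------- /22-tail-calls/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | 7 | 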
SEC("raw_tracepoint/sys_enter") 8 | int enter_fchmodat(struct bpf_raw_tracepoint_args *ctx) { 9 | struct pt_regs *regs; 10 | regs = (struct pt_regs *)ctx->args[0]; 11 | 12 | // int fchmodat(int dirfd, const char *pathname, mode_t mode, int flags); 13 | char pathname[256]; 14 | u32 mode; 15 | 16 | char *pathname_ptr = (char *)PT_REGS_PARM2_CORE(regs); 17 | bpf_core_read_user_str(&pathname, sizeof(pathname), pathname_ptr); 18 | mode = (u32)PT_REGS_PARM3_CORE(regs); 19 | 20 | char fmt[] = "fchmodat %s %d\n"; 21 | bpf_trace_printk(fmt, sizeof(fmt), &pathname, mode); 22 | return 0; 23 | } 24 | 25 | struct { 26 | __uint(type, BPF_MAP_TYPE_PROG_ARRAY); 27 | __uint(key_size, sizeof(u32)); 28 | __uint(value_size, sizeof(u32)); 29 | __uint(max_entries, 1024); 30 | } tail_jmp_map SEC(".maps"); 31 | 32 | // init with values 33 | //struct { 34 | // __uint(type, BPF_MAP_TYPE_PROG_ARRAY); 35 | // __uint(key_size, sizeof(u32)); 36 | // __uint(value_size, sizeof(u32)); 37 | // __uint(max_entries, 1024); 38 | // __array(values, int (void *)); 39 | //} tail_jmp_map SEC(".maps") = { 40 | // .values = { 41 | // [268] = (void *)&enter_fchmodat, 42 | // }, 43 | //}; 44 | 45 | SEC("raw_tracepoint/sys_enter") 46 | int raw_tracepoint__sys_enter(struct bpf_raw_tracepoint_args *ctx) { 47 | u32 syscall_id = ctx->args[1]; 48 | // if (syscall_id != 268) // fchmodat 49 | // return 0; 50 | 51 | bpf_tail_call(ctx, &tail_jmp_map, syscall_id); 52 | 53 | // char fmt[] = "no bpf program for syscall %d\n"; 54 | // bpf_trace_printk(fmt, sizeof(fmt), syscall_id); 55 | return 0; 56 | } 57 | 58 | 59 | char _license[] SEC("license") = "GPL"; 60 | -------------------------------------------------------------------------------- /02-perf-buf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "fmt" 7 | "log" 8 | 9 | bpf "github.com/aquasecurity/libbpfgo" 10 | ) 11 | 12 | type gdata struct { 13 | Pid 
uint32 14 | FileName string 15 | } 16 | 17 | func resizeMap(module *bpf.Module, name string, size uint32) error { 18 | m, err := module.GetMap(name) 19 | if err != nil { 20 | return err 21 | } 22 | if err = m.Resize(size); err != nil { 23 | return err 24 | } 25 | if actual := m.GetMaxEntries(); actual != size { 26 | return fmt.Errorf("map resize failed, expected %v, actual %v", size, actual) 27 | } 28 | return nil 29 | } 30 | 31 | func main() { 32 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 33 | if err != nil { 34 | panic(err) 35 | } 36 | defer bpfModule.Close() 37 | if err = resizeMap(bpfModule, "events", 8192); err != nil { 38 | panic(err) 39 | } 40 | 41 | if err := bpfModule.BPFLoadObject(); err != nil { 42 | panic(err) 43 | } 44 | prog, err := bpfModule.GetProgram("kprobe__do_sys_openat2") 45 | if err != nil { 46 | panic(err) 47 | } 48 | if _, err := prog.AttachKprobe("do_sys_openat2"); err != nil { 49 | panic(err) 50 | } 51 | 52 | eventsChannel := make(chan []byte) 53 | lostChannel := make(chan uint64) 54 | pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1) 55 | if err != nil { 56 | panic(err) 57 | } 58 | 59 | pb.Start() 60 | defer func() { 61 | pb.Stop() 62 | pb.Close() 63 | }() 64 | 65 | for { 66 | select { 67 | case e := <-eventsChannel: 68 | pid := binary.LittleEndian.Uint32(e[0:4]) 69 | fileName := string(bytes.TrimRight(e[4:], "\x00")) 70 | gd := gdata{ 71 | Pid: pid, 72 | FileName: fileName, 73 | } 74 | log.Printf("pid %d opened %q", gd.Pid, gd.FileName) 75 | case e := <-lostChannel: 76 | log.Printf("lost %d events", e) 77 | } 78 | } 79 | } 80 | -------------------------------------------------------------------------------- /27-attach-tracepoint-with-syscall/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "errors" 5 | "log" 6 | "time" 7 | 8 | "github.com/cilium/ebpf" 9 | "github.com/cilium/ebpf/asm" 10 | 
"github.com/cilium/ebpf/link" 11 | "github.com/cilium/ebpf/rlimit" 12 | ) 13 | 14 | func main() { 15 | if err := rlimit.RemoveMemlock(); err != nil { 16 | log.Fatal(err) 17 | } 18 | 19 | var progSpec = &ebpf.ProgramSpec{ 20 | Name: "hello_world", 21 | Type: ebpf.TracePoint, 22 | License: "GPL", 23 | } 24 | progSpec.Instructions = asm.Instructions{ 25 | asm.Mov.Imm(asm.R1, 10), 26 | 27 | // char fmt[] = "hello world:\n"; 28 | asm.StoreMem(asm.R10, -4, asm.R1, asm.Half), 29 | asm.Mov.Imm(asm.R1, 979659890), 30 | asm.StoreMem(asm.R10, -8, asm.R1, asm.Word), 31 | asm.LoadImm(asm.R1, 0x6f77206f6c6c6568, asm.DWord), 32 | asm.StoreMem(asm.R10, -16, asm.R1, asm.DWord), 33 | asm.Mov.Reg(asm.R1, 10), 34 | asm.ALUOp.Imm(asm.Add, asm.R1, -16), 35 | 36 | // bpf_trace_printk(fmt, sizeof(fmt)); 37 | asm.Mov.Imm(asm.R2, 14), 38 | asm.FnTracePrintk.Call(), 39 | 40 | // return 0; 41 | asm.Mov.Imm(asm.R0, 0), 42 | asm.Return(), 43 | } 44 | 45 | prog, err := ebpf.NewProgram(progSpec) 46 | if err != nil { 47 | var ve *ebpf.VerifierError 48 | if errors.As(err, &ve) { 49 | // Using %+v will print the whole verifier error, not just the last 50 | // few lines. 
51 | log.Printf("Verifier error: %+v\n", ve) 52 | } 53 | log.Printf("creating ebpf program: %+v", err) 54 | return 55 | } 56 | defer prog.Close() 57 | 58 | tp, err := link.Tracepoint("syscalls", "sys_enter_execve", prog, nil) 59 | if err != nil { 60 | log.Printf("opening tracepoint: %+v", err) 61 | return 62 | } 63 | defer tp.Close() 64 | 65 | log.Println("you can get the message via `sudo cat /sys/kernel/debug/tracing/trace_pipe`") 66 | time.Sleep(time.Minute) 67 | 68 | } 69 | -------------------------------------------------------------------------------- /33-xdp-hello/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "context" 5 | "log" 6 | "os/signal" 7 | "syscall" 8 | 9 | bpf "github.com/aquasecurity/libbpfgo" 10 | "github.com/google/gopacket" 11 | "github.com/google/gopacket/layers" 12 | ) 13 | 14 | func parseEvent(data []byte) { 15 | // Decode a packet 16 | packet := gopacket.NewPacket(data, layers.LayerTypeEthernet, gopacket.Default) 17 | // Get the TCP layer from this packet 18 | if tcpLayer := packet.Layer(layers.LayerTypeTCP); tcpLayer != nil { 19 | log.Println("This is a TCP packet!") 20 | // Get actual TCP data from this layer 21 | tcp, _ := tcpLayer.(*layers.TCP) 22 | log.Printf("From src port %d to dst port %d", tcp.SrcPort, tcp.DstPort) 23 | } 24 | } 25 | 26 | func main() { 27 | bpfModule, err := bpf.NewModuleFromFile("main.bpf.o") 28 | if err != nil { 29 | panic(err) 30 | } 31 | defer bpfModule.Close() 32 | 33 | if err := bpfModule.BPFLoadObject(); err != nil { 34 | panic(err) 35 | } 36 | 37 | xdpProg, err := bpfModule.GetProgram("handle_xdp") 38 | if xdpProg == nil { 39 | log.Fatal(err) 40 | } 41 | link, err := xdpProg.AttachXDP("lo") 42 | if err != nil { 43 | log.Fatal(err) 44 | } 45 | defer link.Destroy() 46 | 47 | eventsChannel := make(chan []byte) 48 | lostChannel := make(chan uint64) 49 | pb, err := bpfModule.InitPerfBuf("events", eventsChannel, lostChannel, 1024) 
50 | if err != nil { 51 | return 52 | } 53 | ctx, stop := signal.NotifyContext( 54 | context.Background(), syscall.SIGINT, syscall.SIGTERM, 55 | ) 56 | pb.Start() 57 | defer func() { 58 | pb.Stop() 59 | pb.Close() 60 | stop() 61 | }() 62 | 63 | log.Println("...") 64 | loop: 65 | for { 66 | select { 67 | case data := <-eventsChannel: 68 | parseEvent(data) 69 | case n := <-lostChannel: 70 | log.Printf("lost %d events", n) 71 | case <-ctx.Done(): 72 | break loop 73 | } 74 | } 75 | log.Println("bye bye~") 76 | } 77 | -------------------------------------------------------------------------------- /04-tracepoint/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | "log" 8 | "strings" 9 | 10 | "github.com/cilium/ebpf/link" 11 | "github.com/cilium/ebpf/ringbuf" 12 | "github.com/cilium/ebpf/rlimit" 13 | ) 14 | 15 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 16 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS -type event Bpf ../main.bpf.c -- -I../ -I../output 17 | 18 | func main() { 19 | if err := rlimit.RemoveMemlock(); err != nil { 20 | log.Fatal(err) 21 | } 22 | 23 | objs := BpfObjects{} 24 | if err := LoadBpfObjects(&objs, nil); err != nil { 25 | log.Fatal(err) 26 | } 27 | defer objs.Close() 28 | 29 | tp, err := link.Tracepoint("syscalls", "sys_enter_openat", objs.TracepointOpenat, nil) 30 | if err != nil { 31 | log.Println(err) 32 | return 33 | } 34 | defer tp.Close() 35 | 36 | reader, err := ringbuf.NewReader(objs.Events) 37 | if err != nil { 38 | log.Println(err) 39 | return 40 | } 41 | defer reader.Close() 42 | 43 | log.Println("Waiting for events...") 44 | 45 | for { 46 | record, err := reader.Read() 47 | if err != nil { 48 | if errors.Is(err, ringbuf.ErrClosed) { 49 | log.Println("Received signal, exiting...") 50 | return 51 | } 52 | log.Printf("reading from reader: %s", err) 53 
| continue 54 | } 55 | var event BpfEvent 56 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 57 | log.Printf("parse event: %s", err) 58 | continue 59 | } 60 | log.Printf("pid %d, file: %s", event.Pid, GoString(event.Filename[:])) 61 | 62 | } 63 | } 64 | 65 | func GoString(cstring []int8) string { 66 | var bs strings.Builder 67 | 68 | for _, i := range cstring { 69 | b := byte(i) 70 | if b == '\x00' { 71 | break 72 | } 73 | bs.WriteByte(b) 74 | } 75 | 76 | return bs.String() 77 | } 78 | -------------------------------------------------------------------------------- /03-ring-buf/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | "log" 8 | "strings" 9 | 10 | "github.com/cilium/ebpf/link" 11 | "github.com/cilium/ebpf/ringbuf" 12 | "github.com/cilium/ebpf/rlimit" 13 | ) 14 | 15 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 16 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS -type event Bpf ../main.bpf.c -- -I../ -I../output 17 | 18 | func main() { 19 | kernel_func_name := "do_sys_openat2" 20 | if err := rlimit.RemoveMemlock(); err != nil { 21 | log.Fatal(err) 22 | } 23 | 24 | objs := BpfObjects{} 25 | if err := LoadBpfObjects(&objs, nil); err != nil { 26 | log.Fatal(err) 27 | } 28 | defer objs.Close() 29 | 30 | kp, err := link.Kprobe(kernel_func_name, objs.KprobeDoSysOpenat2, nil) 31 | if err != nil { 32 | log.Println(err) 33 | return 34 | } 35 | defer kp.Close() 36 | 37 | reader, err := ringbuf.NewReader(objs.Events) 38 | if err != nil { 39 | log.Println(err) 40 | return 41 | } 42 | defer reader.Close() 43 | 44 | log.Println("Waiting for events...") 45 | 46 | for { 47 | record, err := reader.Read() 48 | if err != nil { 49 | if errors.Is(err, ringbuf.ErrClosed) { 50 | log.Println("Received signal, exiting...") 51 | return 52 | } 
53 | log.Printf("reading from reader: %s", err) 54 | continue 55 | } 56 | var event BpfEvent 57 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 58 | log.Printf("parse event: %s", err) 59 | continue 60 | } 61 | log.Printf("pid %d, file: %s", event.Pid, GoString(event.Filename[:])) 62 | 63 | } 64 | } 65 | 66 | func GoString(cstring []int8) string { 67 | var bs strings.Builder 68 | 69 | for _, i := range cstring { 70 | b := byte(i) 71 | if b == '\x00' { 72 | break 73 | } 74 | bs.WriteByte(b) 75 | } 76 | 77 | return bs.String() 78 | } 79 | -------------------------------------------------------------------------------- /28-kprobe-hello/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | "log" 8 | 9 | "github.com/cilium/ebpf/link" 10 | "github.com/cilium/ebpf/ringbuf" 11 | "github.com/cilium/ebpf/rlimit" 12 | "golang.org/x/sys/unix" 13 | ) 14 | 15 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 16 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 17 | 18 | type Event struct { 19 | Pid uint64 20 | Ret int64 21 | FileName [256]byte 22 | } 23 | 24 | func main() { 25 | if err := rlimit.RemoveMemlock(); err != nil { 26 | log.Fatal(err) 27 | } 28 | 29 | objs := bpfObjects{} 30 | if err := loadBpfObjects(&objs, nil); err != nil { 31 | log.Fatal(err) 32 | } 33 | defer objs.Close() 34 | 35 | kp, err := link.Kprobe("do_sys_openat2", objs.KprobeDoSysOpenat2, nil) 36 | if err != nil { 37 | log.Println(err) 38 | return 39 | } 40 | defer kp.Close() 41 | krp, err := link.Kretprobe("do_sys_openat2", objs.KretprobeDoSysOpenat2, nil) 42 | if err != nil { 43 | log.Println(err) 44 | return 45 | } 46 | defer krp.Close() 47 | 48 | reader, err := ringbuf.NewReader(objs.Events) 49 | if err != nil { 50 | log.Println(err) 
51 | return 52 | } 53 | defer reader.Close() 54 | 55 | log.Println("Waiting for events...") 56 | 57 | for { 58 | record, err := reader.Read() 59 | if err != nil { 60 | if errors.Is(err, ringbuf.ErrClosed) { 61 | log.Println("Received signal, exiting...") 62 | return 63 | } 64 | log.Printf("reading from reader: %s", err) 65 | continue 66 | } 67 | var event Event 68 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 69 | log.Printf("parse event: %s", err) 70 | continue 71 | } 72 | log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret) 73 | 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /29-kprobe-hello-with-macro/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | "log" 8 | 9 | "github.com/cilium/ebpf/link" 10 | "github.com/cilium/ebpf/ringbuf" 11 | "github.com/cilium/ebpf/rlimit" 12 | "golang.org/x/sys/unix" 13 | ) 14 | 15 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 16 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ -I../output 17 | 18 | type Event struct { 19 | Pid uint64 20 | Ret int64 21 | FileName [256]byte 22 | } 23 | 24 | func main() { 25 | if err := rlimit.RemoveMemlock(); err != nil { 26 | log.Fatal(err) 27 | } 28 | 29 | objs := bpfObjects{} 30 | if err := loadBpfObjects(&objs, nil); err != nil { 31 | log.Fatal(err) 32 | } 33 | defer objs.Close() 34 | 35 | kp, err := link.Kprobe("do_sys_openat2", objs.KprobeDoSysOpenat2, nil) 36 | if err != nil { 37 | log.Println(err) 38 | return 39 | } 40 | defer kp.Close() 41 | krp, err := link.Kretprobe("do_sys_openat2", objs.KretprobeDoSysOpenat2, nil) 42 | if err != nil { 43 | log.Println(err) 44 | return 45 | } 46 | defer krp.Close() 47 | 48 | reader, 
err := ringbuf.NewReader(objs.Events) 49 | if err != nil { 50 | log.Println(err) 51 | return 52 | } 53 | defer reader.Close() 54 | 55 | log.Println("Waiting for events...") 56 | 57 | for { 58 | record, err := reader.Read() 59 | if err != nil { 60 | if errors.Is(err, ringbuf.ErrClosed) { 61 | log.Println("Received signal, exiting...") 62 | return 63 | } 64 | log.Printf("reading from reader: %s", err) 65 | continue 66 | } 67 | var event Event 68 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 69 | log.Printf("parse event: %s", err) 70 | continue 71 | } 72 | log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret) 73 | 74 | } 75 | } 76 | -------------------------------------------------------------------------------- /init.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | set -e 3 | 4 | # base on https://github.com/aquasecurity/tracee/blob/main/Vagrantfile 5 | 6 | GO_VERSION="1.21.7" 7 | 8 | apt-get update 9 | apt-get install --yes build-essential pkgconf libelf-dev llvm-12 clang-12 bpftrace linux-tools-generic 10 | 11 | for tool in "clang" "llc" "llvm-strip" 12 | do 13 | path=$(which $tool-12) 14 | sudo ln -fs $path ${path%-*} 15 | done 16 | 17 | snap install microk8s --classic 18 | # microk8s status --wait-ready 19 | usermod -a -G microk8s vagrant 20 | microk8s enable dns 21 | 22 | mkdir -p /home/vagrant/.kube/ 23 | microk8s kubectl config view --raw > /home/vagrant/.kube/config 24 | microk8s stop 25 | 26 | apt-get install --yes apt-transport-https ca-certificates curl 27 | #curl -fsSLo /usr/share/keyrings/kubernetes-archive-keyring.gpg https://packages.cloud.google.com/apt/doc/apt-key.gpg 28 | #echo "deb [signed-by=/usr/share/keyrings/kubernetes-archive-keyring.gpg] https://apt.kubernetes.io/ kubernetes-xenial main" | tee /etc/apt/sources.list.d/kubernetes.list 29 | #apt-get update 30 | #apt-get install 
--yes kubectl 31 | #echo 'source <(kubectl completion bash)' >> /home/vagrant/.bashrc 32 | 33 | apt-get install --yes linux-tools-$(uname -r) 34 | 35 | apt-get install --yes docker.io 36 | usermod -aG docker vagrant 37 | 38 | wget https://go.dev/dl/go$GO_VERSION.linux-amd64.tar.gz 39 | tar -C /usr/local -xzf go$GO_VERSION.linux-amd64.tar.gz 40 | echo 'export PATH=$PATH:/usr/local/go/bin' >> /home/vagrant/.profile 41 | echo 'export PATH=$PATH:/usr/local/go/bin && export GOPATH=/go_workshop' >> /root/.profile 42 | 43 | echo 'PROMPT_COMMAND="history -a; $PROMPT_COMMAND"' >> /home/vagrant/.profile 44 | echo 'export PS1="$PS1\n\$ "' >> /home/vagrant/.profile 45 | echo 'export PS1="$PS1\n\$ "' >> /root/.profile 46 | cat < 0 { 57 | log.Printf("lost %d events", record.LostSamples) 58 | continue 59 | } 60 | 61 | var event BpfEvent 62 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 63 | log.Printf("parse event: %s", err) 64 | continue 65 | } 66 | log.Printf("pid %d, file: %s", event.Pid, GoString(event.Filename[:])) 67 | 68 | } 69 | } 70 | 71 | func GoString(cstring []int8) string { 72 | var bs strings.Builder 73 | 74 | for _, i := range cstring { 75 | b := byte(i) 76 | if b == '\x00' { 77 | break 78 | } 79 | bs.WriteByte(b) 80 | } 81 | 82 | return bs.String() 83 | } 84 | -------------------------------------------------------------------------------- /32-fentry-hello/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | "log" 8 | 9 | "github.com/cilium/ebpf" 10 | "github.com/cilium/ebpf/link" 11 | "github.com/cilium/ebpf/ringbuf" 12 | "github.com/cilium/ebpf/rlimit" 13 | "golang.org/x/sys/unix" 14 | ) 15 | 16 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 17 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS bpf ../main.bpf.c -- -I../ 
-I../output 18 | 19 | type Event struct { 20 | Pid uint64 21 | Ret int64 22 | FileName [256]byte 23 | } 24 | 25 | func main() { 26 | if err := rlimit.RemoveMemlock(); err != nil { 27 | log.Fatal(err) 28 | } 29 | 30 | objs := bpfObjects{} 31 | if err := loadBpfObjects(&objs, nil); err != nil { 32 | log.Fatal(err) 33 | } 34 | defer objs.Close() 35 | 36 | t1, err := link.AttachTracing(link.TracingOptions{ 37 | Program: objs.FentryDoSysOpenat2, 38 | AttachType: ebpf.AttachTraceFEntry, 39 | }) 40 | if err != nil { 41 | log.Println(err) 42 | return 43 | } 44 | defer t1.Close() 45 | t2, err := link.AttachTracing(link.TracingOptions{ 46 | Program: objs.FexitDoSysOpenat2, 47 | AttachType: ebpf.AttachTraceFExit, 48 | }) 49 | if err != nil { 50 | log.Println(err) 51 | return 52 | } 53 | defer t2.Close() 54 | 55 | reader, err := ringbuf.NewReader(objs.Events) 56 | if err != nil { 57 | log.Println(err) 58 | return 59 | } 60 | defer reader.Close() 61 | 62 | log.Println("Waiting for events...") 63 | 64 | for { 65 | record, err := reader.Read() 66 | if err != nil { 67 | if errors.Is(err, ringbuf.ErrClosed) { 68 | log.Println("Received signal, exiting...") 69 | return 70 | } 71 | log.Printf("reading from reader: %s", err) 72 | continue 73 | } 74 | var event Event 75 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 76 | log.Printf("parse event: %s", err) 77 | continue 78 | } 79 | log.Printf("pid %d, file: %s, ret: %d", event.Pid, unix.ByteSliceToString(event.FileName[:]), event.Ret) 80 | 81 | } 82 | } 83 | -------------------------------------------------------------------------------- /Vagrantfile: -------------------------------------------------------------------------------- 1 | # -*- mode: ruby -*- 2 | # vi: set ft=ruby : 3 | 4 | # base on https://github.com/aquasecurity/tracee/blob/main/Vagrantfile 5 | Vagrant.configure("2") do |config| 6 | # config.vm.box = "ubuntu/focal64" # Ubuntu 20.04 Focal Fossa (non CO-RE) 7 | # 
config.vm.box = "ubuntu/hirsute64" # Ubuntu 21.04 Hirsute Hippo (CO-RE) 8 | # config.vm.box = "ubuntu/impish64" # Ubuntu 21.10 Impish Indri (CO-RE) 9 | config.vm.box = "ubuntu/jammy64" # Ubuntu 22.04 Jammy Jellyfish (CO-RE) 10 | config.vm.box_version = "20220902.0.0" 11 | 12 | # config.ssh.username = "vagrant" 13 | config.ssh.extra_args = ["-t", "cd /vagrant; bash --login"] 14 | 15 | # Forward MkDocs dev server to preview documentation on the host at http://localhost:8000/tracee 16 | # config.vm.network :forwarded_port, guest: 8000, host: 8000 17 | 18 | # Forward MicroK8s dashboard to access it on the host at https://localhost:10443 19 | # 20 | # To access the Kubernetes dashboard from the host, run the following command: 21 | # kubectl port-forward --address 0.0.0.0 -n kube-system service/kubernetes-dashboard 10443:443 22 | # 23 | # To sign in, use the token retrieved with 24 | # token=$(microk8s kubectl -n kube-system get secret | grep default-token | cut -d " " -f1) 25 | # kubectl -n kube-system describe secret $token 26 | # 27 | # TIP: For Google Chrome, you may allow insecure TLS connections at chrome://flags/#allow-insecure-localhost 28 | # config.vm.network :forwarded_port, guest: 10443, host: 10443 29 | 30 | config.vm.provider "virtualbox" do |vb| 31 | vb.gui = false 32 | vb.memory = "2048" 33 | end 34 | 35 | config.vm.provision "shell", path: "init.sh" 36 | config.vm.synced_folder ENV["GOPATH"], "/go_workshop" 37 | 38 | # If a 'Vagrantfile.local' file exists, import any configuration settings 39 | # defined there into here. Vagrantfile.local is ignored in version control, 40 | # so this can be used to add configuration specific to this computer. 41 | if File.exist? 
"Vagrantfile.local" 42 | instance_eval File.read("Vagrantfile.local"), "Vagrantfile.local" 43 | end 44 | end 45 | -------------------------------------------------------------------------------- /18-socket-filter-capture-icmp-traffic-kernel-parse/main.bpf.c: -------------------------------------------------------------------------------- 1 | #include "vmlinux.h" 2 | 3 | #include 4 | #include 5 | #include 6 | #include 7 | #include "common.h" 8 | 9 | #define ETH_P_IP 0x0800 /* Internet Protocol packet */ // ipv4 10 | #define ETH_HLEN 14 /* Total octets in header. */ 11 | 12 | unsigned long long load_byte(void *skb, 13 | unsigned long long off) asm("llvm.bpf.load.byte"); 14 | unsigned long long load_half(void *skb, 15 | unsigned long long off) asm("llvm.bpf.load.half"); 16 | unsigned long long load_word(void *skb, 17 | unsigned long long off) asm("llvm.bpf.load.word"); 18 | 19 | /* BPF ringbuf map */ 20 | struct { 21 | __uint(type, BPF_MAP_TYPE_RINGBUF); 22 | __uint(max_entries, 16 * 1024 /* 16 KB */); 23 | } events SEC(".maps"); 24 | 25 | SEC("socket") 26 | int socket__filter_icmp(struct __sk_buff *skb) 27 | { 28 | // Skip non-IP packets 29 | if (load_half(skb, offsetof(struct ethhdr, h_proto)) != ETH_P_IP) 30 | return 0; 31 | 32 | // Skip non-ICMP packets 33 | if (load_byte(skb, ETH_HLEN + offsetof(struct iphdr, protocol)) != IPPROTO_ICMP) 34 | return 0; 35 | 36 | u32 src_addr = load_word(skb, ETH_HLEN + offsetof(struct iphdr, saddr)); 37 | u32 dst_addr = load_word(skb, ETH_HLEN + offsetof(struct iphdr, daddr)); 38 | u8 type = load_byte(skb, ETH_HLEN + sizeof(struct iphdr) + offsetof(struct icmphdr, type)); 39 | u8 code = load_byte(skb, ETH_HLEN + sizeof(struct iphdr) + offsetof(struct icmphdr, code)); 40 | 41 | struct event_t *event; 42 | event = bpf_ringbuf_reserve(&events, sizeof(*event), 0); 43 | if (!event) { 44 | return 0; 45 | } 46 | 47 | event->src_addr = bpf_ntohl(src_addr); 48 | event->dst_addr = bpf_ntohl(dst_addr); 49 | event->type = type; 50 | 
event->code = code; 51 | 52 | char fmt[] = "ICMP packet: %pI4 -> %pI4 %d"; 53 | bpf_trace_printk(fmt, sizeof(fmt), &event->src_addr, &event->dst_addr, event->type); 54 | bpf_ringbuf_submit(event, 0); 55 | return 0; 56 | } 57 | 58 | char _license[] SEC("license") = "GPL"; 59 | -------------------------------------------------------------------------------- /07-tracepoint-args/cilium-ebpf/main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | import ( 4 | "bytes" 5 | "encoding/binary" 6 | "errors" 7 | "log" 8 | "strconv" 9 | "strings" 10 | 11 | "github.com/cilium/ebpf/link" 12 | "github.com/cilium/ebpf/ringbuf" 13 | "github.com/cilium/ebpf/rlimit" 14 | ) 15 | 16 | // $BPF_CLANG and $BPF_CFLAGS are set by the Makefile 17 | //go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc $BPF_CLANG -cflags $BPF_CFLAGS --type event_t Bpf ../main.bpf.c -- -I../ -I../output 18 | 19 | func main() { 20 | if err := rlimit.RemoveMemlock(); err != nil { 21 | log.Fatal(err) 22 | } 23 | 24 | objs := BpfObjects{} 25 | if err := LoadBpfObjects(&objs, nil); err != nil { 26 | log.Fatal(err) 27 | } 28 | defer objs.Close() 29 | 30 | tp, err := link.Tracepoint("syscalls", "sys_enter_fchmodat", objs.TracepointSyscallsSysEnterFchmodat, nil) 31 | if err != nil { 32 | log.Println(err) 33 | return 34 | } 35 | defer tp.Close() 36 | 37 | reader, err := ringbuf.NewReader(objs.Events) 38 | if err != nil { 39 | log.Println(err) 40 | return 41 | } 42 | defer reader.Close() 43 | 44 | log.Println("Waiting for events...") 45 | 46 | for { 47 | record, err := reader.Read() 48 | if err != nil { 49 | if errors.Is(err, ringbuf.ErrClosed) { 50 | log.Println("Received signal, exiting...") 51 | return 52 | } 53 | log.Printf("reading from reader: %s", err) 54 | continue 55 | } 56 | var event BpfEventT 57 | if err := binary.Read(bytes.NewBuffer(record.RawSample), binary.LittleEndian, &event); err != nil { 58 | log.Printf("parse event: %s", err) 59 | 
continue 60 | } 61 | 62 | // strconv.FormatUint(uint64(e.Mod), 8) 63 | log.Printf(`HostPid: %d, HostPpid: %d, Comm: %s, Mod: %s, File: %s`, 64 | event.HostPid, event.HostPpid, GoString(event.Comm[:]), 65 | strconv.FormatUint(uint64(event.Mode), 8), 66 | GoString(event.Filename[:])) 67 | 68 | } 69 | } 70 | 71 | func GoString(cstring []int8) string { 72 | var bs strings.Builder 73 | 74 | for _, i := range cstring { 75 | b := byte(i) 76 | if b == '\x00' { 77 | break 78 | } 79 | bs.WriteByte(b) 80 | } 81 | 82 | return bs.String() 83 | } 84 | --------------------------------------------------------------------------------