1/* Copyright (c) 2013-2015 PLUMgrid, http://plumgrid.com
  2 *
  3 * This program is free software; you can redistribute it and/or
  4 * modify it under the terms of version 2 of the GNU General Public
  5 * License as published by the Free Software Foundation.
  6 */
  7#include <linux/skbuff.h>
  8#include <linux/netdevice.h>
  9#include <linux/version.h>
 10#include <uapi/linux/bpf.h>
 11#include "bpf_helpers.h"
 12
 13struct bpf_map_def SEC("maps") my_map = {
 14	.type = BPF_MAP_TYPE_HASH,
 15	.key_size = sizeof(long),
 16	.value_size = sizeof(long),
 17	.max_entries = 1024,
 18};
 19
 20/* kprobe is NOT a stable ABI. If kernel internals change this bpf+kprobe
 21 * example will no longer be meaningful
 22 */
 23SEC("kprobe/kfree_skb")
 24int bpf_prog2(struct pt_regs *ctx)
 25{
 26	long loc = 0;
 27	long init_val = 1;
 28	long *value;
 29
 30	/* read ip of kfree_skb caller.
 31	 * non-portable version of __builtin_return_address(0)
 32	 */
 33	BPF_KPROBE_READ_RET_IP(loc, ctx);
 34
 35	value = bpf_map_lookup_elem(&my_map, &loc);
 36	if (value)
 37		*value += 1;
 38	else
 39		bpf_map_update_elem(&my_map, &loc, &init_val, BPF_ANY);
 40	return 0;
 41}
 42
 43static unsigned int log2(unsigned int v)
 44{
 45	unsigned int r;
 46	unsigned int shift;
 47
 48	r = (v > 0xFFFF) << 4; v >>= r;
 49	shift = (v > 0xFF) << 3; v >>= shift; r |= shift;
 50	shift = (v > 0xF) << 2; v >>= shift; r |= shift;
 51	shift = (v > 0x3) << 1; v >>= shift; r |= shift;
 52	r |= (v >> 1);
 53	return r;
 54}
 55
 56static unsigned int log2l(unsigned long v)
 57{
 58	unsigned int hi = v >> 32;
 59	if (hi)
 60		return log2(hi) + 32;
 61	else
 62		return log2(v);
 63}
 64
 65struct hist_key {
 66	char comm[16];
 67	u64 pid_tgid;
 68	u64 uid_gid;
 69	u32 index;
 70};
 71
 72struct bpf_map_def SEC("maps") my_hist_map = {
 73	.type = BPF_MAP_TYPE_PERCPU_HASH,
 74	.key_size = sizeof(struct hist_key),
 75	.value_size = sizeof(long),
 76	.max_entries = 1024,
 77};
 78
 79SEC("kprobe/sys_write")
 80int bpf_prog3(struct pt_regs *ctx)
 81{
 82	long write_size = PT_REGS_PARM3(ctx);
 83	long init_val = 1;
 84	long *value;
 85	struct hist_key key = {};
 86
 87	key.index = log2l(write_size);
 88	key.pid_tgid = bpf_get_current_pid_tgid();
 89	key.uid_gid = bpf_get_current_uid_gid();
 90	bpf_get_current_comm(&key.comm, sizeof(key.comm));
 91
 92	value = bpf_map_lookup_elem(&my_hist_map, &key);
 93	if (value)
 94		__sync_fetch_and_add(value, 1);
 95	else
 96		bpf_map_update_elem(&my_hist_map, &key, &init_val, BPF_ANY);
 97	return 0;
 98}
 99char _license[] SEC("license") = "GPL";
100u32 _version SEC("version") = LINUX_VERSION_CODE;

  1/* Copyright (c) 2013-2015 PLUMgrid, http://plumgrid.com
  2 *
  3 * This program is free software; you can redistribute it and/or
  4 * modify it under the terms of version 2 of the GNU General Public
  5 * License as published by the Free Software Foundation.
  6 */
  7#include <linux/skbuff.h>
  8#include <linux/netdevice.h>
  9#include <linux/version.h>
 10#include <uapi/linux/bpf.h>
 11#include "bpf_helpers.h"
 12
 13struct bpf_map_def SEC("maps") my_map = {
 14	.type = BPF_MAP_TYPE_HASH,
 15	.key_size = sizeof(long),
 16	.value_size = sizeof(long),
 17	.max_entries = 1024,
 18};
 19
 20/* kprobe is NOT a stable ABI. If kernel internals change this bpf+kprobe
 21 * example will no longer be meaningful
 22 */
 23SEC("kprobe/kfree_skb")
 24int bpf_prog2(struct pt_regs *ctx)
 25{
 26	long loc = 0;
 27	long init_val = 1;
 28	long *value;
 29
 30	/* read ip of kfree_skb caller.
 31	 * non-portable version of __builtin_return_address(0)
 32	 */
 33	BPF_KPROBE_READ_RET_IP(loc, ctx);
 34
 35	value = bpf_map_lookup_elem(&my_map, &loc);
 36	if (value)
 37		*value += 1;
 38	else
 39		bpf_map_update_elem(&my_map, &loc, &init_val, BPF_ANY);
 40	return 0;
 41}
 42
 43static unsigned int log2(unsigned int v)
 44{
 45	unsigned int r;
 46	unsigned int shift;
 47
 48	r = (v > 0xFFFF) << 4; v >>= r;
 49	shift = (v > 0xFF) << 3; v >>= shift; r |= shift;
 50	shift = (v > 0xF) << 2; v >>= shift; r |= shift;
 51	shift = (v > 0x3) << 1; v >>= shift; r |= shift;
 52	r |= (v >> 1);
 53	return r;
 54}
 55
 56static unsigned int log2l(unsigned long v)
 57{
 58	unsigned int hi = v >> 32;
 59	if (hi)
 60		return log2(hi) + 32;
 61	else
 62		return log2(v);
 63}
 64
 65struct hist_key {
 66	char comm[16];
 67	u64 pid_tgid;
 68	u64 uid_gid;
 69	u64 index;
 70};
 71
 72struct bpf_map_def SEC("maps") my_hist_map = {
 73	.type = BPF_MAP_TYPE_PERCPU_HASH,
 74	.key_size = sizeof(struct hist_key),
 75	.value_size = sizeof(long),
 76	.max_entries = 1024,
 77};
 78
 79SEC("kprobe/sys_write")
 80int bpf_prog3(struct pt_regs *ctx)
 81{
 82	long write_size = PT_REGS_PARM3(ctx);
 83	long init_val = 1;
 84	long *value;
 85	struct hist_key key;
 86
 87	key.index = log2l(write_size);
 88	key.pid_tgid = bpf_get_current_pid_tgid();
 89	key.uid_gid = bpf_get_current_uid_gid();
 90	bpf_get_current_comm(&key.comm, sizeof(key.comm));
 91
 92	value = bpf_map_lookup_elem(&my_hist_map, &key);
 93	if (value)
 94		__sync_fetch_and_add(value, 1);
 95	else
 96		bpf_map_update_elem(&my_hist_map, &key, &init_val, BPF_ANY);
 97	return 0;
 98}
 99char _license[] SEC("license") = "GPL";
100u32 _version SEC("version") = LINUX_VERSION_CODE;