diff --git a/ebpf/c/bpf_bpfeb.go b/ebpf/c/bpf_bpfeb.go index 16952e1..5644d36 100644 --- a/ebpf/c/bpf_bpfeb.go +++ b/ebpf/c/bpf_bpfeb.go @@ -157,11 +157,13 @@ type bpfProgramSpecs struct { SysEnterRecvfrom *ebpf.ProgramSpec `ebpf:"sys_enter_recvfrom"` SysEnterSendto *ebpf.ProgramSpec `ebpf:"sys_enter_sendto"` SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"` + SysEnterWritev *ebpf.ProgramSpec `ebpf:"sys_enter_writev"` SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` SysExitRead *ebpf.ProgramSpec `ebpf:"sys_exit_read"` SysExitRecvfrom *ebpf.ProgramSpec `ebpf:"sys_exit_recvfrom"` SysExitSendto *ebpf.ProgramSpec `ebpf:"sys_exit_sendto"` SysExitWrite *ebpf.ProgramSpec `ebpf:"sys_exit_write"` + SysExitWritev *ebpf.ProgramSpec `ebpf:"sys_exit_writev"` } // bpfMapSpecs contains maps before they are loaded into the kernel. @@ -282,11 +284,13 @@ type bpfPrograms struct { SysEnterRecvfrom *ebpf.Program `ebpf:"sys_enter_recvfrom"` SysEnterSendto *ebpf.Program `ebpf:"sys_enter_sendto"` SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"` + SysEnterWritev *ebpf.Program `ebpf:"sys_enter_writev"` SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` SysExitRead *ebpf.Program `ebpf:"sys_exit_read"` SysExitRecvfrom *ebpf.Program `ebpf:"sys_exit_recvfrom"` SysExitSendto *ebpf.Program `ebpf:"sys_exit_sendto"` SysExitWrite *ebpf.Program `ebpf:"sys_exit_write"` + SysExitWritev *ebpf.Program `ebpf:"sys_exit_writev"` } func (p *bpfPrograms) Close() error { @@ -310,11 +314,13 @@ func (p *bpfPrograms) Close() error { p.SysEnterRecvfrom, p.SysEnterSendto, p.SysEnterWrite, + p.SysEnterWritev, p.SysExitConnect, p.SysExitRead, p.SysExitRecvfrom, p.SysExitSendto, p.SysExitWrite, + p.SysExitWritev, ) } diff --git a/ebpf/c/bpf_bpfeb.o b/ebpf/c/bpf_bpfeb.o index 88a06fb..56a05a2 100644 Binary files a/ebpf/c/bpf_bpfeb.o and b/ebpf/c/bpf_bpfeb.o differ diff --git a/ebpf/c/bpf_bpfel.go b/ebpf/c/bpf_bpfel.go index 89db140..d7789f8 100644 --- a/ebpf/c/bpf_bpfel.go 
+++ b/ebpf/c/bpf_bpfel.go @@ -157,11 +157,13 @@ type bpfProgramSpecs struct { SysEnterRecvfrom *ebpf.ProgramSpec `ebpf:"sys_enter_recvfrom"` SysEnterSendto *ebpf.ProgramSpec `ebpf:"sys_enter_sendto"` SysEnterWrite *ebpf.ProgramSpec `ebpf:"sys_enter_write"` + SysEnterWritev *ebpf.ProgramSpec `ebpf:"sys_enter_writev"` SysExitConnect *ebpf.ProgramSpec `ebpf:"sys_exit_connect"` SysExitRead *ebpf.ProgramSpec `ebpf:"sys_exit_read"` SysExitRecvfrom *ebpf.ProgramSpec `ebpf:"sys_exit_recvfrom"` SysExitSendto *ebpf.ProgramSpec `ebpf:"sys_exit_sendto"` SysExitWrite *ebpf.ProgramSpec `ebpf:"sys_exit_write"` + SysExitWritev *ebpf.ProgramSpec `ebpf:"sys_exit_writev"` } // bpfMapSpecs contains maps before they are loaded into the kernel. @@ -282,11 +284,13 @@ type bpfPrograms struct { SysEnterRecvfrom *ebpf.Program `ebpf:"sys_enter_recvfrom"` SysEnterSendto *ebpf.Program `ebpf:"sys_enter_sendto"` SysEnterWrite *ebpf.Program `ebpf:"sys_enter_write"` + SysEnterWritev *ebpf.Program `ebpf:"sys_enter_writev"` SysExitConnect *ebpf.Program `ebpf:"sys_exit_connect"` SysExitRead *ebpf.Program `ebpf:"sys_exit_read"` SysExitRecvfrom *ebpf.Program `ebpf:"sys_exit_recvfrom"` SysExitSendto *ebpf.Program `ebpf:"sys_exit_sendto"` SysExitWrite *ebpf.Program `ebpf:"sys_exit_write"` + SysExitWritev *ebpf.Program `ebpf:"sys_exit_writev"` } func (p *bpfPrograms) Close() error { @@ -310,11 +314,13 @@ func (p *bpfPrograms) Close() error { p.SysEnterRecvfrom, p.SysEnterSendto, p.SysEnterWrite, + p.SysEnterWritev, p.SysExitConnect, p.SysExitRead, p.SysExitRecvfrom, p.SysExitSendto, p.SysExitWrite, + p.SysExitWritev, ) } diff --git a/ebpf/c/bpf_bpfel.o b/ebpf/c/bpf_bpfel.o index a8b1662..5ad616e 100644 Binary files a/ebpf/c/bpf_bpfel.o and b/ebpf/c/bpf_bpfel.o differ diff --git a/ebpf/c/l7.c b/ebpf/c/l7.c index d97f521..0d8a43d 100644 --- a/ebpf/c/l7.c +++ b/ebpf/c/l7.c 
@@ -858,6 +858,25 @@ int sys_enter_write(struct trace_event_raw_sys_enter_write* ctx) { return process_enter_of_syscalls_write_sendto(ctx, ctx->fd, 0, ctx->buf, ctx->count); } +// SEC("tracepoint/syscalls/sys_enter_writev") +// int sys_enter_writev(struct trace_event_raw_sys_enter_write* ctx) { +// return process_enter_of_syscalls_write_sendto(ctx, ctx->fd, 0, ctx->buf, ctx->count); +// } + + +struct iov { + char* buf; + __u64 size; +}; +SEC("tracepoint/syscalls/sys_enter_writev") +int sys_enter_writev(struct trace_event_raw_sys_enter_writev* ctx) { + struct iov iov0 = {}; + if (bpf_probe_read(&iov0, sizeof(struct iov), (void *)ctx->vec) < 0) { + return 0; + } + return process_enter_of_syscalls_write_sendto(ctx, ctx->fd, 0, iov0.buf, iov0.size); +} + SEC("tracepoint/syscalls/sys_enter_sendto") int sys_enter_sendto(struct trace_event_raw_sys_enter_sendto* ctx) { return process_enter_of_syscalls_write_sendto(ctx, ctx->fd, 0 ,ctx->buff, ctx->len); @@ -868,6 +887,11 @@ int sys_exit_write(struct trace_event_raw_sys_exit_write* ctx) { return process_exit_of_syscalls_write_sendto(ctx, ctx->ret); } +SEC("tracepoint/syscalls/sys_exit_writev") +int sys_exit_writev(struct trace_event_raw_sys_exit_writev* ctx) { + return process_exit_of_syscalls_write_sendto(ctx, ctx->ret); +} + SEC("tracepoint/syscalls/sys_exit_sendto") int sys_exit_sendto(struct trace_event_raw_sys_exit_sendto* ctx) { return process_exit_of_syscalls_write_sendto(ctx, ctx->ret); diff --git a/ebpf/headers/l7_req.h b/ebpf/headers/l7_req.h index 8289623..fdd21a6 100644 --- a/ebpf/headers/l7_req.h +++ b/ebpf/headers/l7_req.h @@ -56,6 +56,12 @@ struct trace_event_raw_sys_exit_sendto { __s64 ret; }; + +struct trace_event_raw_sys_exit_writev { + __u64 unused; + __s32 id; + __s64 ret; +}; struct trace_event_raw_sys_enter_write { struct trace_entry ent; __s32 __syscall_nr; 
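Review bot: In `sys_enter_writev` (ebpf/c/l7.c) only the first vector is copied and `ctx->vlen` is never consulted, so a call with `vlen == 0` still reads a `struct iov` from `ctx->vec`, and any payload carried in later vectors never reaches the L7 parser. The matching `sys_exit_writev` passes `ctx->ret`, which for writev is the byte total across all vectors and can exceed the `iov0.size` recorded at entry; whether `process_exit_of_syscalls_write_sendto` tolerates that is not visible in these hunks. I would add `if (ctx->vlen == 0) return 0;` before the read, plus a comment such as `// only iov[0] is inspected; data in later vectors is not captured`. `ctx->vec` is a user-space pointer, so `bpf_probe_read_user` is the more appropriate helper if the minimum supported kernel provides it. The commented-out first attempt above `struct iov` should be removed rather than committed.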
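Review bot: `trace_event_raw_sys_exit_writev` in ebpf/headers/l7_req.h hides the record's leading bytes behind `__u64 unused`, while the enter structs in the same header spell that position as `struct trace_entry ent`; presumably both stand for the same common tracepoint header, but the declaration does not say so. A comment above the struct would settle it, e.g. `// mirrors the sys_exit_writev tracepoint record: 8-byte common header, syscall nr, return value`. The new block also appears to abut `struct trace_event_raw_sys_enter_write` with no blank line after its closing `};`.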
@@ -64,6 +70,14 @@ struct trace_event_raw_sys_enter_write { __u64 count; }; +struct trace_event_raw_sys_enter_writev { + struct trace_entry ent; + __s32 __syscall_nr; + __u64 fd; + struct iovec * vec; // struct iovec * + __u64 vlen; +}; + // TODO: remove unused fields ? struct trace_event_raw_sys_enter_sendto { struct trace_entry ent; diff --git a/ebpf/l7_req/l7.go b/ebpf/l7_req/l7.go index 873b7d8..afc81df 100644 --- a/ebpf/l7_req/l7.go +++ b/ebpf/l7_req/l7.go @@ -388,6 +388,18 @@ func (l7p *L7Prog) Attach() { log.Logger.Fatal().Err(err).Msg("link sys_exit_write tracepoint") } l7p.links["syscalls/sys_exit_write"] = l7 + + l8, err := link.Tracepoint("syscalls", "sys_enter_writev", c.BpfObjs.SysEnterWritev, nil) + if err != nil { + log.Logger.Fatal().Err(err).Msg("link sys_enter_writev tracepoint") + } + l7p.links["syscalls/sys_enter_writev"] = l8 + + l9, err := link.Tracepoint("syscalls", "sys_exit_writev", c.BpfObjs.SysExitWritev, nil) + if err != nil { + log.Logger.Fatal().Err(err).Msg("link sys_exit_writev tracepoint") + } + l7p.links["syscalls/sys_exit_writev"] = l9 } func (l7p *L7Prog) InitMaps() {
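Review bot: The trailing comment on `struct iovec * vec; // struct iovec *` in `trace_event_raw_sys_enter_writev` only repeats the type and leaves out what a reader needs: that this is a user-space address and that `vlen` counts the entries behind it. I would replace it with `// user-space pointer to an array of vlen iovec entries`. The l7.c side of this commit copies the target into a locally defined `struct iov` rather than `struct iovec`, so the two declarations should either share one type or carry a comment saying they must keep the same layout.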
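Review bot: Both new `link.Tracepoint` calls in `Attach` (ebpf/l7_req/l7.go) end in `log.Logger.Fatal()`, so a host where the writev tracepoints cannot be attached would take the whole agent down, along with the probes linked earlier in the function. That follows the pattern in the context lines, but for an additive probe it may be better to log at error level and continue with reduced coverage. Whether `Fatal` actually exits the process depends on the logger, which is not visible here. The numbered names `l8` and `l9` say nothing about what they hold; `enterWritev` and `exitWritev` would read better next to the `l7p.links` keys. `Attach` begins outside this hunk.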