/* * CGroupTest Demonstrate how to use BPF cgroup API to collect file open event * * Basic example of cgroup and BPF kprobes. * * USAGE: CGroupTest cgroup2_path * * EXAMPLES: * 1. Create a directory under cgroup2 mountpoint: * $ sudo mkdir /sys/fs/cgroup/unified/test * 2. Add current bash into the testing cgroup: * $ sudo echo $$ | sudo tee -a /sys/fs/cgroup/unified/test/cgroup.procs * 3. Open another bash window, and start CGroupTest as: * $ sudo ./examples/cpp/CGroupTest /sys/fs/cgroup/unified/test * 4. Run file open activity from previous bash window should be printed. * * Copyright (c) Jinshan Xiong * Licensed under the Apache License, Version 2.0 (the "License") */ #include #include #include #include #include #include #include "BPF.h" const std::string BPF_PROGRAM = R"( #include #include #include BPF_CGROUP_ARRAY(cgroup, 1); int on_vfs_open(struct pt_regs *ctx, struct path *path) { if (cgroup.check_current_task(0) > 0) bpf_trace_printk("file '%s' was opened!\n", path->dentry->d_name.name); return 0; } )"; int main(int argc, char** argv) { if (argc != 2) { std::cerr << argv[0] << ": requires _one_ cgroup path" << std::endl; return 1; } ebpf::BPF bpf; auto init_res = bpf.init(BPF_PROGRAM); if (init_res.code() != 0) { std::cerr << init_res.msg() << std::endl; return 1; } auto cgroup_array = bpf.get_cgroup_array("cgroup"); auto update_res = cgroup_array.update_value(0, argv[1]); if (update_res.code() != 0) { std::cerr << update_res.msg() << std::endl; return 1; } auto attach_res = bpf.attach_kprobe("vfs_open", "on_vfs_open"); if (attach_res.code() != 0) { std::cerr << attach_res.msg() << std::endl; return 1; } std::ifstream pipe("/sys/kernel/debug/tracing/trace_pipe"); std::string line; std::cout << "Started tracing open event, hit Ctrl-C to terminate." << std::endl; while (std::getline(pipe, line)) std::cout << line << std::endl; auto detach_res = bpf.detach_kprobe("vfs_open"); if (detach_res.code() != 0) { std::cerr << detach_res.msg() << std::endl; return 1; } return 0; }