GOAL: print Hello every time a system call is executed.
CODE:
_kern.c

    #include <linux/bpf.h>
    #include "bpf_helpers.h"

    SEC("tracepoint/syscalls/sys_enter")
    int bpf_sys(struct syscalls_enter_open_args *ctx)
    {
        char fmt[] = "Hello\n";
        bpf_trace_printk(fmt, sizeof(fmt));
        return 0;
    }

    char _license[] SEC("license") = "GPL";

_user.c

    #include <linux/bpf.h>
    #include "libbpf.h"
    #include <unistd.h>
    #include <fcntl.h>

    int main(int ac, char **argv)
    {
        int prog_fd, fd;
        struct bpf_object *obj;

        if (bpf_prog_load("tracesys_kern.o", BPF_PROG_TYPE_TRACEPOINT,
                          &obj, &prog_fd))
            return 1;
        fd = open("mine_user.c", O_RDONLY);
        close(fd);
        //fork();
        return 0;
    }

PROBLEM: when I run the program it just terminates without printing "Hello", even if the open system call is invoked.
QUESTION: what am I missing? I've also tried sys_enter_open instead of sys_enter.

As for other program types, loading a BPF program takes two steps. First there is the actual load (injecting the program from user space to kernel space, where it passes the verifier), that you performed with bpf_prog_load() in your case. Then, the program is to be attached to one of the BPF hooks, here a tracepoint.

In your sample code, your program is loaded, but not attached to the tracepoint just yet. See how bpf_load.c, for example, uses libbpf to load a program and then attaches it to the tracepoint.

I think recent versions of libbpf now provide bpf_program__attach_tracepoint() as a simpler way to attach the program to the tracepoint.

As pchaigno mentioned, you can list the tracepoints available on your system with sudo perf list tracepoint (you may have to install the perf utility).
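
An added example (not part of the original answer, and not code from libbpf or the kernel samples): the attach step done by hand, by opening a perf event for the tracepoint and binding the loaded program to it with the PERF_EVENT_IOC_SET_BPF ioctl. The function names are hypothetical, and the tracefs mount point is passed in by the caller (commonly /sys/kernel/debug/tracing, assumed here).

```c
#define _GNU_SOURCE
#include <linux/perf_event.h>
#include <stdio.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Read a tracepoint id from its tracefs "id" file; returns -1 on error. */
int read_tracepoint_id(const char *id_path)
{
    int id = -1;
    FILE *f = fopen(id_path, "r");
    if (!f)
        return -1;
    if (fscanf(f, "%d", &id) != 1)
        id = -1;
    fclose(f);
    return id;
}

/* Attach a loaded BPF_PROG_TYPE_TRACEPOINT program (prog_fd) to
 * <category>:<name>. Returns the perf event fd, or -1 on error. The program
 * is detached again when that fd is closed or the process exits. */
int attach_tracepoint(int prog_fd, const char *tracefs,
                      const char *category, const char *name)
{
    struct perf_event_attr attr;
    char path[256];
    int id, efd;

    snprintf(path, sizeof(path), "%s/events/%s/%s/id", tracefs, category, name);
    id = read_tracepoint_id(path);
    if (id < 0)
        return -1;  /* tracepoint does not exist on this kernel */
    memset(&attr, 0, sizeof(attr));
    attr.type = PERF_TYPE_TRACEPOINT;
    attr.size = sizeof(attr);
    attr.config = id;
    attr.sample_period = 1;
    attr.wakeup_events = 1;
    efd = syscall(__NR_perf_event_open, &attr, -1 /* pid */, 0 /* cpu */, -1, 0);
    if (efd < 0)
        return -1;
    if (ioctl(efd, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0 ||
        ioctl(efd, PERF_EVENT_IOC_ENABLE, 0) < 0) {
        close(efd);
        return -1;
    }
    return efd;
}
```

Call it after bpf_prog_load() succeeds, for example attach_tracepoint(prog_fd, "/sys/kernel/debug/tracing", "syscalls", "sys_enter_open"), and keep the process alive while tracing. bpf_trace_printk() output appears in the trace_pipe file under the tracefs mount, not on the program's stdout.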