This patch should be applied on iovisor/bcc.
Signed-off-by: Francis Laniel <flaniel@xxxxxxxxxxxxxxxxxxx>
---
 libbpf-tools/Makefile | 1 +
 libbpf-tools/toy.bpf.c | 32 ++++++++++++++++++++
 libbpf-tools/toy.c | 67 ++++++++++++++++++++++++++++++++++++++++++
 libbpf-tools/toy.h | 4 +++
 4 files changed, 104 insertions(+)
 create mode 100644 libbpf-tools/toy.bpf.c
 create mode 100644 libbpf-tools/toy.c
 create mode 100644 libbpf-tools/toy.h
diff --git a/libbpf-tools/Makefile b/libbpf-tools/Makefile
index c3bbac27..904e7712 100644
--- a/libbpf-tools/Makefile
+++ b/libbpf-tools/Makefile
@@ -62,6 +62,7 @@ APPS = \
 tcplife \
 tcprtt \
 tcpsynbl \
+ toy \
 vfsstat \
 #
 
diff --git a/libbpf-tools/toy.bpf.c b/libbpf-tools/toy.bpf.c
new file mode 100644
index 00000000..b6b8f92b
--- /dev/null
+++ b/libbpf-tools/toy.bpf.c
@@ -0,0 +1,32 @@
+#include <linux/types.h>
+#include <bpf/bpf_helpers.h>
+#include <linux/bpf.h>
+#include "toy.h"
+
+
+struct {
+ __uint(type, BPF_MAP_TYPE_RINGBUF);
+ __uint(max_entries, 4096);
+ __uint(map_flags, 1U << 13);
+} buffer SEC(".maps");
+
+static __u32 count = 0;
+
+SEC("tracepoint/syscalls/sys_enter_execve")
+int sys_enter_execve(void) {
+ count++;
+ struct event *event = bpf_ringbuf_reserve(&buffer, sizeof(struct event), 0);
+ if (!event) {
+ return 1;
+ }
+
+ event->count = count;
+ bpf_ringbuf_submit(event, 0);
+
+ bpf_printk("addr: %p; count: %u\n", event, count);
+ bpf_printk("available: %lu; cons pos: %lu; prod pos: %lu\n", bpf_ringbuf_query(&buffer, 0), bpf_ringbuf_query(&buffer, BPF_RB_CONS_POS), bpf_ringbuf_query(&buffer, BPF_RB_PROD_POS));
+
+ return 0;
+}
+
+char _license[] SEC("license") = "GPL";
\ No newline at end of file
diff --git a/libbpf-tools/toy.c b/libbpf-tools/toy.c
new file mode 100644
index 00000000..7e4f7fdf
--- /dev/null
+++ b/libbpf-tools/toy.c
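Review bot: `count++` in `sys_enter_execve` (toy.bpf.c) is a plain read-modify-write on a global shared by every CPU that runs the tracepoint, so concurrent execve calls can lose increments or publish duplicate values, and `event->count = count` re-reads the global instead of using the value this invocation produced. Where the target supports fetching atomics, take the value once with `__u32 seq = __sync_fetch_and_add(&count, 1) + 1;` and store `seq` in the record; otherwise at least make the increment itself atomic. The first `bpf_printk` also passes `event` after `bpf_ringbuf_submit()` has released it, so moving that trace line above the submit avoids depending on how the verifier treats a released reference. `1U << 13` in `map_flags` is an unnamed magic value and should be a named constant or carry a comment saying which flag is meant.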
@@ -0,0 +1,67 @@
+#include <bpf/libbpf.h>
+#include <stdio.h>
+#include <unistd.h>
+#include "toy.h"
+#include "toy.skel.h"
+#include "btf_helpers.h"
+
+
+static int buf_process_sample(void *ctx, void *data, size_t len) {
+ struct event *evt = (struct event *)data;
+ printf("%d\n", evt->count);
+
+ return 0;
+}
+
+int main(void) {
+ LIBBPF_OPTS(bpf_object_open_opts, open_opts);
+ int buffer_map_fd = -1;
+ struct toy_bpf *obj;
+ int err;
+
+ libbpf_set_strict_mode(LIBBPF_STRICT_ALL);
+
+ err = ensure_core_btf(&open_opts);
+ if (err) {
+ fprintf(stderr, "failed to fetch necessary BTF for CO-RE: %s\n", strerror(-err));
+ return 1;
+ }
+
+ obj = toy_bpf__open_opts(&open_opts);
+ if (!obj) {
+ fprintf(stderr, "failed to open BPF object\n");
+ return 1;
+ }
+
+ err = toy_bpf__load(obj);
+ if (err) {
+ fprintf(stderr, "failed to load BPF object: %d\n", err);
+ return 1;
+ }
+
+ struct ring_buffer *ring_buffer;
+
+ buffer_map_fd = bpf_object__find_map_fd_by_name(obj->obj, "buffer");
+ ring_buffer = ring_buffer__new(buffer_map_fd, buf_process_sample, NULL, NULL);
+
+ if(!ring_buffer) {
+ fprintf(stderr, "failed to create ring buffer\n");
+ return 1;
+ }
+
+ err = toy_bpf__attach(obj);
+ if (err) {
+ fprintf(stderr, "failed to attach BPF programs\n");
+ return 1;
+ }
+
+ puts("Press any key to begin consuming!");
+ getchar();
+
+ while(1) {
+ ring_buffer__consume(ring_buffer);
+ sleep(1);
+ }
+
+ return 0;
+}
diff --git a/libbpf-tools/toy.h b/libbpf-tools/toy.h
new file mode 100644
index 00000000..36998170
--- /dev/null
+++ b/libbpf-tools/toy.h
@@ -0,0 +1,4 @@
+struct event {
+ __u32 count;
+ char filler[4096 / 8 - sizeof(__u32)];
+};
\ No newline at end of file
--
2.25.1
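Review bot: Every failure path in `main` (toy.c) after `toy_bpf__open_opts()` returns without releasing the skeleton or the ring buffer, `buffer_map_fd` is handed to `ring_buffer__new()` without a check for a negative value, and the loop discards the return of `ring_buffer__consume()`, so an error there is retried forever. A single cleanup label, sketched below, covers all three. In `buf_process_sample` the sample is cast without looking at `len`; `if (len < sizeof(*evt)) return 0;` before the cast keeps a short record from being read past its end, and since `count` is a `__u32` the format should be `%u`. `strerror()` is called with no `<string.h>` among the visible includes, which presumably only builds through a transitive include.

```c
	int err;
	struct ring_buffer *ring_buffer = NULL; /* declared up front so cleanup can free it */

	/* … unchanged: strict mode, ensure_core_btf, toy_bpf__open_opts … */

	err = toy_bpf__load(obj);
	if (err) {
		fprintf(stderr, "failed to load BPF object: %d\n", err);
		goto cleanup;
	}

	buffer_map_fd = bpf_object__find_map_fd_by_name(obj->obj, "buffer");
	if (buffer_map_fd < 0) {
		fprintf(stderr, "failed to find ring buffer map: %d\n", buffer_map_fd);
		err = buffer_map_fd;
		goto cleanup;
	}

	ring_buffer = ring_buffer__new(buffer_map_fd, buf_process_sample, NULL, NULL);
	if (!ring_buffer) {
		fprintf(stderr, "failed to create ring buffer\n");
		err = -1;
		goto cleanup;
	}

	/* … unchanged: toy_bpf__attach (with goto cleanup on error), prompt … */

	while (1) {
		err = ring_buffer__consume(ring_buffer);
		if (err < 0) {
			fprintf(stderr, "failed to consume ring buffer: %d\n", err);
			break;
		}
		sleep(1);
	}

cleanup:
	ring_buffer__free(ring_buffer);
	toy_bpf__destroy(obj);
	cleanup_core_btf(&open_opts);
	return err != 0;
```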
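Review bot: `toy.h` has no include guard and uses `__u32` without including a header that defines it, so it only compiles when the includer has already pulled in the kernel types, as `toy.bpf.c` does explicitly and `toy.c` presumably does through `<bpf/libbpf.h>`. Wrap the struct in `#ifndef __TOY_H` / `#define __TOY_H` / `#endif` and include `<linux/types.h>` inside the guard. The `4096 / 8` in `filler` repeats the ring size set by `max_entries` in `toy.bpf.c`; a comment such as `/* pad each record to 1/8 of the 4096-byte ring */` would keep the two values from drifting apart silently.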