github.com/castai/kvisor@v1.7.1-0.20240516114728-b3572a2607b5/pkg/ebpftracer/c/headers/maps.h (about) 1 #ifndef __MAPS_H__ 2 #define __MAPS_H__ 3 4 #include <vmlinux.h> 5 6 #include <bpf/bpf_helpers.h> 7 8 #include <types.h> 9 10 #define MAX_STACK_ADDRESSES 1024 // max amount of diff stack trace addrs to buffer 11 #define MAX_STACK_DEPTH 20 // max depth of each stack trace to track 12 13 #define BPF_MAP(_name, _type, _key_type, _value_type, _max_entries) \ 14 struct { \ 15 __uint(type, _type); \ 16 __uint(max_entries, _max_entries); \ 17 __type(key, _key_type); \ 18 __type(value, _value_type); \ 19 } _name SEC(".maps"); 20 21 #define BPF_MAP_NO_KEY(_name, _type, _value_type, _max_entries) \ 22 struct { \ 23 __uint(type, _type); \ 24 __uint(max_entries, _max_entries); \ 25 __type(value, _value_type); \ 26 } _name SEC(".maps"); 27 28 #define BPF_HASH(_name, _key_type, _value_type, _max_entries) \ 29 BPF_MAP(_name, BPF_MAP_TYPE_HASH, _key_type, _value_type, _max_entries) 30 31 #define BPF_HASH_OF_MAPS(_name, _key_type, _value_type, _max_entries) \ 32 BPF_MAP(_name, BPF_MAP_TYPE_HASH_OF_MAPS, _key_type, _value_type, _max_entries) 33 34 #define BPF_LRU_HASH(_name, _key_type, _value_type, _max_entries) \ 35 BPF_MAP(_name, BPF_MAP_TYPE_LRU_HASH, _key_type, _value_type, _max_entries) 36 37 #define BPF_ARRAY(_name, _value_type, _max_entries) \ 38 BPF_MAP(_name, BPF_MAP_TYPE_ARRAY, u32, _value_type, _max_entries) 39 40 #define BPF_PERCPU_ARRAY(_name, _value_type, _max_entries) \ 41 BPF_MAP(_name, BPF_MAP_TYPE_PERCPU_ARRAY, u32, _value_type, _max_entries) 42 43 #define BPF_PROG_ARRAY(_name, _max_entries) \ 44 BPF_MAP(_name, BPF_MAP_TYPE_PROG_ARRAY, u32, u32, _max_entries) 45 46 #define BPF_PERF_OUTPUT(_name, _max_entries) \ 47 BPF_MAP(_name, BPF_MAP_TYPE_PERF_EVENT_ARRAY, int, __u32, _max_entries) 48 49 #define BPF_QUEUE(_name, _value_type, _max_entries) \ 50 BPF_MAP_NO_KEY(_name, BPF_MAP_TYPE_QUEUE, _value_type, _max_entries) 51 52 #define BPF_STACK(_name, _value_type, _max_entries) \ 53 BPF_MAP_NO_KEY(_name, BPF_MAP_TYPE_STACK, _value_type, _max_entries) 54 55 // stack traces: the value is 1 big byte array of the stack addresses 56 typedef __u64 stack_trace_t[MAX_STACK_DEPTH]; 57 #define BPF_STACK_TRACE(_name, _max_entries) \ 58 BPF_MAP(_name, BPF_MAP_TYPE_STACK_TRACE, u32, stack_trace_t, _max_entries) 59 60 enum tail_call_id_e { 61 TAIL_VFS_WRITE, 62 TAIL_VFS_WRITEV, 63 TAIL_SEND_BIN, 64 TAIL_SEND_BIN_TP, 65 TAIL_KERNEL_WRITE, 66 TAIL_SCHED_PROCESS_EXEC_EVENT_SUBMIT, 67 TAIL_VFS_READ, 68 TAIL_VFS_READV, 69 TAIL_EXEC_BINPRM1, 70 TAIL_EXEC_BINPRM2, 71 TAIL_HIDDEN_KERNEL_MODULE_PROC, 72 TAIL_HIDDEN_KERNEL_MODULE_KSET, 73 TAIL_HIDDEN_KERNEL_MODULE_MOD_TREE, 74 TAIL_HIDDEN_KERNEL_MODULE_NEW_MOD_ONLY, 75 MAX_TAIL_CALL 76 }; 77 78 // clang-format off 79 80 BPF_HASH(kconfig_map, u32, u32, 10240); // kernel config variables 81 BPF_HASH(containers_map, u32, u8, 10240); // map cgroup id to container status {EXISTED, CREATED, STARTED} 82 BPF_HASH(args_map, u64, args_t, 10240); // persist args between function entry and return 83 BPF_HASH(sys_32_to_64_map, u32, u32, 1024); // map 32bit to 64bit syscalls 84 BPF_LRU_HASH(proc_info_map, u32, proc_info_t, 30720); // holds data for every process 85 BPF_LRU_HASH(task_info_map, u32, task_info_t, 10240); // holds data for every task 86 BPF_HASH(ksymbols_map, ksym_name_t, u64, 1024); // holds the addresses of some kernel symbols 87 BPF_ARRAY(config_map, config_entry_t, 1); // various configurations 88 BPF_ARRAY(file_write_path_filter, path_filter_t, 3); // filter file write captures 89 BPF_ARRAY(file_read_path_filter, path_filter_t, 3); // filter file read captures 90 BPF_ARRAY(file_type_filter, file_type_filter_t, 2); // filter file types 91 BPF_ARRAY(netconfig_map, netconfig_entry_t, 1); // network related configurations 92 BPF_PERCPU_ARRAY(bufs, buf_t, MAX_BUFFERS); // percpu global buffer variables 93 BPF_PROG_ARRAY(prog_array, MAX_TAIL_CALL); // store programs for tail calls 94 BPF_PROG_ARRAY(prog_array_tp, MAX_TAIL_CALL); // store programs for tail calls 95 BPF_PROG_ARRAY(sys_enter_tails, MAX_EVENT_ID); // store syscall specific programs for tail calls from sys_enter 96 BPF_PROG_ARRAY(sys_exit_tails, MAX_EVENT_ID); // store syscall specific programs for tail calls from sys_exit 97 BPF_PROG_ARRAY(sys_enter_submit_tail, MAX_EVENT_ID); // store program for submitting syscalls from sys_enter 98 BPF_PROG_ARRAY(sys_exit_submit_tail, MAX_EVENT_ID); // store program for submitting syscalls from sys_exit 99 BPF_PROG_ARRAY(sys_enter_init_tail, MAX_EVENT_ID); // store program for performing syscall tracking logic in sys_enter 100 BPF_PROG_ARRAY(sys_exit_init_tail, MAX_EVENT_ID); // store program for performing syscall tracking logic in sys_exits 101 BPF_STACK_TRACE(stack_addresses, MAX_STACK_ADDRESSES); // store stack traces 102 BPF_LRU_HASH(fd_arg_path_map, u64, fd_arg_path_t, 1024); // store fds paths by task 103 BPF_LRU_HASH(bpf_attach_map, u32, bpf_used_helpers_t, 1024); // holds bpf prog info 104 BPF_LRU_HASH(bpf_attach_tmp_map, u32, bpf_used_helpers_t, 1024); // temporarily hold bpf_used_helpers_t 105 BPF_LRU_HASH(bpf_prog_load_map, u32, void *, 1024); // store bpf prog aux pointer between bpf_check and security_bpf_prog 106 BPF_PERCPU_ARRAY(event_data_map, event_data_t, 1); // persist event related data 107 BPF_PERCPU_ARRAY(signal_data_map, controlplane_signal_t, 1); // signal scratch map 108 BPF_PERCPU_ARRAY(netflows_data_map, event_data_t, 1); // netflows scratch map 109 BPF_HASH(logs_count, bpf_log_t, bpf_log_count_t, 4096); // logs count 110 BPF_PERCPU_ARRAY(scratch_map, scratch_t, 2); // scratch space to avoid allocating stuff on the stack 111 BPF_LRU_HASH(file_modification_map, file_mod_key_t, int, 10240); // hold file data to decide if should submit file modification event 112 BPF_LRU_HASH(io_file_path_cache_map, file_id_t, path_buf_t, 5); // store cache for IO operations path 113 BPF_LRU_HASH(elf_files_map, file_id_t, bool, 64); // store cache for file ELF type check 114 BPF_HASH(uid_filter, u32, eq_t, 256); // filter events by UID, for specific UIDs either by == or != 115 BPF_HASH(pid_filter, u32, eq_t, 256); // filter events by PID 116 BPF_HASH(mnt_ns_filter, u64, eq_t, 256); // filter events by mount namespace id 117 BPF_HASH(pid_ns_filter, u64, eq_t, 256); // filter events by pid namespace id 118 BPF_HASH(uts_ns_filter, string_filter_t, eq_t, 256); // filter events by uts namespace name 119 BPF_HASH(comm_filter, string_filter_t, eq_t, 256); // filter events by command name 120 BPF_HASH(cgroup_id_filter, u32, eq_t, 256); // filter events by cgroup id 121 BPF_HASH(binary_filter, binary_t, eq_t, 256); // filter events by binary path and mount namespace 122 BPF_HASH(process_tree_map, u32, eq_t, 10240); // filter events by the ancestry of the traced process 123 BPF_HASH(events_map, u32, event_config_t, MAX_EVENT_ID); // map to persist event configuration data 124 BPF_LRU_HASH(syscall_stats_map, syscall_stats_key_t, u64, 65536); // holds syscalls stats per cgroup 125 126 BPF_HASH(oom_info, __u32, __u32, 1024); // marks PIDs as OOM 127 BPF_HASH(ignored_cgroups_map, u64, u64, 10240); // marks cgroup ids as ignored, causing no more events to be emited for actions in those cgroups 128 129 // clang-format on 130 131 BPF_PERF_OUTPUT(logs, 1024); // logs submission 132 BPF_PERF_OUTPUT(events, 8192); // events submission 133 BPF_PERF_OUTPUT(file_writes, 1024); // file writes events submission 134 BPF_PERF_OUTPUT(signals, 1024); // control plane signals submissions 135 136 #endif /* __MAPS_H__ */