github.com/dylandreimerink/gobpfld@v0.6.1-0.20220205171531-e79c330ad608/cmd/examples/kprobe_execve_stats/bpf/tracex1_kern.c (about)

     1  #include "vmlinux.h"
     2  
/*
 * bpf_map_lookup_elem - look up the entry stored under *key* in *map*.
 *
 * This is a helper stub, not a real function pointer: the constant 1 is the
 * helper's ID, and a call through this pointer is compiled to a BPF helper
 * call with that ID.
 *
 * Returns a pointer to the map value associated with *key*, or NULL if no
 * entry was found. The result must be NULL-checked before it is dereferenced;
 * the in-kernel verifier rejects programs that skip the check.
 */
static void *(*bpf_map_lookup_elem)(void *map, const void *key) =
	(void *)1;
    13  
/*
 * Map description emitted into the object file's "maps" section.
 *
 * NOTE(review): presumably parsed by the loader straight from the ELF
 * section, so field order and width are a binary contract; confirm against
 * the loader before adding or reordering members.
 */
struct bpf_map_def {
	unsigned int type;        /* map type, e.g. BPF_MAP_TYPE_ARRAY */
	unsigned int key_size;    /* size of a key, in bytes */
	unsigned int value_size;  /* size of a value, in bytes */
	unsigned int max_entries; /* number of entries the map can hold */
	unsigned int map_flags;   /* creation flags; zero when left unset */
};
    21  
/*
 * Place a symbol in the named ELF section and mark it "used" so the compiler
 * keeps it even though nothing in this translation unit references it.
 */
#define SEC(name) __attribute__((section(name), used))

/*
 * Atomic add on a value shared between CPUs.
 *
 * LLVM lowers __sync_fetch_and_add() to the BPF atomic add instruction
 * (BPF_STX | BPF_XADD | BPF_W for 32-bit operands; a 64-bit operand such as
 * a __u64 counter uses the BPF_DW form instead). The result is cast to void
 * because the macro is used for its side effect only.
 */
#ifndef lock_xadd
#define lock_xadd(ptr, val) ((void)__sync_fetch_and_add((ptr), (val)))
#endif
    30  
/*
 * Single-slot array map holding the running execve count:
 * key 0 (__u32) -> counter (__u64).
 *
 * map_flags is not listed and is therefore zero-initialised.
 * NOTE(review): presumably the example's user-space side reads slot 0 to
 * report the statistic; confirm against the Go program.
 */
struct bpf_map_def SEC("maps") execve_stats = {
	.type = BPF_MAP_TYPE_ARRAY,
	.key_size = sizeof(__u32),
	.value_size = sizeof(__u64),
	.max_entries = 1,
};
    37  
/*
 * Count entries into the x86-64 execve syscall handler.
 *
 * The section name asks the loader to attach this program as a kprobe on
 * __x64_sys_execve. kprobe is NOT a stable ABI: kernel functions can be
 * removed, renamed or completely change semantics, and the number and
 * position of their arguments can change. The symbol is also architecture
 * specific. A failed attachment therefore means "no data", not "no
 * executions".
 *
 * Coverage caveats when the counter is used for monitoring:
 *  - the probe fires on entry, so execve calls that later fail are counted;
 *  - execveat(2) and 32-bit compat entry points are separate kernel
 *    functions and are not counted by this probe.
 *
 * ctx is unused. Always returns 0.
 */
SEC("kprobe/__x64_sys_execve")
int bpf_prog1(struct pt_regs *ctx)
{
	__u32 slot = 0;
	__u64 *hits = bpf_map_lookup_elem(&execve_stats, &slot);

	/* The NULL check is mandatory before the pointer is dereferenced. */
	if (hits)
		lock_xadd(hits, 1); /* atomic: the probe can run on several CPUs at once */

	return 0;
}
    56  
/*
 * License string placed in the "license" section of the object file.
 * NOTE(review): the loader is expected to pass this to the kernel at program
 * load time, where it gates access to GPL-only helpers; confirm against the
 * loader.
 */
char _license[] SEC("license") = "GPL";