aya/bpf/aya-bpf-macros/src/lib.rs

mod expand;

use expand::{
    Args, BtfTracePoint, Lsm, Map, PerfEvent, Probe, ProbeKind, RawTracePoint, SchedClassifier,
    SkMsg, SockOps, TracePoint, Xdp,
};
use proc_macro::TokenStream;
use syn::{parse_macro_input, ItemFn, ItemStatic};

use crate::expand::CgroupSkb;

#[proc_macro_attribute]
pub fn map(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemStatic);

    Map::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn kprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {
    probe(ProbeKind::KProbe, attrs, item)
}

#[proc_macro_attribute]
pub fn kretprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {
    probe(ProbeKind::KRetProbe, attrs, item)
}

#[proc_macro_attribute]
pub fn uprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {
    probe(ProbeKind::UProbe, attrs, item)
}

#[proc_macro_attribute]
pub fn uretprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {
    probe(ProbeKind::URetProbe, attrs, item)
}

#[proc_macro_attribute]
pub fn sock_ops(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    SockOps::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn sk_msg(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    SkMsg::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn xdp(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    Xdp::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn classifier(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    SchedClassifier::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn cgroup_skb(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    CgroupSkb::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

fn probe(kind: ProbeKind, attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    Probe::from_syn(kind, args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    TracePoint::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

#[proc_macro_attribute]
pub fn perf_event(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    PerfEvent::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

/// Marks a function as a raw tracepoint eBPF program that can be attached at a
/// pre-defined kernel trace point.
///
/// The kernel provides a set of pre-defined trace points that eBPF programs can
/// be attached to. See `/sys/kernel/debug/tracing/events` for a list of which
/// events can be traced.
///
/// # Minimum kernel version
///
/// The minimum kernel version required to use this feature is 4.7.
///
/// # Examples
///
/// ```no_run
/// use aya_bpf::{macros::raw_tracepoint, programs::RawTracePointContext};
///
/// #[raw_tracepoint(name = "sys_enter")]
/// pub fn sys_enter(ctx: RawTracePointContext) -> i32 {
///     match unsafe { try_sys_enter(ctx) } {
///         Ok(ret) => ret,
///         Err(ret) => ret,
///     }
/// }
///
/// unsafe fn try_sys_enter(_ctx: RawTracePointContext) -> Result<i32, i32> {
///     Ok(0)
/// }
/// ```
#[proc_macro_attribute]
pub fn raw_tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    RawTracePoint::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

/// Marks a function as an LSM program that can be attached to Linux LSM hooks.
/// Used to implement security policy and audit logging.
///
/// LSM probes can be attached to the kernel's [security hooks][1] to implement mandatory
/// access control policy and security auditing.
///
/// LSM probes require a kernel compiled with `CONFIG_BPF_LSM=y` and `CONFIG_DEBUG_INFO_BTF=y`.
/// In order for the probes to fire, you also need the BPF LSM to be enabled through your
/// kernel's boot paramters (like `lsm=lockdown,yama,bpf`).
///
/// # Minimum kernel version
///
/// The minimum kernel version required to use this feature is 5.7.
///
/// # Examples
///
/// ```no_run
/// use aya_bpf::{macros::lsm, programs::LsmContext};
///
/// #[lsm(name = "file_open")]
/// pub fn file_open(ctx: LsmContext) -> i32 {
///     match unsafe { try_file_open(ctx) } {
///         Ok(ret) => ret,
///         Err(ret) => ret,
///     }
/// }
///
/// unsafe fn try_file_open(_ctx: LsmContext) -> Result<i32, i32> {
///     Ok(0)
/// }
/// ```
#[proc_macro_attribute]
pub fn lsm(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    Lsm::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}

/// Marks a function as a [BTF-enabled raw tracepoint][1] eBPF program that can be attached at
/// a pre-defined kernel trace point.
///
/// The kernel provides a set of pre-defined trace points that eBPF programs can
/// be attached to. See `/sys/kernel/debug/tracing/events` for a list of which
/// events can be traced.
///
/// # Minimum kernel version
///
/// The minimum kernel version required to use this feature is 5.5.
///
/// # Examples
///
/// ```no_run
/// use aya_bpf::{macros::btf_tracepoint, programs::BtfTracePointContext};
///
/// #[btf_tracepoint(name = "sched_process_fork")]
/// pub fn sched_process_fork(ctx: BtfTracePointContext) -> u32 {
///     match unsafe { try_sched_process_fork(ctx) } {
///         Ok(ret) => ret,
///         Err(ret) => ret,
///     }
/// }
///
/// unsafe fn try_sched_process_fork(_ctx: BtfTracePointContext) -> Result<u32, u32> {
///     Ok(0)
/// }
/// ```
///
/// [1]: https://github.com/torvalds/linux/commit/9e15db66136a14cde3f35691f1d839d950118826
#[proc_macro_attribute]
pub fn btf_tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {
    let args = parse_macro_input!(attrs as Args);
    let item = parse_macro_input!(item as ItemFn);

    BtfTracePoint::from_syn(args, item)
        .and_then(|u| u.expand())
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
}
bpf: initial bpf bindings 4 years ago			`mod expand;`

Add support for PerfEvent programs. 3 years ago			`use expand::{`
aya/aya-bpf: implement btf tracepoint programs 3 years ago			`Args, BtfTracePoint, Lsm, Map, PerfEvent, Probe, ProbeKind, RawTracePoint, SchedClassifier,`
			`SkMsg, SockOps, TracePoint, Xdp,`
Add support for PerfEvent programs. 3 years ago			`};`
bpf: initial bpf bindings 4 years ago			`use proc_macro::TokenStream;`
			`use syn::{parse_macro_input, ItemFn, ItemStatic};`

bpf: add support for BPF_PROG_TYPE_CGROUP_SKB programs Example: fn cgroup_skb_egress(skb: SkSkbContext) -> i32 { // allow data to go through 1 } 3 years ago			`use crate::expand::CgroupSkb;`

bpf: initial bpf bindings 4 years ago			`#[proc_macro_attribute]`
			`pub fn map(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemStatic);`

			`Map::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

			`#[proc_macro_attribute]`
			`pub fn kprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`probe(ProbeKind::KProbe, attrs, item)`
			`}`

			`#[proc_macro_attribute]`
			`pub fn kretprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`probe(ProbeKind::KRetProbe, attrs, item)`
			`}`

			`#[proc_macro_attribute]`
			`pub fn uprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`probe(ProbeKind::UProbe, attrs, item)`
			`}`

			`#[proc_macro_attribute]`
			`pub fn uretprobe(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`probe(ProbeKind::URetProbe, attrs, item)`
			`}`

bpf: add more bindings Initial support for Array, HashMap and SockHash maps, and for SkSkb, SkMsg, SockOps and XDP programs. 4 years ago			`#[proc_macro_attribute]`
			`pub fn sock_ops(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`SockOps::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

			`#[proc_macro_attribute]`
			`pub fn sk_msg(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`SkMsg::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

			`#[proc_macro_attribute]`
			`pub fn xdp(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`Xdp::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

bpf: add support for BPF_PROG_TYPE_SCHED_CLS programs 4 years ago			`#[proc_macro_attribute]`
			`pub fn classifier(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`SchedClassifier::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

bpf: add support for BPF_PROG_TYPE_CGROUP_SKB programs Example: fn cgroup_skb_egress(skb: SkSkbContext) -> i32 { // allow data to go through 1 } 3 years ago			`#[proc_macro_attribute]`
			`pub fn cgroup_skb(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`CgroupSkb::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

bpf: initial bpf bindings 4 years ago			`fn probe(kind: ProbeKind, attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`Probe::from_syn(kind, args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`
bpf: add support for tracepoint program (#29) This patch add initial support for tracepoint program type. Hope you enjoy. Signed-off-by: Tw <wei.tan@intel.com> 3 years ago
			`#[proc_macro_attribute]`
			`pub fn tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`TracePoint::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`
Add support for PerfEvent programs. 3 years ago
			`#[proc_macro_attribute]`
			`pub fn perf_event(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`PerfEvent::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`
Add support for raw tracepoint and LSM programs This change adds support for the following program types: * raw tracepoint * LSM Supporting LSM programs involved a necessity of supporting more load_attrs for the BPF_PROG_LOAD operation, concretely: * expected_attach_type - for LSM programs, it has always to be set to BPF_LSM_MAC * attach_btf_obj_fd - it's often used to reference the file descriptor of program's BTF info, altough in case of LSM programs, it only has to contain the value 0, which means the vmlinux object file (usually /sys/kernel/btf/vmlinux) * attach_btf_id - ID of the BTF object, which in case of LSM programs is the ID of the function (the LSM hook) The example of LSM program using that functionality can be found here: https://github.com/vadorovsky/aya-example-lsm Fixes: #9 Signed-off-by: William Findlay <william@williamfindlay.com> Signed-off-by: Michal Rostecki <mrostecki@opensuse.org> 3 years ago
			`/// Marks a function as a raw tracepoint eBPF program that can be attached at a`
			`/// pre-defined kernel trace point.`
			`///`
			`/// The kernel provides a set of pre-defined trace points that eBPF programs can`
			/// be attached to. See `/sys/kernel/debug/tracing/events` for a list of which
			`/// events can be traced.`
			`///`
			`/// # Minimum kernel version`
			`///`
			`/// The minimum kernel version required to use this feature is 4.7.`
			`///`
			`/// # Examples`
			`///`
			/// ```no_run
			`/// use aya_bpf::{macros::raw_tracepoint, programs::RawTracePointContext};`
			`///`
			`/// #[raw_tracepoint(name = "sys_enter")]`
			`/// pub fn sys_enter(ctx: RawTracePointContext) -> i32 {`
			`/// match unsafe { try_sys_enter(ctx) } {`
			`/// Ok(ret) => ret,`
			`/// Err(ret) => ret,`
			`/// }`
			`/// }`
			`///`
			`/// unsafe fn try_sys_enter(_ctx: RawTracePointContext) -> Result<i32, i32> {`
			`/// Ok(0)`
			`/// }`
			/// ```
			`#[proc_macro_attribute]`
			`pub fn raw_tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`RawTracePoint::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`

			`/// Marks a function as an LSM program that can be attached to Linux LSM hooks.`
			`/// Used to implement security policy and audit logging.`
			`///`
			`/// LSM probes can be attached to the kernel's [security hooks][1] to implement mandatory`
			`/// access control policy and security auditing.`
			`///`
			/// LSM probes require a kernel compiled with `CONFIG_BPF_LSM=y` and `CONFIG_DEBUG_INFO_BTF=y`.
			`/// In order for the probes to fire, you also need the BPF LSM to be enabled through your`
			/// kernel's boot paramters (like `lsm=lockdown,yama,bpf`).
			`///`
			`/// # Minimum kernel version`
			`///`
			`/// The minimum kernel version required to use this feature is 5.7.`
			`///`
			`/// # Examples`
			`///`
			/// ```no_run
			`/// use aya_bpf::{macros::lsm, programs::LsmContext};`
			`///`
			`/// #[lsm(name = "file_open")]`
			`/// pub fn file_open(ctx: LsmContext) -> i32 {`
			`/// match unsafe { try_file_open(ctx) } {`
			`/// Ok(ret) => ret,`
			`/// Err(ret) => ret,`
			`/// }`
			`/// }`
			`///`
			`/// unsafe fn try_file_open(_ctx: LsmContext) -> Result<i32, i32> {`
			`/// Ok(0)`
			`/// }`
			/// ```
			`#[proc_macro_attribute]`
			`pub fn lsm(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`Lsm::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`
aya/aya-bpf: implement btf tracepoint programs 3 years ago
			`/// Marks a function as a [BTF-enabled raw tracepoint][1] eBPF program that can be attached at`
			`/// a pre-defined kernel trace point.`
			`///`
			`/// The kernel provides a set of pre-defined trace points that eBPF programs can`
			/// be attached to. See `/sys/kernel/debug/tracing/events` for a list of which
			`/// events can be traced.`
			`///`
			`/// # Minimum kernel version`
			`///`
			`/// The minimum kernel version required to use this feature is 5.5.`
			`///`
			`/// # Examples`
			`///`
			/// ```no_run
			`/// use aya_bpf::{macros::btf_tracepoint, programs::BtfTracePointContext};`
			`///`
			`/// #[btf_tracepoint(name = "sched_process_fork")]`
			`/// pub fn sched_process_fork(ctx: BtfTracePointContext) -> u32 {`
			`/// match unsafe { try_sched_process_fork(ctx) } {`
			`/// Ok(ret) => ret,`
			`/// Err(ret) => ret,`
			`/// }`
			`/// }`
			`///`
			`/// unsafe fn try_sched_process_fork(_ctx: BtfTracePointContext) -> Result<u32, u32> {`
			`/// Ok(0)`
			`/// }`
			/// ```
			`///`
			`/// [1]: https://github.com/torvalds/linux/commit/9e15db66136a14cde3f35691f1d839d950118826`
			`#[proc_macro_attribute]`
			`pub fn btf_tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {`
			`let args = parse_macro_input!(attrs as Args);`
			`let item = parse_macro_input!(item as ItemFn);`

			`BtfTracePoint::from_syn(args, item)`
			`.and_then(\|u\| u.expand())`
			`.unwrap_or_else(\|err\| err.to_compile_error())`
			`.into()`
			`}`