Merge pull request #85 from willfindlay/tp_btf

aya/aya-bpf: implement btf tracepoint programs
3 years ago · 17b730c717
parent c4b6970774 6b6d4af932
commit 17b730c717
9 changed files with 241 additions and 9 deletions
--- a/aya/src/bpf.rs
+++ b/aya/src/bpf.rs
@ -20,9 +20,9 @@ use crate::{
        Object, ParseError, ProgramSection,
    },
    programs::{
-        CgroupSkb, CgroupSkbAttachType, KProbe, LircMode2, Lsm, PerfEvent, ProbeKind, Program,
-        ProgramData, ProgramError, RawTracePoint, SchedClassifier, SkMsg, SkSkb, SkSkbKind,
-        SockOps, SocketFilter, TracePoint, UProbe, Xdp,
+        BtfTracePoint, CgroupSkb, CgroupSkbAttachType, KProbe, LircMode2, Lsm, PerfEvent,
+        ProbeKind, Program, ProgramData, ProgramError, RawTracePoint, SchedClassifier, SkMsg,
+        SkSkb, SkSkbKind, SockOps, SocketFilter, TracePoint, UProbe, Xdp,
    },
    sys::bpf_map_update_elem_ptr,
    util::{possible_cpus, POSSIBLE_CPUS},
@ -306,6 +306,9 @@ impl<'a> BpfLoader<'a> {
                        Program::RawTracePoint(RawTracePoint { data })
                    }
                    ProgramSection::Lsm { .. } => Program::Lsm(Lsm { data }),
+                    ProgramSection::BtfTracePoint { .. } => {
+                        Program::BtfTracePoint(BtfTracePoint { data })
+                    }
                };

                (name, program)
--- a/aya/src/obj/mod.rs
+++ b/aya/src/obj/mod.rs
@ -87,6 +87,7 @@ pub enum ProgramSection {
    PerfEvent { name: String },
    RawTracePoint { name: String },
    Lsm { name: String },
+    BtfTracePoint { name: String },
 }

 impl ProgramSection {
@ -110,6 +111,7 @@ impl ProgramSection {
            ProgramSection::PerfEvent { name } => name,
            ProgramSection::RawTracePoint { name } => name,
            ProgramSection::Lsm { name } => name,
+            ProgramSection::BtfTracePoint { name } => name,
        }
    }
 }
@ -135,6 +137,7 @@ impl FromStr for ProgramSection {
            "uprobe" => UProbe { name },
            "uretprobe" => URetProbe { name },
            "xdp" => Xdp { name },
+            "tp_btf" => BtfTracePoint { name },
            _ if kind.starts_with("tracepoint") || kind.starts_with("tp") => {
                // tracepoint sections are named `tracepoint/category/event_name`,
                // and we want to parse the name as "category/event_name"
@ -579,6 +582,7 @@ fn is_program_section(name: &str) -> bool {
        "raw_tp",
        "raw_tracepoint",
        "lsm",
+        "tp_btf",
    ] {
        if name.starts_with(prefix) {
            return true;
@ -1046,4 +1050,21 @@ mod tests {
            })
        );
    }
+
+    #[test]
+    fn test_parse_section_btf_tracepoint() {
+        let mut obj = fake_obj();
+
+        assert_matches!(
+            obj.parse_section(fake_section("tp_btf/foo", bytes_of(&fake_ins()))),
+            Ok(())
+        );
+        assert_matches!(
+            obj.programs.get("foo"),
+            Some(Program {
+                section: ProgramSection::BtfTracePoint { .. },
+                ..
+            })
+        );
+    }
 }
--- a/aya/src/programs/lsm.rs
+++ b/aya/src/programs/lsm.rs
@ -32,16 +32,19 @@ use crate::{
 /// #     #[error(transparent)]
 /// #     LsmLoad(#[from] aya::programs::LsmLoadError),
 /// #     #[error(transparent)]
+/// #     BtfError(#[from] aya::BtfError),
+/// #     #[error(transparent)]
 /// #     Program(#[from] aya::programs::ProgramError),
 /// #     #[error(transparent)]
 /// #     Bpf(#[from] aya::BpfError),
 /// # }
 /// # let mut bpf = Bpf::load_file("ebpf_programs.o")?;
-/// use aya::{Bpf, programs::Lsm};
+/// use aya::{Bpf, programs::Lsm, BtfError, Btf};
 /// use std::convert::TryInto;
 ///
+/// let btf = Btf::from_sys_fs()?;
 /// let program: &mut Lsm = bpf.program_mut("lsm_prog")?.try_into()?;
-/// program.load("security_bprm_exec")?;
+/// program.load("security_bprm_exec", &btf)?;
 /// program.attach()?;
 /// # Ok::<(), LsmError>(())
 /// ```
@ -72,8 +75,7 @@ impl Lsm {
    ///
    /// * `lsm_hook_name` - full name of the LSM hook that the program should
    ///   be attached to
-    pub fn load(&mut self, lsm_hook_name: &str) -> Result<(), LsmLoadError> {
-        let btf = &Btf::from_sys_fs()?;
+    pub fn load(&mut self, lsm_hook_name: &str, btf: &Btf) -> Result<(), LsmLoadError> {
        self.data.expected_attach_type = Some(BPF_LSM_MAC);
        let type_name = format!("bpf_lsm_{}", lsm_hook_name);
        self.data.attach_btf_id =
--- a/aya/src/programs/mod.rs
+++ b/aya/src/programs/mod.rs
@ -49,6 +49,7 @@ mod sk_skb;
 mod sock_ops;
 mod socket_filter;
 pub mod tc;
+mod tp_btf;
 mod trace_point;
 mod uprobe;
 mod xdp;
@ -79,6 +80,7 @@ pub use sk_skb::{SkSkb, SkSkbKind};
 pub use sock_ops::SockOps;
 pub use socket_filter::{SocketFilter, SocketFilterError};
 pub use tc::{SchedClassifier, TcAttachType, TcError};
+pub use tp_btf::{BtfTracePoint, BtfTracePointError};
 pub use trace_point::{TracePoint, TracePointError};
 pub use uprobe::{UProbe, UProbeError};
 pub use xdp::{Xdp, XdpError, XdpFlags};
@ -171,6 +173,10 @@ pub enum ProgramError {
    /// An error occurred while working with a TC program.
    #[error(transparent)]
    TcError(#[from] TcError),
+
+    /// An error occurred while working with a BTF raw tracepoint program.
+    #[error(transparent)]
+    BtfTracePointError(#[from] BtfTracePointError),
 }

 pub trait ProgramFd {
@ -194,6 +200,7 @@ pub enum Program {
    PerfEvent(PerfEvent),
    RawTracePoint(RawTracePoint),
    Lsm(Lsm),
+    BtfTracePoint(BtfTracePoint),
 }

 impl Program {
@ -229,6 +236,7 @@ impl Program {
            Program::PerfEvent(_) => BPF_PROG_TYPE_PERF_EVENT,
            Program::RawTracePoint(_) => BPF_PROG_TYPE_RAW_TRACEPOINT,
            Program::Lsm(_) => BPF_PROG_TYPE_LSM,
+            Program::BtfTracePoint(_) => BPF_PROG_TYPE_TRACING,
        }
    }

@ -258,6 +266,7 @@ impl Program {
            Program::PerfEvent(p) => &p.data,
            Program::RawTracePoint(p) => &p.data,
            Program::Lsm(p) => &p.data,
+            Program::BtfTracePoint(p) => &p.data,
        }
    }

@ -277,6 +286,7 @@ impl Program {
            Program::PerfEvent(p) => &mut p.data,
            Program::RawTracePoint(p) => &mut p.data,
            Program::Lsm(p) => &mut p.data,
+            Program::BtfTracePoint(p) => &mut p.data,
        }
    }
 }
@ -590,6 +600,7 @@ impl_program_fd!(
    PerfEvent,
    Lsm,
    RawTracePoint,
+    BtfTracePoint,
 );

 macro_rules! impl_try_from_program {
@ -635,6 +646,7 @@ impl_try_from_program!(
    PerfEvent,
    Lsm,
    RawTracePoint,
+    BtfTracePoint,
 );

 /// Provides information about a loaded program, like name, id and statistics
--- a/aya/src/programs/tp_btf.rs
+++ b/aya/src/programs/tp_btf.rs
@ -0,0 +1,103 @@
+//! BTF-enabled raw tracepoints.
+use std::os::unix::io::RawFd;
+
+use thiserror::Error;
+
+use crate::{
+    generated::{bpf_attach_type::BPF_TRACE_RAW_TP, bpf_prog_type::BPF_PROG_TYPE_TRACING},
+    obj::btf::{Btf, BtfError, BtfKind},
+    programs::{load_program, FdLink, LinkRef, ProgramData, ProgramError},
+    sys::bpf_raw_tracepoint_open,
+};
+
+/// Marks a function as a [BTF-enabled raw tracepoint][1] eBPF program that can be attached at
+/// a pre-defined kernel trace point.
+///
+/// The kernel provides a set of pre-defined trace points that eBPF programs can
+/// be attached to. See `/sys/kernel/debug/tracing/events` for a list of which
+/// events can be traced.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 5.5.
+///
+/// # Examples
+///
+/// ```no_run
+/// # #[derive(thiserror::Error, Debug)]
+/// # enum Error {
+/// #     #[error(transparent)]
+/// #     BtfTracePointError(#[from] aya::programs::BtfTracePointError),
+/// #     #[error(transparent)]
+/// #     BtfError(#[from] aya::BtfError),
+/// #     #[error(transparent)]
+/// #     Program(#[from] aya::programs::ProgramError),
+/// #     #[error(transparent)]
+/// #     Bpf(#[from] aya::BpfError),
+/// # }
+/// # let mut bpf = Bpf::load_file("ebpf_programs.o")?;
+/// use aya::{Bpf, programs::BtfTracePoint, BtfError, Btf};
+/// use std::convert::TryInto;
+///
+/// let btf = Btf::from_sys_fs()?;
+/// let program: &mut BtfTracePoint = bpf.program_mut("sched_process_fork")?.try_into()?;
+/// program.load("sched_process_fork", &btf)?;
+/// program.attach()?;
+/// # Ok::<(), Error>(())
+/// ```
+///
+/// [1]: https://github.com/torvalds/linux/commit/9e15db66136a14cde3f35691f1d839d950118826
+#[derive(Debug)]
+#[doc(alias = "BPF_TRACE_RAW_TP")]
+#[doc(alias = "BPF_PROG_TYPE_TRACING")]
+pub struct BtfTracePoint {
+    pub(crate) data: ProgramData,
+}
+
+/// Error type returned when loading LSM programs.
+#[derive(Debug, Error)]
+pub enum BtfTracePointError {
+    /// An error occured while working with BTF.
+    #[error(transparent)]
+    Btf(#[from] BtfError),
+}
+
+impl BtfTracePoint {
+    /// Loads the program inside the kernel.
+    ///
+    /// See also [`Program::load`](crate::programs::Program::load).
+    ///
+    /// # Arguments
+    ///
+    /// * `tracepoint` - full name of the tracepoint that we should attach to
+    /// * `btf` - btf information for the target system
+    pub fn load(&mut self, tracepoint: &str, btf: &Btf) -> Result<(), ProgramError> {
+        self.data.expected_attach_type = Some(BPF_TRACE_RAW_TP);
+        let type_name = format!("btf_trace_{}", tracepoint);
+        self.data.attach_btf_id = Some(
+            btf.id_by_type_name_kind(type_name.as_str(), BtfKind::Typedef)
+                .map_err(BtfTracePointError::from)?,
+        );
+        load_program(BPF_PROG_TYPE_TRACING, &mut self.data)
+    }
+
+    /// Returns the name of the program.
+    pub fn name(&self) -> String {
+        self.data.name.to_string()
+    }
+
+    /// Attaches the program.
+    pub fn attach(&mut self) -> Result<LinkRef, ProgramError> {
+        let prog_fd = self.data.fd_or_err()?;
+
+        // BTF programs specify their attach name at program load time
+        let pfd = bpf_raw_tracepoint_open(None, prog_fd).map_err(|(_code, io_error)| {
+            ProgramError::SyscallError {
+                call: "bpf_raw_tracepoint_open".to_owned(),
+                io_error,
+            }
+        })? as RawFd;
+
+        Ok(self.data.link(FdLink { fd: Some(pfd) }))
+    }
+}
--- a/bpf/aya-bpf-macros/src/expand.rs
+++ b/bpf/aya-bpf-macros/src/expand.rs
@ -412,3 +412,32 @@ impl Lsm {
        })
    }
 }
+
+pub struct BtfTracePoint {
+    item: ItemFn,
+    name: String,
+}
+
+impl BtfTracePoint {
+    pub fn from_syn(mut args: Args, item: ItemFn) -> Result<BtfTracePoint> {
+        let name = name_arg(&mut args)?.unwrap_or_else(|| item.sig.ident.to_string());
+
+        Ok(BtfTracePoint { item, name })
+    }
+
+    pub fn expand(&self) -> Result<TokenStream> {
+        let section_name = format!("tp_btf/{}", self.name);
+        let fn_name = &self.item.sig.ident;
+        let item = &self.item;
+        Ok(quote! {
+            #[no_mangle]
+            #[link_section = #section_name]
+            fn #fn_name(ctx: *mut ::core::ffi::c_void) -> i32 {
+                let _ = #fn_name(::aya_bpf::programs::BtfTracePointContext::new(ctx));
+                return 0;
+
+                #item
+            }
+        })
+    }
+}
--- a/bpf/aya-bpf-macros/src/lib.rs
+++ b/bpf/aya-bpf-macros/src/lib.rs
@ -1,8 +1,8 @@
 mod expand;

 use expand::{
-    Args, Lsm, Map, PerfEvent, Probe, ProbeKind, RawTracePoint, SchedClassifier, SkMsg, SockOps,
-    TracePoint, Xdp,
+    Args, BtfTracePoint, Lsm, Map, PerfEvent, Probe, ProbeKind, RawTracePoint, SchedClassifier,
+    SkMsg, SockOps, TracePoint, Xdp,
 };
 use proc_macro::TokenStream;
 use syn::{parse_macro_input, ItemFn, ItemStatic};
@ -207,3 +207,44 @@ pub fn lsm(attrs: TokenStream, item: TokenStream) -> TokenStream {
        .unwrap_or_else(|err| err.to_compile_error())
        .into()
 }
+
+/// Marks a function as a [BTF-enabled raw tracepoint][1] eBPF program that can be attached at
+/// a pre-defined kernel trace point.
+///
+/// The kernel provides a set of pre-defined trace points that eBPF programs can
+/// be attached to. See `/sys/kernel/debug/tracing/events` for a list of which
+/// events can be traced.
+///
+/// # Minimum kernel version
+///
+/// The minimum kernel version required to use this feature is 5.5.
+///
+/// # Examples
+///
+/// ```no_run
+/// use aya_bpf::{macros::btf_tracepoint, programs::BtfTracePointContext};
+///
+/// #[btf_tracepoint(name = "sched_process_fork")]
+/// pub fn sched_process_fork(ctx: BtfTracePointContext) -> u32 {
+///     match unsafe { try_sched_process_fork(ctx) } {
+///         Ok(ret) => ret,
+///         Err(ret) => ret,
+///     }
+/// }
+///
+/// unsafe fn try_sched_process_fork(_ctx: BtfTracePointContext) -> Result<u32, u32> {
+///     Ok(0)
+/// }
+/// ```
+///
+/// [1]: https://github.com/torvalds/linux/commit/9e15db66136a14cde3f35691f1d839d950118826
+#[proc_macro_attribute]
+pub fn btf_tracepoint(attrs: TokenStream, item: TokenStream) -> TokenStream {
+    let args = parse_macro_input!(attrs as Args);
+    let item = parse_macro_input!(item as ItemFn);
+
+    BtfTracePoint::from_syn(args, item)
+        .and_then(|u| u.expand())
+        .unwrap_or_else(|err| err.to_compile_error())
+        .into()
+}
--- a/bpf/aya-bpf/src/programs/mod.rs
+++ b/bpf/aya-bpf/src/programs/mod.rs
@ -5,6 +5,7 @@ pub mod raw_tracepoint;
 pub mod sk_msg;
 pub mod sk_skb;
 pub mod sock_ops;
+pub mod tp_btf;
 pub mod tracepoint;
 pub mod xdp;

@ -15,5 +16,6 @@ pub use raw_tracepoint::RawTracePointContext;
 pub use sk_msg::SkMsgContext;
 pub use sk_skb::SkSkbContext;
 pub use sock_ops::SockOpsContext;
+pub use tp_btf::BtfTracePointContext;
 pub use tracepoint::TracePointContext;
 pub use xdp::XdpContext;
--- a/bpf/aya-bpf/src/programs/tp_btf.rs
+++ b/bpf/aya-bpf/src/programs/tp_btf.rs
@ -0,0 +1,19 @@
+use core::ffi::c_void;
+
+use crate::BpfContext;
+
+pub struct BtfTracePointContext {
+    ctx: *mut c_void,
+}
+
+impl BtfTracePointContext {
+    pub fn new(ctx: *mut c_void) -> BtfTracePointContext {
+        BtfTracePointContext { ctx }
+    }
+}
+
+impl BpfContext for BtfTracePointContext {
+    fn as_ptr(&self) -> *mut c_void {
+        self.ctx
+    }
+}