Feature fix libbpf examples

attach/syscall_trace_attach_impl/generate_syscall_id_table.sh

@@ -1,5 +1,19 @@
-echo "static const char* table=R\"(`
-echo -e '#include <sys/syscall.h>' | \
-cpp -dM | grep '#define __NR_.*[0-9]$' | \
-cut -d' ' -f 2,3 | cut -d_ -f 4-
-`)\";" > $1
+#! /bin/sh
+
+# script to print all the syscalls in a system
+# usage <script_name> <file_name>
+# usage ./generate_syscall_id_table syscalls.txt
+if [ "$(uname)" = "Linux" ]; then
+    echo "static const char* table=R\"(`
+    echo -e '#include <sys/syscall.h>' | \
+    cpp -dM | grep '#define __NR_.*[0-9]$' | \
+    cut -d' ' -f 2,3 | cut -d_ -f 4-
+    `)\";" > $1
+elif [ "$(uname)" = "Darwin" ]; then
+    echo "static const char* table=R\"(`
+    echo '#include <sys/syscall.h>' | \
+    gcc -E -dM - | grep '#define SYS_.*[0-9]$' | \
+    sed 's/#define SYS_//' | \
+    awk '{print $1, $2}'
+    `)\";" > $1
+fi

example/bpfmap/Makefile

@@ -0,0 +1,16 @@
+CXX = g++
+
+CXXFLAGS = -I../../runtime/include \
+           -I../../vm/compat/include \
+		   -I../../third_party/spdlog/include \
+		   -I../../vm/vm-core/include
+
+SRC = main.cpp
+TGT = main
+
+main: $(SRC)
+	$(CXX) $(SRC) -o $(TGT) $(CXXFLAGS) 
+
+.PHONY: clean
+clean:
+	rm -rf $(TGT)

example/bpfmap/README.md

@@ -0,0 +1,5 @@
+## BPF map example
+
+This example tries to create a bpf program which doesn't have to rely on libbpf and which can be tested on systems
+that do not have support from libbpf.
+

example/bpfmap/main.cpp

@@ -0,0 +1,71 @@
+#include <iostream>
+#include <unistd.h>
+#if __linux__
+#include <linux/bpf.h>
+#include <sys/syscall.h>
+#elif defined(__APPLE__)
+#include "bpftime_epoll.h"
+#endif
+
+
+#if defined(__APPLE__)
+using namespace bpftime_epoll;
+#endif
+
+static struct bpf_insn prog[] = {
+    BPF_MOV64_IMM(BPF_REG_0, 0),
+    BPF_EXIT_INSN(),
+};
+
+static long bpf(int cmd, union bpf_attr *attr, unsigned int size) {
+    #if __linux__
+    return syscall(__NR_bpf, cmd, attr, size);
+    #endif
+}
+
+int main() {
+    union bpf_attr attr = {};
+    int prog_fd, map_fd;
+
+    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
+    attr.insns = (unsigned long) prog;
+    attr.insn_cnt = sizeof(prog) / sizeof(prog[0]);
+    attr.license = (unsigned long) "GPL";
+
+    prog_fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+    if (prog_fd < 0) {
+        std::cerr<<"Failed to load eBPF program";
+        return 1;
+    }
+    printf("eBPF program loaded and fd: %d\n",prog_fd);
+
+    attr = (union bpf_attr){0};
+    attr.map_type = BPF_MAP_TYPE_ARRAY;
+    attr.key_size = sizeof(int);
+    attr.value_size = sizeof(int);
+    attr.max_entries = 1;
+
+    map_fd = bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
+    if(map_fd < 0) {
+        std::cerr<<"Failed to create eBPF map";
+        return 1;
+    }
+    printf("eBPF map created with fd:%d\n", map_fd);
+    int key = 0, value = 42;
+
+    attr = (union bpf_attr){0};
+    attr.map_fd = map_fd;
+    attr.key = (unsigned long)&key;
+    attr.value = (unsigned long)&value;
+    attr.flags = BPF_XDP;
+
+    if(bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr)) < 0) {
+        std::cerr<<"Error in updating eBPF map\n";
+        return 1;
+    }
+    printf("Map updated successfully\n");
+
+    close(prog_fd);
+    close(map_fd);
+    return 0;
+}

example/map-op/.gitignore

@@ -0,0 +1 @@
+*.dSYM

example/map-op/Makefile

@@ -0,0 +1,22 @@
+CXX = clang
+CFLAGS = -nostdinc \
+         -I../../third_party/macos \
+         -I../../runtime/include \
+         -I../../vm/compat/include \
+         -I../../third_party/spdlog/include \
+         -I../../vm/vm-core/include \
+         -D__KERNEL__ \
+         -D__BPF_TRACING__ \
+         -D__TARGET_ARCH_bpf \
+         -DCONFIG_64BIT
+
+SRC = mapop.bpf.c
+TGT = main
+
+main: $(SRC)
+	$(CXX) -g $(CFLAGS) -target bpf -Wall -O2 -c $(SRC) -o $(TGT)
+
+.PHONY: clean
+
+clean:
+	rm -rf $(TGT)

example/map-op/README.md

@@ -0,0 +1,9 @@
+## BPF map example
+
+This example tries to create a bpf program which doesn't have to rely on libbpf and which can be tested on systems
+that do not have support from libbpf.
+
+To use this program, you would typically need to compile it with an eBPF-capable compiler (like clang with appropriate options),
+load it into the kernel using an eBPF loader(`bpftime load` can come to rescue here),
+and attach it to the execve system call tracepoint.
+The program will then count execve calls per process, which could be read from user space using the exec_count map

example/map-op/main.cpp

@@ -0,0 +1,72 @@
+#include <iostream>
+#include <unistd.h>
+#if __linux__
+#include <linux/bpf.h>
+#include <sys/syscall.h>
+#elif defined(__APPLE__)
+#include "bpftime_epoll.h"
+#endif
+
+
+#if defined(__APPLE__)
+using namespace bpftime_epoll;
+#endif
+
+static struct bpf_insn prog[] = {
+    BPF_MOV64_IMM(BPF_REG_0, 0),
+    BPF_EXIT_INSN(),
+};
+
+static long bpf(int cmd, union bpf_attr *attr, unsigned int size) {
+    #if __linux__
+    return syscall(__NR_bpf, cmd, attr, size);
+    #endif
+    return 0;
+}
+
+int main() {
+    union bpf_attr attr = {};
+    int prog_fd, map_fd;
+
+    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
+    attr.insns = (unsigned long) prog;
+    attr.insn_cnt = sizeof(prog) / sizeof(prog[0]);
+    attr.license = (unsigned long) "GPL";
+
+    prog_fd = bpf(BPF_PROG_LOAD, &attr, sizeof(attr));
+    if (prog_fd < 0) {
+        std::cerr<<"Failed to load eBPF program";
+        return 1;
+    }
+    printf("eBPF program loaded and fd: %d\n",prog_fd);
+
+    attr = (union bpf_attr){0};
+    attr.map_type = BPF_MAP_TYPE_ARRAY;
+    attr.key_size = sizeof(int);
+    attr.value_size = sizeof(int);
+    attr.max_entries = 1;
+
+    map_fd = bpf(BPF_MAP_CREATE, &attr, sizeof(attr));
+    if(map_fd < 0) {
+        std::cerr<<"Failed to create eBPF map";
+        return 1;
+    }
+    printf("eBPF map created with fd:%d\n", map_fd);
+    int key = 0, value = 42;
+
+    attr = (union bpf_attr){0};
+    attr.map_fd = map_fd;
+    attr.key = (unsigned long)&key;
+    attr.value = (unsigned long)&value;
+    attr.flags = BPF_XDP;
+
+    if(bpf(BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr)) < 0) {
+        std::cerr<<"Error in updating eBPF map\n";
+        return 1;
+    }
+    printf("Map updated successfully\n");
+
+    close(prog_fd);
+    close(map_fd);
+    return 0;
+}

example/map-op/mapop.bpf.c

@@ -0,0 +1,34 @@
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <linux/types.h>
+
+
+struct bpf_map_def {
+    unsigned int type;
+    unsigned int key_size;
+    unsigned int value_size;
+    unsigned int max_entries;
+};
+
+struct bpf_map_def exec_count __attribute__((section(".maps"))) = {
+    .type = BPF_MAP_TYPE_HASH,
+    .key_size = sizeof(uint32_t),
+    .value_size = sizeof(uint64_t),
+    .max_entries = 1024,
+};
+
+__attribute__((section("tracepoint/syscalls/sys_enter_execve")))
+int count_execve(void *ctx) {
+    uint32_t pid = bpf_get_current_pid_tgid() >> 32;
+    uint64_t *count = bpf_map_lookup_elem(&exec_count, &pid);
+    if (count) {
+        (*count)++;
+    } else {
+        uint64_t initial_count = 1;
+        bpf_map_update_elem(&exec_count, &pid, &initial_count, BPF_ANY);
+    }
+    return 0;
+}
+
+char LICENSE[] __attribute__((section("license"))) = "GPL";

runtime/include/bpftime_epoll.h

@@ -1040,6 +1040,15 @@ enum {
 	__MAX_BPF_REG,
 };
 
+enum bpf_map_type {
+	BPF_MAP_TYPE_UNSPEC = 0,
+	BPF_MAP_TYPE_HASH = 1,
+	BPF_MAP_TYPE_ARRAY = 2,
+	BPF_MAP_TYPE_PROG_ARRAY = 3,
+	BPF_MAP_TYPE_ARRAY_OF_MAPS = 12,
+	BPF_MAP_TYPE_RINGBUF = 27,
+};
+
 enum bpf_cmd {
 	BPF_MAP_CREATE,
 	BPF_MAP_LOOKUP_ELEM,

third_party/macos/asm/byteorder.h

@@ -0,0 +1,7 @@
+#include <libkern/OSByteOrder.h>
+
+#if defined(__LITTLE_ENDIAN__)
+#define __LITTLE_ENDIAN_BITFIELD
+#else
+#define __BIG_ENDIAN_BITFIELD
+#endif

third_party/macos/asm/errno.h

@@ -0,0 +1,3 @@
+#include <errno.h>
+
+#define	EUCLEAN		117	/* Structure needs cleaning */

third_party/macos/asm/types.h

@@ -0,0 +1,11 @@
+typedef __signed__ char __s8;
+typedef unsigned char __u8;
+
+typedef __signed__ short __s16;
+typedef unsigned short __u16;
+
+typedef __signed__ int __s32;
+typedef unsigned int __u32;
+
+__extension__ typedef __signed__ long long __s64;
+__extension__ typedef unsigned long long __u64;

third_party/macos/asm/unistd.h

@@ -0,0 +1,2 @@
+#define __NR_perf_event_open -1
+#define __NR_bpf -1

third_party/macos/byteswap.h

@@ -0,0 +1,11 @@
+#define bswap_16(value) \
+((((value) & 0xff) << 8) | ((value) >> 8))
+
+#define bswap_32(value) \
+(((uint32_t)bswap_16((uint16_t)((value) & 0xffff)) << 16) | \
+(uint32_t)bswap_16((uint16_t)((value) >> 16)))
+
+#define bswap_64(value) \
+(((uint64_t)bswap_32((uint32_t)((value) & 0xffffffff)) \
+<< 32) | \
+(uint64_t)bswap_32((uint32_t)((value) >> 32)))