Tags: c, bpf, ebpf, tracepoint

tracepoint/syscalls/sys_enter doesn't trigger bpf_trace_printk


GOAL: print Hello every time a system call is executed.

CODE:

_kern.c

#include <linux/bpf.h>
#include "bpf_helpers.h"

/* Tracepoint program: runs each time the hook it is attached to fires.
 * bpf_trace_printk() writes to /sys/kernel/debug/tracing/trace_pipe. */
SEC("tracepoint/syscalls/sys_enter")
int bpf_sys(struct syscalls_enter_open_args *ctx)
{
        char fmt[] = "Hello\n";
        bpf_trace_printk(fmt, sizeof(fmt));
        return 0;
}
char _license[] SEC("license") = "GPL";

_user.c

#include <linux/bpf.h>
#include "libbpf.h"
#include <unistd.h>
#include <fcntl.h>

int main(int ac, char **argv)
{
        int prog_fd, fd;
        struct bpf_object *obj;

        /* Load tracesys_kern.o into the kernel (this is where the verifier runs). */
        if (bpf_prog_load("tracesys_kern.o", BPF_PROG_TYPE_TRACEPOINT,
                          &obj, &prog_fd))
                return 1;

        /* Trigger an open system call, then exit. */
        fd = open("mine_user.c", O_RDONLY);
        close(fd);
        //fork();

        return 0;
}

PROBLEM: when I run the program it just terminates without printing "Hello", even though the open system call is invoked.

QUESTION: what am I missing? I've also tried sys_enter_open instead of sys_enter.


Solution

As for other program types, loading a BPF program takes two steps. First there is the actual load (injecting the program from user space to kernel space, where it passes the verifier), that you performed with bpf_prog_load() in your case. Then, the program is to be attached to one of the BPF hooks, here a tracepoint.

In your sample code, your program is loaded, but not attached to the tracepoint just yet. See how bpf_load.c, for example, uses libbpf to load a program and then attaches it to the tracepoint.

I think recent versions of libbpf now provide bpf_program__attach_tracepoint() as a simpler way to attach the program to the tracepoint.

As pchaigno mentioned, you can list the tracepoints available on your system with sudo perf list tracepoint (you may have to install the perf utility).
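The attach step the answer describes, as an added example (not code from the question, the answer, or from bpf_load.c or libbpf themselves): it binds an already-loaded tracepoint program to a tracepoint the way samples/bpf/bpf_load.c and bpf_program__attach_tracepoint() do underneath, with perf_event_open(2) followed by the PERF_EVENT_IOC_SET_BPF and PERF_EVENT_IOC_ENABLE ioctls, so no libbpf header is needed for this part. Assumptions: tracefs is mounted at /sys/kernel/debug/tracing, prog_fd is the descriptor bpf_prog_load() filled in in the asker's _user.c, and the tracepoint used is raw_syscalls/sys_enter, which fires on entry to every system call (the goal stated in the question). The category/name lookup through the tracepoint's id file also doubles as the existence check the answer recommends doing with perf list: a name that is not on the system fails with ENOENT before anything is attached.

```c
/* Added example, not the question's or answer's code: attach a loaded
 * tracepoint program via perf_event_open + ioctls, as bpf_load.c does.
 * Assumes tracefs at /sys/kernel/debug/tracing; needs root to attach. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/perf_event.h>

#define TRACEFS "/sys/kernel/debug/tracing"

/* Path of the tracepoint's id file, e.g. .../events/raw_syscalls/sys_enter/id.
 * Returns 0, or -1 if buf is too small. */
int tracepoint_id_path(const char *category, const char *name,
                       char *buf, size_t len)
{
        int n = snprintf(buf, len, TRACEFS "/events/%s/%s/id", category, name);
        return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* Parse the decimal id the kernel writes into that file ("1234\n").
 * Returns the id, or -1 if the text is not a non-negative integer. */
long parse_tracepoint_id(const char *text)
{
        char *end;
        errno = 0;
        long id = strtol(text, &end, 10);
        if (errno || end == text || id < 0)
                return -1;
        while (*end == '\n' || *end == ' ')
                end++;
        return *end ? -1 : id;
}

/* Read the id from tracefs. Returns -1 with errno set; ENOENT means no such
 * tracepoint exists here (what `perf list tracepoint` would also show). */
long read_tracepoint_id(const char *category, const char *name)
{
        char path[256], text[64];
        if (tracepoint_id_path(category, name, path, sizeof(path)))
                return -1;
        int fd = open(path, O_RDONLY);
        if (fd < 0)
                return -1;
        ssize_t n = read(fd, text, sizeof(text) - 1);
        close(fd);
        if (n <= 0)
                return -1;
        text[n] = '\0';
        return parse_tracepoint_id(text);
}

/* The step missing from _user.c: bind prog_fd to the tracepoint. Returns the
 * perf event fd; the program stays attached only while that fd is open. */
int attach_tracepoint(int prog_fd, const char *category, const char *name)
{
        long id = read_tracepoint_id(category, name);
        if (id < 0)
                return -1;

        struct perf_event_attr attr;
        memset(&attr, 0, sizeof(attr));
        attr.type = PERF_TYPE_TRACEPOINT;
        attr.size = sizeof(attr);
        attr.config = (__u64)id;        /* which tracepoint to hook */
        attr.sample_type = PERF_SAMPLE_RAW;
        attr.sample_period = 1;
        attr.wakeup_events = 1;

        /* pid -1, cpu 0: one perf event suffices, the BPF program is hung
         * off the tracepoint itself and runs for hits on every CPU. */
        int efd = syscall(SYS_perf_event_open, &attr, -1, 0, -1, 0);
        if (efd < 0)
                return -1;
        if (ioctl(efd, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0 ||
            ioctl(efd, PERF_EVENT_IOC_ENABLE, 0) < 0) {
                int saved = errno;
                close(efd);
                errno = saved;
                return -1;
        }
        return efd;
}

int main(void)
{
        /* Stand-alone run only checks that the tracepoint exists. In _user.c,
         * call attach_tracepoint(prog_fd, "raw_syscalls", "sys_enter") right
         * after bpf_prog_load() succeeds and before the open() call. */
        long id = read_tracepoint_id("raw_syscalls", "sys_enter");
        if (id < 0) {
                perror("raw_syscalls/sys_enter");
                return 1;
        }
        printf("tracepoint id %ld; output goes to " TRACEFS "/trace_pipe\n", id);
        return 0;
}
```

Once attached, the "Hello" lines do not go to the program's stdout: bpf_trace_printk() writes to /sys/kernel/debug/tracing/trace_pipe, so read that file (for example with cat, as root) in a second terminal while the traced process runs. Closing the perf event fd, including by process exit, detaches the program again, which is fine for the question's program because its open() call happens while the fd is still open.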