??? 123123123123 .....................................................................................................................................??? 123123123123 .....................................................................................................................................3 :)gh @sddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z mZmZmZmZddlmZmZmZmZmZddlmZddlmZmZmZmZmZddl m!Z!dd l"m#Z#m$Z$dd l%m&Z&m'Z'ye(Wne)k re*Z(YnXd Z+da,d d Z-dZ.dZ/dZ0dZ1dZ2dZ3dZ4Gddde5Z6GdddZ7GdddZ8GdddZ9GdddZ:GdddZ;Gd d!d!ZGd&d'd'e5Z?dS)()print_functionN)lib bcc_symbolbcc_symbol_optionbcc_stacktrace_build_id _SYM_CB_TYPE)TablePerfEventArrayRingBufBPF_MAP_TYPE_QUEUEBPF_MAP_TYPE_STACK)Perf)get_online_cpusprintb_assert_is_bytes ArgString StrcmpRewrite) __version__)disassemble_prog decode_map)USDT USDTExceptionicCstS)N)_num_open_probesrr/usr/lib/python3.6/__init__.py_get_num_open_probes+srz/sys/kernel/debug/tracing c@s$eZdZddZddZddZdS) SymbolCachecCs tj|tjdtjt|_dS)N)rZbcc_symcache_newctcastPOINTERrcache)selfpidrrr__init__AszSymbolCache.__init__cCst}|r"tj|j|tj|}ntj|j|tj|}|dkrp|jrf|jrfd|jtj |jtj j fSd|dfS|r|j }tj tj|n|j}||jtj |jtj j fS)a Return a tuple of the symbol (function), its offset from the beginning of the function, and the module in which it lies. For example: ("start_thread", 0x202, "/usr/lib/.../libpthread-2.24.so") If the symbol cannot be found but we know which module it is in, return the module name and the offset from the beginning of the module. If we don't even know the module, return the absolute address as the offset. rN)rrZbcc_symcache_resolver&r#byrefZ bcc_symcache_resolve_no_demanglemoduleoffsetr$c_char_pvalueZ demangle_nameZbcc_symbol_free_demangle_namename)r'addrdemanglesymresZname_resrrrresolveEs     zSymbolCache.resolvecCs>t|}t|}tj}tj|j||tj|dkr8dS|jS)Nrr)rr# c_ulonglongrZbcc_symcache_resolve_namer&r*r.)r'r+r/r0rrr resolve_namebs zSymbolCache.resolve_nameN)__name__ __module__ __qualname__r)r4r7rrrrr"@sr"c@s$eZdZdZdZdZdZdZdZdS)PerfTyperrrrN) r8r9r:ZHARDWAREZSOFTWARE TRACEPOINTZHW_CACHERAWZ BREAKPOINTrrrrr;ks r;c@s4eZdZdZdZdZdZdZdZdZ dZ d Z d Z d S) PerfHWConfigrrrr<rr=r N) r8r9r:Z CPU_CYCLESZ INSTRUCTIONSZCACHE_REFERENCESZ CACHE_MISSESZBRANCH_INSTRUCTIONSZ BRANCH_MISSESZ BUS_CYCLESZSTALLED_CYCLES_FRONTENDZSTALLED_CYCLES_BACKENDZREF_CPU_CYCLESrrrrr@tsr@c@s8eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d S) PerfSWConfigrrrr<rr=rArBrrC N)r8r9r:Z CPU_CLOCKZ TASK_CLOCKZ PAGE_FAULTSZCONTEXT_SWITCHESZCPU_MIGRATIONSZPAGE_FAULTS_MINZPAGE_FAULTS_MAJZALIGNMENT_FAULTSZEMULATION_FAULTSZDUMMYZ BPF_OUTPUTrrrrrDsrDc@speZdZdZdZdZdZdZd Zd!Z d"Z d#Z d$Z d%Z d&Zd'Zd(Zd)Zd*Zd+Zd,Zd-Zd.Zd/Zd0Zd1Zd2Zd3ZdS)4PerfEventSampleFormatrrrr<rr=rArBrrCrE r Nrrrrr r!@iiiii i@iiiiiii i@ii)r8r9r:ZIPZTIDZTIMEZADDRZREADZ CALLCHAINZIDZCPUZPERIODZ STREAM_IDr?Z BRANCH_STACKZ REGS_USERZ STACK_USERZWEIGHTZDATA_SRCZ IDENTIFIERZ TRANSACTIONZ REGS_INTRZ PHYS_ADDRZAUXZCGROUPZDATA_PAGE_SIZEZCODE_PAGE_SIZEZ WEIGHT_STRUCTrrrrrFs2rFc@s`eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdS) BPFProgTyperrr<rr=rArBrrCrErGrHrIrJrKr rLrMN)r8r9r: SOCKET_FILTERKPROBE SCHED_CLS SCHED_ACTr>XDP PERF_EVENT CGROUP_SKB CGROUP_SOCKLWT_INLWT_OUTLWT_XMITSOCK_OPSSK_SKB CGROUP_DEVICESK_MSGRAW_TRACEPOINTCGROUP_SOCK_ADDRZCGROUP_SOCKOPTTRACINGLSMrrrrrWs*rWc@seZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(S)) BPFAttachTyperrrr<rr=rArBrrCrErGrHrIrJrKr rLrMrNrOrPrQrRrSrXrYrZr!!"#$%&N)*r8r9r:ZCGROUP_INET_INGRESSZCGROUP_INET_EGRESSZCGROUP_INET_SOCK_CREATEZCGROUP_SOCK_OPSZSK_SKB_STREAM_PARSERZSK_SKB_STREAM_VERDICTrhZSK_MSG_VERDICTZCGROUP_INET4_BINDZCGROUP_INET6_BINDZCGROUP_INET4_CONNECTZCGROUP_INET6_CONNECTZCGROUP_INET4_POST_BINDZCGROUP_INET6_POST_BINDZCGROUP_UDP4_SENDMSGZCGROUP_UDP6_SENDMSGZ LIRC_MODE2ZFLOW_DISSECTORZ CGROUP_SYSCTLZCGROUP_UDP4_RECVMSGZCGROUP_UDP6_RECVMSGZCGROUP_GETSOCKOPTZCGROUP_SETSOCKOPTZ TRACE_RAW_TPZ TRACE_FENTRYZ TRACE_FEXITZ MODIFY_RETURNZLSM_MACZ TRACE_ITERZCGROUP_INET4_GETPEERNAMEZCGROUP_INET6_GETPEERNAMEZCGROUP_INET4_GETSOCKNAMEZCGROUP_INET6_GETSOCKNAMEZ XDP_DEVMAPZCGROUP_INET_SOCK_RELEASEZ XDP_CPUMAPZ SK_LOOKUPr_ZSK_SKB_VERDICTrrrrrnsNrnc@s eZdZdZdZdZdZdZdS) XDPActionrrrr<rN)r8r9r: XDP_ABORTEDXDP_DROPXDP_PASSXDP_TX XDP_REDIRECTrrrrrys ryc@s eZdZdZdZd Zd Zd ZdS) XDPFlagsrrrr<rNrrrrr )r8r9r:UPDATE_IF_NOEXISTSKB_MODEDRV_MODEHW_MODEREPLACErrrrrs rc@seZdZejZejZejZejZejZej Z ej Z ej Z ej Z ej Z ejZejZejZejZejZejZejZejZejZejZejZejZejZejZejZejZ ej!Z"ej#Z$ej%Z&ej'Z(e)j*dZ+iZ,e-j.Z/dgddgddgdgdd gd Z0d d d ddddgZ1dZ2Gddde3j4Z5e3j6dddZ7e7j8Z9e3j:e3j;e5ge9_e=ddZ?e@Z@GdddeAZBeCddZDeCd d!ZEd"d"d#d$ggdd#d%f d&d'ZFefd(d)ZGdd*d+ZHd,d-ZId.d/ZJdd0d1ZKe3jLe3jMe3jNe3jOe3jPe3jQe3j:e3jRe3jSe3jTe3jUe3jVe3jWe3jXe3jYe3jZd2e3j[d2d3Z\eCd4d5Z]dd6d7Z^d8d9Z_d:d;Z`dd?Zbd@dAZceCddBdCZdeCdDdEZeeCdFdGZfeCdHdIZgdJdKZheCdLdMZidNdOZjdPdQZkdRdSZldTdUZmdVdWZndXdYZodZd[Zpdd\d]Zqdd^d_Zrd`daZsdbdcZtddddeZuddfdgZveCddhdiZweCddjdkZxe=ddldmZyeCdndoZzeCdpdqZ{eCdrdsZ|ddtduZ}ddvdwZ~ddxdyZeCdzd{ZeCd|d}ZeCd~dZdddZdddZdddZdddZdddZdddZeCddZeCddZeCddZdddZddZdddZddZdddZdddZeCddZeCddZeCddZddZdddZd ddZddZd ddZd ddZddZdddZdddZdddZdddZeCddZeCdddZeCdddZeCddZddÄZddńZddDŽZdddɄZdd˄Zddd̈́ZdddτZdddфZddӄZddՄZeCddׄZddلZddۄZdd݄Zdd߄ZddZd#S(BPFs [^a-zA-Z0-9_]ZtimeZfsfileZbioZrequestZallocZsk_buffZ net_device)z linux/time.hz linux/fs.hzlinux/blkdev.hz linux/slab.hzlinux/netdevice.hssys_s __x64_sys_s__x32_compat_sys_s__ia32_compat_sys_s __arm64_sys_s __s390x_sys_s __s390_sys_rc@s eZdZdejfdejfgZdS)z BPF.timespectv_sectv_nsecN)r8r9r:r#c_long_fields_rrrrtimespec@srz librt.so.1T)Z use_errnocCsH|j}|j|jtj|dkr8tj}t|tj||j d|j S)zmonotonic_time() Returns the system monotonic time from clock_gettime, using the CLOCK_MONOTONIC constant. The time returned is in nanoseconds. rgeA) r_clock_gettimeCLOCK_MONOTONICr#r* get_errnoOSErrorosstrerrorrr)clsterrnorrrmonotonic_timeGs zBPF.monotonic_timecCsXd}xN|jjD]@\}}x6|D].}x(|D] }||kr(||kr(|d|7}q(WqWqW|S)a1 Generates #include statements automatically based on a set of recognized types such as sk_buff and bio. The input is all the words that appear in the BPF program, and the output is a (possibly empty) string of #include statements, such as "#include ". z#include <%s> )_auto_includesitems)rZ program_wordsZheadersheaderkeywordskeywordZwordrrrgenerate_auto_includesSs  zBPF.generate_auto_includesc@seZdZddZdS)z BPF.FunctioncCs||_||_||_dS)N)bpfr/fd)r'rr/rrrrr)gszBPF.Function.__init__N)r8r9r:r)rrrrFunctionfsrcCsb|r^tjj|s^ttjd}djtjjtjj|j |g}tjj|rR|}n t d||S)z1 If filename is invalid, search in ./ of argv[0] r/zCould not find file %s) rpathisfilersysargvjoinabspathdirname __bytes__ Exception)filenameZargv0rrrr _find_filels "  zBPF._find_filecCsrdd}tjj|\}}|r*||rn|SnDxBtjdjtjD],}|jd}tjj|j|}||r>|Sq>WdS)a find_exe(bin_path) Traverses the PATH environment variable, looking for the first directory that contains an executable file named bin_path, and returns the full path to that file, or None if no such file can be found. This is meant to replace invocations of the "which" shell utility, which doesn't have portable semantics for skipping aliases. cSstjj|otj|tjS)N)rrraccessX_OK)fpathrrris_exes zBPF.find_exe..is_exePATH"N)rrsplitenvironpathsepstriprencode)Zbin_pathrrZfnamerZexe_filerrrfind_exeys  z BPF.find_exeNrFc Cst|}t|}t|}|o| s&ti|_i|_i|_i|_i|_i|_i|_i|_ i|_ d|_ d|_ t j|j||_i|_i|_d|_tjt|} x$t|D]\} } tt| | | <qW|rtj|}tj|}|rt|dd} | j}WdQRXtjt|}x(t|D]\} }tj|j|| <qWt j!|t|}|dkrZt"d ||}t j#||j| t| |||_|jst"d|pd x|D]}|j$|| qW|j%dS) aZCreate a new BPF module with the given source code. Note: All fields are marked as optional, but either `src_file` or `text` must be supplied, and not both. Args: src_file (Optional[str]): Path to a source file for the module hdr_file (Optional[str]): Path to a helper header file for the `src_file` text (Optional[str]): Contents of a source file for the module debug (Optional[int]): Flags used for debug prints, can be |'d together See "Debug flags" for explanation Nrb)modez%can't generate USDT probe arguments; z%possible cause is missing pid when a z&probe in a shared object has multiple Z locationszFailed to compile BPF module %szzJcan't generate USDT probe arguments; possible cause is missing pid when a zpcan't generate USDT probe arguments; possible cause is missing pid when a probe in a shared object has multiple zycan't generate USDT probe arguments; possible cause is missing pid when a probe in a shared object has multiple locations)&rAssertionError kprobe_fds uprobe_fdstracepoint_fdsraw_tracepoint_fdskfunc_entry_fdskfunc_exit_fdslsm_fds perf_buffersopen_perf_events_ringbuf_manager tracefileatexitregistercleanupdebugfuncstablesr+r#r-len enumeratebytesrrropenreadc_void_pZ get_contextrZbcc_usdt_genargsrZbpf_module_create_c_from_stringZattach_uprobes_trace_autoload)r'Zsrc_fileZhdr_filetextrZcflagsZ usdt_contextsZ allow_rlimitdeviceZattach_usdt_ignore_pidZ cflags_arrayisrZ ctx_arrayusdtZ usdt_textZ usdt_contextrrrr)s^      z BPF.__init__cCsDg}x:tdtj|jD]$}tj|j|}|j|j||qW|S)zload_funcs(prog_type=KPROBE) Load all functions in this BPF module with the given type. Returns a list of the function handles.r)rangerbpf_num_functionsr+bpf_function_nameappend load_func)r' prog_typefnsr func_namerrr load_funcss zBPF.load_funcsc Cst|}||jkr|j|Stj|j|s6td|d}|jt@rJd}n|jt@rXd}tj |j||tj|j|tj |j|tj |jtj |j|dd|| }|dkrt j|jtjtjkrtdtjtj}td||ftj|||}||j|<|S)NzUnknown program %srrrz!Need super-user privileges to runz!Failed to load BPF program %s: %s)rrrbpf_function_startr+rrDEBUG_BPF_REGISTER_STATE DEBUG_BPFZ bcc_func_loadbpf_function_sizeZbpf_module_licenseZbpf_module_kern_versionrr donothingr#rrEPERMrrrr) r'rrr attach_typeZ log_levelrerrstrfnrrrrs4             z BPF.load_funccCsJt|}tj|j|s"td|tj|j|}tj|j|}tj||S)zR Return the eBPF bytecodes for the specified function as a string zUnknown program %s)rrrr+rrr#Z string_at)r'rstartsizerrr dump_funcs  z BPF.dump_funccCs|j|}t||S)N)rr)r'rZbpfstrrrrdisassemble_funcs zBPF.disassemble_funccCs(||}tj|j|j}t||||dS)N)sizeinfo)rbpf_table_type_idr+map_idr)r'Z table_namerZ table_objZ table_typerrr decode_table#szBPF.decode_tabler)Z_BoolcharZwchar_tz unsigned charZshortzunsigned shortintz unsigned intZlongz unsigned longz long longzunsigned long longfloatZdoublez long doubleZ__int128zunsigned __int128cCst|trtj|Sg}g}xN|dD]@}t|dkrX|j|dtj|dfq(t|dkrZt|dtr|j|dtj|d|ddfnt|dtr|j|dtj|d|dfnt|dtrH|ddks |ddks |ddkrH|d}|dkr2d t|}|j||j|tj|fnt d t |q(t d t |q(Wt j }d }t|dkr|ddkrt j }n.|ddkrt j }n|ddkrt j }d }|rtt |d|ft|d|d }ntt |d|ft||d}|S)Nrrrr<unionstructZ struct_packedrz__anon%dzFailed to decode type %sFT) _anonymous_Z_pack_r)rr) isinstance basestringr str2ctyperr_decode_table_typelistrrstrr# StructureZUniontypedict)ZdescZanonfieldsrr/baseZ is_packedrrrrr;sL   *$     zBPF._decode_table_typec Cst|}tj|j|}tj|j|}tj|j|ttgk}|dkrFt| r| rtj |j|j d}|svt d|t j tj|}|stj|j|j d} | st d|t j tj| }t|||||||dS)Nrzutf-8z$Failed to load BPF Table %s key descz%Failed to load BPF Table %s leaf desc)reducer)rrZ bpf_table_idr+Z bpf_table_fdrr r KeyErrorZbpf_table_key_descdecoderrrjsonloadsZbpf_table_leaf_descr ) r'r/ZkeytypeZleaftyperrmap_fdZ is_queuestackZkey_descZ leaf_descrrr get_tablegs"   z BPF.get_tablecCs$||jkr|j||j|<|j|S)N)rr )r'keyrrr __getitem__zs zBPF.__getitem__cCs||j|<dS)N)r)r'r Zleafrrr __setitem__szBPF.__setitem__cCs t|jS)N)rr)r'rrr__len__sz BPF.__len__cCs |j|=dS)N)r)r'r rrr __delitem__szBPF.__delitem__cCs |jjS)N)r__iter__)r'rrrrsz BPF.__iter__cCsJt|tjstdtj|j|||}|dkrFtdj|tj | dS)Nz"arg 1 must be of type BPF.Functionrz7Failed to attach BPF function with attach_type {0}: {1}) rrrrrZbpf_prog_attachrformatrr)r attachable_fdrflagsr3rrr attach_funcs  zBPF.attach_funccCsHt|tjstdtj|j||}|dkrDtdj|tj | dS)Nz"arg 1 must be of type BPF.Functionrz7Failed to detach BPF function with attach_type {0}: {1}) rrrrrZbpf_prog_detach2rrrr)rrrr3rrr detach_funcs  zBPF.detach_funccCst|}t|tjstdtj|}|dkrLtjt j }td||ftj ||j }|dkrtjt j }td||f||_ dS)Nz"arg 1 must be of type BPF.Functionrz Failed to open raw device %s: %sz%Failed to attach BPF to device %s: %s)rrrrrrZbpf_open_raw_sockrrr#rZbpf_attach_socketrsock)rdevrrr3rrrattach_raw_sockets   zBPF.attach_raw_socketc Csdt}y,t|d}tdd|D}WdQRXWn:tk rn}z|jtjkrV|tg}WYdd}~XnXg}d}d}tdd}x |D]} | jjdd\} } |dkr| d krd}qn|dkr| d krd }q|dkr | d krd}qn| d kr"d }qn|dkr"| d krd }q| jdr2qn:| jds| jdrLqn | jdr\qnt j d| rlq| j dkrt j || r| |kr|j | qWWdQRXt|S)Nz%s/../kprobes/blacklistrcSsg|]}|jjdqS)r)rstripr).0linerrr sz,BPF.get_kprobe_functions..rz/proc/kallsymsrr<s __init_begins __init_endrs__irqentry_text_starts__irqentry_text_ends _kbl_addr_s__perfsperf_s__SCT__s^.*\.cold(\.\d+)?$tw)rr)TRACEFSrsetIOErrorrrrr startswithrematchlower fullmatchr) event_reZblacklist_fileZ blacklist_fZ blacklisterZin_init_sectionZin_irq_sectionZ avail_filerrrrrrget_kprobe_functionssZ        zBPF.get_kprobe_functionscCst|tjkrtddS)Nz/Number of open probes would exceed global quota)rrget_probe_limitr)r'Znum_new_probesrrr_check_probe_quotaszBPF._check_probe_quotacCs(tjjd}|r |jr t|StSdS)NZBCC_PROBE_LIMIT)rrgetisdigitr_default_probe_limit)Zenv_probe_limitrrrr*s  zBPF.get_probe_limitcCs.||jkri|j|<||j||<td7adS)Nr)rr)r'ev_namefn_namerrrr_add_kprobe_fds  zBPF._add_kprobe_fdcCs|j||=td8adS)Nr)rr)r'r/r0rrr_del_kprobe_fds zBPF._del_kprobe_fdcCs||j|<td7adS)Nr)rr)r'r/rrrr_add_uprobe_fd s zBPF._add_uprobe_fdcCs|j|=td8adS)Nr)rr)r'r/rrr_del_uprobe_fdszBPF._del_uprobe_fdcCs0x$|jD]}|jd|dkr|SqW|jdS)Ns%sbpfrrr5)_syscall_prefixesksymname)r'prefixrrrget_syscall_prefixs zBPF.get_syscall_prefixcCst|}|j|S)N)rr8)r'r/rrrget_syscall_fnname szBPF.get_syscall_fnnamecCs<t|}x.|jD]$}|j|r|j|t|dSqW|S)N)rr5r"r9r)r'r/r7rrrfix_syscall_fnname's   zBPF.fix_syscall_fnnamec Cst|}t|}t|}|rtj|}|jt|d}g}x>|D]6}y|j||dWqB|d7}|j|YqBXqBW|t|krtd|dj|fdS|jd|j |tj } d|j ddj d d} t j | jd| ||d} | dkrtd||f|j| || |S) Nr)eventr0rzwFailed to attach BPF program %s to kprobe %s, it's not traceable (either non-existing, inlined, or marked as "notrace")/sp_+_.)rrr)r+r attach_kproberrrrr\replacerbpf_attach_kproberr1) r'r;Z event_offr0r'matchesfailedprobesrrr/rrrrr@.s6      zBPF.attach_kprobec Cst|}t|}t|}|rtj|}d}g}x@|D]8}y|j|||dWq4|d7}|j|Yq4Xq4W|t|krtd|dj|fdS|jd|j |tj } d|j ddj d d} t j | jd| |d|} | dkrtd||f|j| || |S) Nr)r;r0 maxactiverzzFailed to attach BPF program %s to kretprobe %s, it's not traceable (either non-existing, inlined, or marked as "notrace")r<sr_r=r>r?)rrr)attach_kretproberrrrr+rr\rArrBrr1) r'r;r0r'rFrCrDrErrr/rrrrrGPs6      zBPF.attach_kretprobecCs8t|}t|j|j}x|D]}|j||q WdS)N)rrrkeysdetach_kprobe_event_by_fn)r'r/Zfn_namesr0rrrdetach_kprobe_eventrs zBPF.detach_kprobe_eventcCst|}t|}||jkr&td|tj|j||}|dkrJtd|j||t|j|dkrtj|}|dkrtddS)NzKprobe %s is not attachedrzFailed to close kprobe FDz Failed to detach BPF from kprobe)rrrrbpf_close_perf_event_fdr2rZbpf_detach_kprobe)r'r/r0r3rrrrIxs    zBPF.detach_kprobe_event_by_fncCsHt|}d|jddjdd}|r:t|}|j||n |j|dS)Nsp_r=r>r?)rrArIrJ)r'r;r0r/rrr detach_kprobes zBPF.detach_kprobecCsHt|}d|jddjdd}|r:t|}|j||n |j|dS)Nsr_r=r>r?)rrArIrJ)r'r;r0r/rrrdetach_kretprobes zBPF.detach_kretprobecCsnt|}t|tjstdtj||j|}|dkrjtj }|t j krPtdnt j |}td||fdS)zt This function attaches a BPF function to a device on the device driver level (XDP) z"arg 1 must be of type BPF.Functionrz-Internal error while attaching BPF to device,z try increasing the debug level!z%Failed to attach BPF to device %s: %sNzMInternal error while attaching BPF to device, try increasing the debug level!)rrrrrrbpf_attach_xdprr#rrZEBADMSGrr)rrrr3Zerr_norrrr attach_xdps   zBPF.attach_xdpcCs@t|}tj|d|}|dkrqxRtj|D]D}tjj||}tjj|rJd||f}tj|j|rJ|j |qJWqW|S)Neventsz%s:%s) rrrrlistdirisdirr#r$rr)tp_reresultsZ events_dircategoryZcat_dirr;evt_dirtprrrget_tracepointss   zBPF.get_tracepointscCstjjtd||}tjj|S)NrU)rrrrrW)rZr;r[rrrtracepoint_existsszBPF.tracepoint_existscCst|}t|}t|}|rBx tj|D]}|j||dq(WdS|j|tj}|jd\}}tj|j ||}|dkrt d||f||j |<|S)aattach_tracepoint(tp="", tp_re="", fn_name="") Run the bpf function denoted by fn_name every time the kernel tracepoint specified by 'tp' is hit. The optional parameters pid, cpu, and group_fd can be used to filter the probe. The tracepoint specification is simply the tracepoint category and the tracepoint name, separated by a colon. For example: sched:sched_switch, syscalls:sys_enter_bind, etc. Instead of a tracepoint name, a regular expression can be provided in tp_re. The program will then attach to tracepoints that match the provided regular expression. To obtain a list of kernel tracepoints, use the tplist tool or cat the file /sys/kernel/debug/tracing/available_events. Examples: BPF(text).attach_tracepoint(tp="sched:sched_switch", fn_name="on_switch") BPF(text).attach_tracepoint(tp_re="sched:.*", fn_name="on_switch") )r\r0N:rz0Failed to attach BPF program %s to tracepoint %s) rrr]attach_tracepointrr>rrZbpf_attach_tracepointrrr)r'r\rXr0r tp_categorytp_namerrrrr`s  zBPF.attach_tracepointcCs`t|}||jkrtd|t|}|j|tj}tj|j|}|dkrRtd||j|<|S)aattach_raw_tracepoint(self, tp=b"", fn_name=b"") Run the bpf function denoted by fn_name every time the kernel tracepoint specified by 'tp' is hit. The bpf function should be loaded as a RAW_TRACEPOINT type. The fn_name is the kernel tracepoint name, e.g., sched_switch, sys_enter_bind, etc. Examples: BPF(text).attach_raw_tracepoint(tp="sched_switch", fn_name="on_switch") z#Raw tracepoint %s has been attachedrz&Failed to attach BPF to raw tracepoint) rrrrrrjrZbpf_attach_raw_tracepointr)r'r\r0rrrrrattach_raw_tracepoints    zBPF.attach_raw_tracepointcCs:t|}||jkrtd|tj|j||j|=dS)zdetach_raw_tracepoint(tp="") Stop running the bpf function that is attached to the kernel tracepoint specified by 'tp'. Example: bpf.detach_raw_tracepoint("sched_switch") z!Raw tracepoint %s is not attachedN)rrrrclose)r'r\rrrdetach_raw_tracepoint)s   zBPF.detach_raw_tracepointcCs|j|s||}|S)N)r")r7r/rrr add_prefix8s zBPF.add_prefixcCs2tjdkrdStjsdStjddkr.dSdS)NZx86_64FZbpf_trampoline_link_progrTr5)platformmachinerbpf_has_kernel_btfrr6rrrr support_kfunc>s zBPF.support_kfunccCs"tjs dStjddkrdSdS)NFs bpf_lsm_bpfrTr5)rrirr6rrrr support_lsmJs zBPF.support_lsmcCsFt|}tjd|}||jkr*td|tj|j||j|=dS)Nskfunc__z$Kernel entry func %s is not attached)rrrfrrrrd)r'r0rrr detach_kfuncSs    zBPF.detach_kfunccCsFt|}tjd|}||jkr*td|tj|j||j|=dS)Ns kretfunc__z#Kernel exit func %s is not attached)rrrfrrrrd)r'r0rrrdetach_kretfunc\s    zBPF.detach_kretfunccCsbt|}tjd|}||jkr*td||j|tj}tj|j }|dkrTtd||j|<|S)Nskfunc__z&Kernel entry func %s has been attachedrz)Failed to attach BPF to entry kernel func) rrrfrrrrlrbpf_attach_kfuncr)r'r0rrrrr attach_kfunces     zBPF.attach_kfunccCsbt|}tjd|}||jkr*td||j|tj}tj|j }|dkrTtd||j|<|S)Ns kretfunc__z%Kernel exit func %s has been attachedrz(Failed to attach BPF to exit kernel func) rrrfrrrrlrrnr)r'r0rrrrrattach_kretfuncss     zBPF.attach_kretfunccCsFt|}tjd|}||jkr*td|tj|j||j|=dS)Nslsm__zLSM %s is not attached)rrrfrrrrd)r'r0rrr detach_lsms    zBPF.detach_lsmcCsbt|}tjd|}||jkr*td||j|tj}tj|j }|dkrTtd||j|<|S)Nslsm__zLSM %s has been attachedrzFailed to attach LSM) rrrfrrrrmrZbpf_attach_lsmr)r'r0rrrrr attach_lsms     zBPF.attach_lsmcCs$tjddkstjddkr dSdS)NZbpf_find_raw_tracepointrZbpf_get_raw_tracepointTFr5r5)rr6rrrrsupport_raw_tracepointszBPF.support_raw_tracepointc CsZd}t|D}x<|D]4}|jjdd\}}}|jdd}|dkrdSqWdSQRXdS) Nz/proc/kallsyms r rZbpf_trace_modulesTF)rrr)ZkallsymsZsymsr_r/rrr support_raw_tracepoint_in_modules  z$BPF.support_raw_tracepoint_in_modulecCst|}t|}tj||S)N)rrkernel_struct_has_field)Z struct_nameZ field_namerrrrxszBPF.kernel_struct_has_fieldcCstt|}||jkrtd|tj|j|}|dkr>td|jd\}}tj||}|dkrhtd|j|=dS)zdetach_tracepoint(tp="") Stop running a bpf function that is attached to the kernel tracepoint specified by 'tp'. Example: bpf.detach_tracepoint("sched:sched_switch") zTracepoint %s is not attachedrz$Failed to detach BPF from tracepointr_N)rrrrrKrZbpf_detach_tracepoint)r'r\r3rarbrrrdetach_tracepoints    zBPF.detach_tracepointc Cs,tj||||||||} | dkr(td| S)Nrz"Failed to attach BPF to perf event)rZbpf_attach_perf_eventr) r'progfdev_type ev_config sample_period sample_freqr(cpugroup_fdr3rrr_attach_perf_events  zBPF._attach_perf_eventc Cst|}|j|tj} i} |dkrB|j| j|||||||| |<n.x,tD]"} |j| j|||||| || | <qJW| |j||f<dS)Nr)rrrr`rrrr) r'r{r|r0r}r~r(rrrr3rrrrattach_perf_events   zBPF.attach_perf_eventcCs.tj|tj||||d}|dkr*td|S)Nrz&Failed to attach BPF to perf raw event)rZbpf_attach_perf_event_rawr#r*r)r'rzattrr(rrr3rrr_attach_perf_event_raws  zBPF._attach_perf_event_rawc Cszt|}|j|tj}i}|dkr<|j|j||||||<n(x&tD]}|j|j||||||<qDW||j|j|j f<dS)Nr) rrrr`rrrrrconfig) r'rr0r(rrrr3rrrrattach_perf_event_raws   zBPF.attach_perf_event_rawc Cs|y|j||f}Wn$tk r6tdj||YnXd}x|jD]}tj|pV|}qFW|dkrltd|j||f=dS)Nz)Perf event type {} config {} not attachedrz$Failed to detach BPF from perf event)rrrrvaluesrrK)r'r{r|Zfdsr3rrrrdetach_perf_eventszBPF.detach_perf_eventcCstddtj||DS)NcSsg|] \}}|qSrr)rr/rvrrrrsz*BPF.get_user_functions..)r r get_user_functions_and_addresses)r/sym_rerrrget_user_functionsszBPF.get_user_functionscCstddtj||DS)a We are returning addresses here instead of symbol names because it turns out that the same name may appear multiple times with different addresses, and the same address may appear multiple times with the same name. We can't attach a uprobe to the same address more than once, so it makes sense to return the unique set of addresses that are mapped to a symbol that matches the provided regular expression. cSsg|] \}}|qSrr)rrvZaddressrrrrsz*BPF.get_user_addresses..)r rr)r/rrrrget_user_addressess zBPF.get_user_addressescsNt|}tgfdd}tj|t|}|dkrJtd||fS)Ncs"|}tj|rj||fdS)Nr)r#r$r)Zsym_namer0Zdname) addressesrrrsym_cbs z4BPF.get_user_functions_and_addresses..sym_cbrz"Error %d enumerating symbols in %s)rrZbcc_foreach_function_symbolrr)r/rrr3r)rrrrsz$BPF.get_user_functions_and_addressescCs>|dkr d||jjd||fSd||jjd|||fSdS)Nrs %s_%s_0x%xr>s %s_%s_0x%x_%dr5) _probe_replsub)r'r7rr0r(rrr_get_uprobe_evname!szBPF._get_uprobe_evnamecCs|dks t|dk r$|dks$tdt|}t|}t|}t|}|rtj||}|jt|x|D]} |j|| ||dqhWdStj|||||\} }|jd|j|tj } |j d| ||} t j | j d| | ||} | dkrtd|j| | |S)aattach_uprobe(name="", sym="", sym_re="", addr=None, fn_name="" pid=-1, sym_off=0) Run the bpf function denoted by fn_name every time the symbol sym in the library or binary 'name' is encountered. Optional parameters pid, cpu, and group_fd can be used to filter the probe. If sym_off is given, attach uprobe to offset within the symbol. The real address addr may be supplied in place of sym, in which case sym must be set to its default value. If the file is a non-PIE executable, addr must be a virtual address, otherwise it must be an offset relative to the file load address. Instead of a symbol name, a regular expression can be provided in sym_re. The uprobe will then attach to symbols that match the provided regular expression. Libraries can be given in the name argument without the lib prefix, or with the full path (/usr/lib/...). Binaries can be given only with the full path (/bin/sh). If a PID is given, the uprobe will attach to the version of the library used by the process. Example: BPF(text).attach_uprobe("c", "malloc") BPF(text).attach_uprobe("/usr/bin/python", "main") rNz!offset with addr is not supported)r/r0r0r(rpzFailed to attach BPF to uprobe)rrrrr+r attach_uproberSrr\rrbpf_attach_uproberrr3)r'r/r2rr0r0r(rRrsym_addrrrr/rrrrr)s.     zBPF.attach_uprobec Cst|}t|}t|}t|}|rPx&tj||D]}|j||||dq2WdStj||||\}}|jd|j|tj} |jd|||} t j | j d| |||} | dkrt d|j | | |S)a6attach_uretprobe(name="", sym="", sym_re="", addr=None, fn_name="" pid=-1) Run the bpf function denoted by fn_name every time the symbol sym in the library or binary 'name' finishes execution. See attach_uprobe for meaning of additional parameters. )r/r0r0r(Nrrrz!Failed to attach BPF to uretprobe)rrrattach_uretproberSr+rr\rrrrrr3) r'r/r2rr0r0r(rrrr/rrrrrbs$   zBPF.attach_uretprobecCs^||jkrtd|tj|j|}|dkr6tdtj|}|dkrPtd|j|dS)NzUprobe %s is not attachedrz Failed to detach BPF from uprobe)rrrrKZbpf_detach_uprober4)r'r/r3rrrdetach_uprobe_events   zBPF.detach_uprobe_eventcCsDt|}t|}tj|||||\}}|jd|||}|j|dS)zdetach_uprobe(name="", sym="", addr=None, pid=-1) Stop running a bpf function that is attached to symbol 'sym' in library or binary 'name'. rN)rrrSrr)r'r/r2r0r(rRrr/rrr detach_uprobes zBPF.detach_uprobecCsBt|}t|}tj||||\}}|jd|||}|j|dS)zdetach_uretprobe(name="", sym="", addr=None, pid=-1) Stop running a bpf function that is attached to symbol 'sym' in library or binary 'name'. rN)rrrSrr)r'r/r2r0r(rr/rrrdetach_uretprobes zBPF.detach_uretprobecCsnxftdtj|jD]N}tj|j|}|jdrb|j|tj}|j |j |dd|j dq|jdr|j|tj}|j |j |dd|j dq|jdr|j|tj }|j tddjdd }|j||j d q|jd r|j|tj}|j td d}|j||j d q|jd r6|j|d q|jdrP|j|d q|jdr|j|d qWdS)Nrskprobe__r)r;r0s kretprobe__rGs tracepoint__s__r_)r\r0sraw_tracepoint__skfunc__)r0s kretfunc__slsm__)rrrr+rr"rrr\r@r:r/rGr>rrAr`rjrcrorprr)r'rrrr\rrrrs4         zBPF._trace_autoloadcCsN|jsHtdtd|_|rH|jj}tj|tj}tj|tj|tjB|jS)zWtrace_open(nonblocking=False) Open the trace_pipe if not already open z %s/trace_piper) rrrfilenofcntlZF_GETFLZF_SETFLr O_NONBLOCK)r' nonblockingrZflrrr trace_opens zBPF.trace_openc Csx|j|}| r|rd S|jdr(q|ddj}|dd}|jd}y|d|j\}}}}Wn$tk r} zwWYdd} ~ XnX|dd}||dd}|jd} || dd} y|t|t||t|| fStk r} zdSd} ~ XqXqWdS)ztrace_fields(nonblocking=False) Read from the kernel debug trace pipe and return a tuple of the fields (task, pid, cpu, flags, timestamp, msg) or None if no line was read (nonblocking=True) NrAsCPU:r rLr_rrUnknownr)N)NNNNNNr5)rrrrrr)trace_readliner"lstripfindrrrr) r'rrZtaskZts_endr(rrZtsr(Zsym_endmsgrrr trace_fieldss*       zBPF.trace_fieldsc Cs:|j|}d}y|jdj}Wntk r4YnX|S)ztrace_readline(nonblocking=False) Read from the kernel debug trace pipe and return one line If nonblocking is False, this will block until ctrl-C is pressed. Ni)rreadlinerr!)r'rZtracerrrrrs zBPF.trace_readlinecCsJxD|r$|jdd}|sq|j|}n |jdd}t|tjjqWdS)atrace_print(self, fmt=None) Read from the kernel debug trace pipe and print on stdout. If fmt is specified, apply as a format string to the output. See trace_fields for the members of the tuple example: trace_print(fmt="pid {1}, msg = {5}") F)rN)rrrprintrstdoutflush)r'Zfmtrrrrr trace_prints    zBPF.trace_printcCs6|dkr|dkrd}|tjkr,t|tj|<tj|S)z_sym_cache(pid) Returns a symbol cache for the specified PID. The kernel symbol cache is accessed by providing any PID less than zero. rrr5r5)r _sym_cachesr")r(rrr _sym_caches  zBPF._sym_cachec Cs6tt|}|jdd krt}t}|j|_|j|_|j|j_t j t j t j|t j|}|dkr|jr|jrd|jt j|jt jj} } } qd|d} } } q|j|jt j|jt jj} } } nt j|j||\} } } |r| dk rd| nd} | pd} | | } |r*| dk r*dtjj| nd} | | S) aysym(addr, pid, show_module=False, show_offset=False) Translate a memory address into a function name for a pid, which is returned. When show_module is True, the module name is also included. When show_offset is True, the instruction offset as a hexadecimal number is also included in the string. A pid of less than zero will access the kernel symbol cache. Example output when both show_module and show_offset are True: "start_thread+0x202 [libpthread-2.24.so]" Example output when both show_module and show_offset are False: "start_thread" Zbpf_stack_build_idrrNs+0x%xrs [unknown]s [%s]r5)rrrrrZstatusZbuild_idr,urZbcc_buildsymcache_resolver _bsymcacher#r*r+r$r-r.r/rr4rrbasename) r0r( show_module show_offsetr1Z typeofaddrr2br3r/r,r+rrrr2$s.     $zBPF.symcCstj|d||dS)aksym(addr) Translate a kernel memory address into a kernel function name, which is returned. When show_module is True, the module name ("kernel") is also included. When show_offset is true, the instruction offset as a hexadecimal number is also included in the string. Example output when both show_module and show_offset are True: "default_idle+0x0 [kernel]" rFr5)rr2)r0rrrrrksymUs zBPF.ksymcCstjdjd|S)zksymname(name) Translate a kernel name into an address. This is the reverse of ksym. Returns -1 when the function name is unknown.rNr5)rrr7)r/rrrr6csz BPF.ksymnamecCs t|jS)znum_open_kprobes() Get the number of open K[ret]probes. Can be useful for scenarios where event_re is used while attaching and detaching probes. )rr)r'rrrnum_open_kprobeskszBPF.num_open_kprobescCs t|jS)zInum_open_uprobes() Get the number of open U[ret]probes. )rr)r'rrrnum_open_uprobessszBPF.num_open_uprobescCs t|jS)zLnum_open_tracepoints() Get the number of open tracepoints. )rr)r'rrrnum_open_tracepointszszBPF.num_open_tracepointscCsLtjt|j}x"t|jjD]\}}|||<q"Wtjt|||dS)zperf_buffer_poll(self) Poll from all open perf ring buffers, calling the callback that was provided when calling open_perf_buffer for each entry. N)r#rrrrrrZperf_reader_poll)r'timeoutreadersrvrrrperf_buffer_polls zBPF.perf_buffer_pollcCsJtjt|j}x"t|jjD]\}}|||<q"Wtjt||dS)zperf_buffer_consume(self) Consume all open perf buffers, regardless of whether or not they currently contain events data. Necessary to catch 'remainder' events when wakeup_events > 1 is set in open_perf_buffer N)r#rrrrrrZperf_reader_consume)r'rrrrrrperf_buffer_consumes zBPF.perf_buffer_consumecCs|j|dS)zMkprobe_poll(self) Deprecated. Use perf_buffer_poll instead. N)r)r'rrrr kprobe_pollszBPF.kprobe_pollcCsL|js&tj||||_|jsHtdn"tj|j|||}|dkrHtddS)NzCould not open ring bufferr)rrZbpf_new_ringbufrZbpf_add_ringbuf)r'r rZctxretrrr_open_ring_buffers zBPF._open_ring_buffercCs |jstdtj|j|dS)zring_buffer_poll(self) Poll from all open ringbuf buffers, calling the callback that was provided when calling open_ring_buffer for each entry. zNo ring buffers to pollN)rrrZbpf_poll_ringbuf)r'rrrrring_buffer_pollszBPF.ring_buffer_pollcCs|jstdtj|jdS)a/ring_buffer_consume(self) Consume all open ringbuf buffers, regardless of whether or not they currently contain events data. This is best for use cases where low latency is desired, but it can impact performance. If you are unsure, use ring_buffer_poll instead. zNo ring buffers to pollN)rrrZbpf_consume_ringbuf)r'rrrring_buffer_consumeszBPF.ring_buffer_consumecCstjS)N)rZbcc_free_memory)r'rrrfree_bcc_memoryszBPF.free_bcc_memorycCsNytjtj|jWn2tk rH}ztdt|WYdd}~XnXdS)zJadd_module(modname) Add a library or exe to buildsym cache z&Error adding module to build sym cacheN)rZbcc_buildsymcache_add_modulerrrrrr)modnamer(rrr add_moduleszBPF.add_modulecCsdS)zthe do nothing exit handlerNr)r'rrrrsz BPF.donothingcCsLx.t|jjD]\}}tj|j|j|=qW|jrHtj|jd|_dS)zvclose(self) Closes all associated files descriptors. Attached BPF programs are not detached. N) rrrrrdrr+rZbpf_module_destroy)r'r/rrrrrds    z BPF.closecCsx$t|jjD]\}}|j|qWx$t|jjD]\}}|j|q6Wx$t|jjD]\}}|j|q\Wx$t|jjD]\}}|j |qWx$t|j jD]\}}|j |qWx$t|j jD]\}}|j |qWx$t|jjD]\}}|j|qWt|jj}x(|D] }t|j|tr|j|=qWx(t|jjD]\}}|j||qRW|jr|jjd|_|j|jrtj|jd|_dS)N)rrrrJrrrryrrerrlrrmrrqrrHrr rrrrdrrZbpf_free_ringbuf)r'krZ table_keysr r{r|rrrrs6   z BPF.cleanupcCs|S)Nr)r'rrr __enter__sz BPF.__enter__cCs |jdS)N)r)r'exc_typeZexc_valZexc_tbrrr__exit__sz BPF.__exit__r5)Nr5)F)NNN)r)rrrr)rrrr)N)N)r)r)r)rrr)rr)r)r)r)r)r)r)r)rr5r5r5r5r5)r5r5rrrr5r5r5r5r5r5r5)r5rr5r5r5r5r5)r5r5r5)rrrNrr5rr5)rrrNrr5r5)rrNr5rr5)rrNr5)F)F)F)N)FFT)FFr5)r5r5)r5)Nr5)r5)r8r9r:rWr[r\r]r^r>r_r`rarbrcrdrerfrgrhrirjrkrlrmryrzr{r|r}r~rrZXDP_FLAGS_UPDATE_IF_NOEXISTrZXDP_FLAGS_SKB_MODErZXDP_FLAGS_DRV_MODErZXDP_FLAGS_HW_MODErZXDP_FLAGS_REPLACEr#compilerrrZbcc_buildsymcache_newrrr5rr#rrZCDLLZ_librtZ clock_gettimerZc_intr%Zargtypes classmethodrrr objectr staticmethodrrr)rrrrrZc_boolZc_charZc_wcharZc_ubyteZc_shortZc_ushortZc_uintrZc_ulongZ c_longlongr6Zc_floatZc_doubleZ c_longdoubleZc_int64Zc_uint64rrr r r rrrrrrr)r+r*r1r2r3r4r8r9r:r@rGrJrIrLrMrOrPrSrTr]r^r`rcrerfrjrkrlrmrorprqrrrsrwrxryrrrrrrrrrrrrrrrrrrrrr2rr6rrrrrrrrrrrrrdrrrrrrrrsb     N    ,   B   " "       &              8   #   0       #r)@Z __future__rrZctypesr#rrrr#rrrgZlibbccrrrrrtabler r r r r ZperfrZutilsrrrrrversionrZ disassemblerrrrrrr NameErrorrr.rrrZ DEBUG_LLVM_IRrZDEBUG_PREPROCESSORZ DEBUG_SOURCErZ DEBUG_BTFrr"r;r@rDrFrWrnryrrrrrrsP    +  *