-
由 Arnaldo Carvalho de Melo 提交于
We just check that the evsel is the one we associated with the bpf-output event associated with the "__augmented_syscalls__" eBPF map, to show that the formatting is done properly: # perf trace -e perf/tools/perf/examples/bpf/augmented_syscalls.c,openat cat /etc/passwd > /dev/null 0.000 ( ): __augmented_syscalls__:dfd: CWD, filename: 0x43e06da8, flags: CLOEXEC 0.006 ( ): syscalls:sys_enter_openat:dfd: CWD, filename: 0x43e06da8, flags: CLOEXEC 0.007 ( 0.004 ms): cat/11486 openat(dfd: CWD, filename: 0x43e06da8, flags: CLOEXEC ) = 3 0.029 ( ): __augmented_syscalls__:dfd: CWD, filename: 0x4400ece0, flags: CLOEXEC 0.030 ( ): syscalls:sys_enter_openat:dfd: CWD, filename: 0x4400ece0, flags: CLOEXEC 0.031 ( 0.004 ms): cat/11486 openat(dfd: CWD, filename: 0x4400ece0, flags: CLOEXEC ) = 3 0.249 ( ): __augmented_syscalls__:dfd: CWD, filename: 0xc3700d6 0.250 ( ): syscalls:sys_enter_openat:dfd: CWD, filename: 0xc3700d6 0.252 ( 0.003 ms): cat/11486 openat(dfd: CWD, filename: 0xc3700d6 ) = 3 # Now we just need to get the full blown enter/exit handlers to check if the evsel being processed is the augmented_syscalls one to go pick the pointer payloads from the end of the payload. We also need to state somehow what is the layout for multi pointer arg syscalls. Also handy would be to have a BTF file with the struct definitions used in syscalls, compact, generated at kernel built time and available for use in eBPF programs. Till we get there we can go on doing some manual coupling of the most relevant syscalls with some hand built beautifiers. Cc: Adrian Hunter <adrian.hunter@intel.com> Cc: David Ahern <dsahern@gmail.com> Cc: Jiri Olsa <jolsa@kernel.org> Cc: Namhyung Kim <namhyung@kernel.org> Cc: Wang Nan <wangnan0@huawei.com> Link: https://lkml.kernel.org/n/tip-r6ba5izrml82nwfmwcp7jpkm@git.kernel.orgSigned-off-by: NArnaldo Carvalho de Melo <acme@redhat.com>88cf7084