fu lddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl m Z mZmZmZmZddlmZmZmZmZmZddlmZddlmZmZmZmZmZddl m!Z!dd l"m#Z#m$Z$dd l%m&Z&m'Z' e(d Z+da,d Z-d Z.ej^jae.dZ1ej^jee1sdZ1dZ3dZ4dZ5dZ6dZ7dZ8Gdde9Z:GddZ;GddZ<GddZ=GddZ>Gdd Z?Gd!d"Z@Gd#d$ZAGd%d&ZBGd'd(e9ZCy#e)$re*Z(YwxYw)))print_functionN)lib bcc_symbolbcc_symbol_optionbcc_stacktrace_build_id _SYM_CB_TYPE)TablePerfEventArrayRingBufBPF_MAP_TYPE_QUEUEBPF_MAP_TYPE_STACK)Perf)get_online_cpusprintb_assert_is_bytes ArgString StrcmpRewrite) __version__)disassemble_prog decode_map)USDT USDTExceptionictSN)_num_open_probes./usr/lib/python3/dist-packages/bcc/__init__.py_get_num_open_probesr +s rz/sys/kernel/debugtracingz/sys/kernel/tracing ceZdZdZdZdZy) SymbolCachec tj|tjdtjt |_yr)rbcc_symcache_newctcastPOINTERrcache)selfpids r__init__zSymbolCache.__init__Ds/))RWWT2::.?#@AC rct}|r5tj|j|t j |}n4tj |j|t j |}|dkrb|jrQ|jrEd|jt j|jtjjfSd|dfS|r5|j}tjt j |n |j}||jt j|jtjjfS)a Return a tuple of the symbol (function), its offset from the beginning of the function, and the module in which it lies. For example: ("start_thread", 0x202, "/usr/lib/.../libpthread-2.24.so") If the symbol cannot be found but we know which module it is in, return the module name and the offset from the beginning of the module. If we don't even know the module, return the absolute address as the offset. rN)rrbcc_symcache_resolver.r+byref bcc_symcache_resolve_no_demanglemoduleoffsetr,c_char_pvalue demangle_namebcc_symbol_free_demangle_namename)r/addrdemanglesymresname_ress rresolvezSymbolCache.resolveHsl **4::tRXXc]KC66tzz479xx}FC 7zzcjjcjj BKK8>>@@$% % ((H  - -bhhsm <xxH#**bggcjj"++&F&L&LMMrct|}t|}tj}tj|j ||tj |dkry|jS)Nr)rr+ c_ulonglongrbcc_symcache_resolve_namer.r4r9)r/r6r<r=s r resolve_namezSymbolCache.resolve_nameesZ!&)%~~  ( (VT "# $zzrN)__name__ __module__ __qualname__r1rBrGrrrr(r(CsCN:rr(c$eZdZdZdZdZdZdZdZy)PerfTyperrr"r#N) rHrIrJHARDWARESOFTWARE TRACEPOINTHW_CACHERAW BREAKPOINTrrrrLrLns HHJH CJrrLc4eZdZdZdZdZdZdZdZdZ dZ d Z d Z y ) PerfHWConfigrrr"rMr#rNr$ N) rHrIrJ CPU_CYCLES INSTRUCTIONSCACHE_REFERENCES CACHE_MISSESBRANCH_INSTRUCTIONS BRANCH_MISSES BUS_CYCLESSTALLED_CYCLES_FRONTENDSTALLED_CYCLES_BACKENDREF_CPU_CYCLESrrrrVrVws8JLLMJNrrVc8eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z y ) PerfSWConfigrrr"rMr#rNrWrXr$rY N)rHrIrJ CPU_CLOCK TASK_CLOCK PAGE_FAULTSCONTEXT_SWITCHESCPU_MIGRATIONSPAGE_FAULTS_MINPAGE_FAULTS_MAJALIGNMENT_FAULTSEMULATION_FAULTSDUMMY BPF_OUTPUTrrrreres<IJKNOO EJrrecpeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZy)PerfEventSampleFormatrr"r#r$r%r&@iiii i@iiiiiii i@iiN)rHrIrJIPTIDTIMEADDRREAD CALLCHAINIDCPUPERIOD STREAM_IDrS BRANCH_STACK REGS_USER STACK_USERWEIGHTDATA_SRC IDENTIFIER TRANSACTION REGS_INTR PHYS_ADDRAUXCGROUPDATA_PAGE_SIZECODE_PAGE_SIZE WEIGHT_STRUCTrrrrsrss B C D D DI B CFI CLIJFHJKII CFNNMrrsc`eZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZy) BPFProgTyperr"rMr#rNrWrXr$rYrf r%N)rHrIrJ SOCKET_FILTERKPROBE SCHED_CLS SCHED_ACTrQXDP PERF_EVENT CGROUP_SKB CGROUP_SOCKLWT_INLWT_OUTLWT_XMITSOCK_OPSSK_SKB CGROUP_DEVICESK_MSGRAW_TRACEPOINTCGROUP_SOCK_ADDRCGROUP_SOCKOPTTRACINGLSMrrrrrslM FIIJ CJJK FGHH FM FNNG CrrceZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)y()) BPFAttachTyperrr"rMr#rNrWrXr$rYrfrrrrrr%rrrrrr&!"#$%&N)*rHrIrJCGROUP_INET_INGRESSCGROUP_INET_EGRESSCGROUP_INET_SOCK_CREATECGROUP_SOCK_OPSSK_SKB_STREAM_PARSERSK_SKB_STREAM_VERDICTrSK_MSG_VERDICTCGROUP_INET4_BINDCGROUP_INET6_BINDCGROUP_INET4_CONNECTCGROUP_INET6_CONNECTCGROUP_INET4_POST_BINDCGROUP_INET6_POST_BINDCGROUP_UDP4_SENDMSGCGROUP_UDP6_SENDMSG LIRC_MODE2FLOW_DISSECTOR CGROUP_SYSCTLCGROUP_UDP4_RECVMSGCGROUP_UDP6_RECVMSGCGROUP_GETSOCKOPTCGROUP_SETSOCKOPT TRACE_RAW_TP TRACE_FENTRY TRACE_FEXIT MODIFY_RETURNLSM_MAC TRACE_ITERCGROUP_INET4_GETPEERNAMECGROUP_INET6_GETPEERNAMECGROUP_INET4_GETSOCKNAMECGROUP_INET6_GETSOCKNAME XDP_DEVMAPCGROUP_INET_SOCK_RELEASE XDP_CPUMAP SK_LOOKUPrSK_SKB_VERDICTrrrrrsOMNJNMLLKMGJ!!!!J!JI CNrrc eZdZdZdZdZdZdZy) XDPActionrrr"rMr#N)rHrIrJ XDP_ABORTEDXDP_DROPXDP_PASSXDP_TX XDP_REDIRECTrrrrrsKHH FLrrc eZdZdZdZdZdZdZy)XDPFlagsrr"r#r$r%N)rHrIrJUPDATE_IF_NOEXISTSKB_MODEDRV_MODEHW_MODEREPLACErrrrrs HHGGrrc eZdZejZej Zej ZejZejZejZ ejZ ejZ ejZ ejZ ejZejZej Zej"Zej$Zej&Zej(Zej*Zej,Zej.Zej2Zej4Zej6Zej8Zej:Zej>Z ejBZ"ejFZ$ejJZ&ejNZ(e)jTdZ+iZ,e-j\Z/dgddgddgdgdd gd Z0gd Z1d Z2Gd de3jhZ5e3jlddZ7e7jpZ9e3jte3jve5ge9_<e=dZ>e=dZ?e@Z@GddeAZBeCdZDeCdZEddddggdddf dZFefdZGddZHdZId ZJdd!ZKid"e3jd#e3jd$e3jd%e3jd&e3jd'e3jd(e3jtd)e3jd*e3jd+e3jd,e3jd-e3jd.e3jd/e3jd0e3jd1e3jd2zd3e3jd2zZ\eCd4Z]dd5Z^d6Z_d7Z`d8Zad9Zbd:ZceCdd;ZdeCd<ZeeCd=ZfeCd>Zgd?ZheCd@ZidAZjdBZkdCZldDZmdEZndFZodGZpddHZqddIZrdJZsdKZtddLZuddMZveCddNZweCddOZxe=ddPZyeCdQZzeCdRZ{eCdSZ|ddTZ}ddUZ~ddVZeCdWZeCdXZeCdYZddZZdd[Zdd\Zdd]Zdd^Zdd_ZeCd`ZeCdaZeCdbZddcZddZ ddeZdfZddgZddhZeCdiZeCdjZeCdkZdlZ ddmZ ddnZdoZddpZddqZdrZddsZddtZdduZddvZeCdwZeCddxZeCddyZeCdzZd{Zd|Zd}Zdd~ZdZddZddZddZdZdZeCdZdZdZdZdZdZy)BPFs [^a-zA-Z0-9_]timefsfilebiorequestallocsk_buff net_device)z linux/time.hz linux/fs.hzlinux/blkdev.hz linux/slab.hzlinux/netdevice.h)ssys_s __x64_sys_s__x32_compat_sys_s__ia32_compat_sys_s __arm64_sys_s __s390x_sys_s __s390_sys_rcDeZdZdejfdejfgZy) BPF.timespectv_sectv_nsecN)rHrIrJr+c_long_fields_rrrtimespecrCsryy)Iryy+ABrrz librt.so.1T) use_errnoc$|j}|j|jtj|dk7r3tj }t |tj||jdz|jzS)zmonotonic_time() Returns the system monotonic time from clock_gettime, using the CLOCK_MONOTONIC constant. The time returned is in nanoseconds. rgeA) r_clock_gettimeCLOCK_MONOTONICr+r4 get_errnoOSErrorosstrerrorrr)clsterrnos rmonotonic_timezBPF.monotonic_timeJsj LLN   c11288A; ?1 DLLNE%U!34 4xx#~ ))rcd}|jjD]%\}}|D]}|D]}||vs||vs |d|zz }'|S)a1 Generates #include statements automatically based on a set of recognized types such as sk_buff and bio. The input is all the words that appear in the BPF program, and the output is a (possibly empty) string of #include statements, such as "#include ". z#include <%s> )_auto_includesitems)r program_wordsheadersheaderkeywordskeywordwords rgenerate_auto_includeszBPF.generate_auto_includesVso # 2 2 8 8 : > FH# >)>D$6+@#4v#==> > > rceZdZdZy) BPF.Functionc.||_||_||_yr)bpfr<fd)r/r r<r!s rr1zBPF.Function.__init__jsDHDIDGrN)rHrIrJr1rrrFunctionris rr"c|rtjj|sttj d}dj tjjtjj|j|g}tjj|r|}|Std|z|S)z1 If filename is invalid, search in ./ of argv[0] r/zCould not find file %s) r pathisfilersysargvjoinabspathdirname __bytes__ Exception)filenameargv0rs r _find_filezBPF._find_fileos 77>>(+!#((1+.IIrwwrwwu?P/QRT\]^77>>!$ H$$.is_exes.77>>%(* %) *rPATH"N)r r%splitenvironpathsepstripr)encode)bin_pathr6r5fnamer%exe_files rfind_exez BPF.find_exe|s *ww}}X. u h  6*00< $zz#77<< x@(##O  $ rrNrFc t|}t|}t|}|r|rJi|_i|_i|_i|_i|_i|_i|_i|_i|_ d|_ d|_ tj|j||_i|_i|_d|_t'j(t+|z} t-|D]\} } t/t1| | | <|r*t2j5|}t2j5|}|r&t7|d5} | j9}dddt'j:t+|z}t-|D]+\} }t'j:|j=|| <-t?j@|t+|}| tCd||z}t?jD||j| t+| |||_|j$stCd|xsdz|D]}|jG|| |jIy#1swYxYw)aZCreate a new BPF module with the given source code. Note: All fields are marked as optional, but either `src_file` or `text` must be supplied, and not both. Args: src_file (Optional[str]): Path to a source file for the module hdr_file (Optional[str]): Path to a helper header file for the `src_file` text (Optional[str]): Contents of a source file for the module debug (Optional[int]): Flags used for debug prints, can be |'d together See "Debug flags" for explanation Nrb)modezycan't generate USDT probe arguments; possible cause is missing pid when a probe in a shared object has multiple locationszFailed to compile BPF module %sz)%r kprobe_fds uprobe_fdstracepoint_fdsraw_tracepoint_fdskfunc_entry_fdskfunc_exit_fdslsm_fds perf_buffersopen_perf_events_ringbuf_manager tracefileatexitregistercleanupdebugfuncstablesr6r+r8len enumeratebytesrrr0openreadc_void_p get_contextrbcc_usdt_genargsr-bpf_module_create_c_from_stringattach_uprobes_trace_autoload)r/src_filehdr_filetextrScflags usdt_contexts allow_rlimitdeviceattach_usdt_ignore_pid cflags_arrayisr ctx_arrayusdt usdt_text usdt_contexts rr1z BPF.__init__s9"$H-#H-%X&& "$!   " $ %     c&k14 f%LDAqy|9L|AL ~~h/H~~h/H hT* #dyy{ #[[3}#558  / ;GAt;;t'7'7'9:IaL ;((C 4FG  () )499$:>**:FLHY:FP {{=AUXVW W) FL  ' '.D E F 9 # #s 5IIcg}tdtj|jD]C}tj|j|}|j |j ||E|S)zload_funcs(prog_type=KPROBE) Load all functions in this BPF module with the given type. Returns a list of the function handles.r)rangerbpf_num_functionsr6bpf_function_nameappend load_func)r/ prog_typefnsrj func_names r load_funcszBPF.load_funcssb q#// <= =A--dkk1=I JJt~~i; < = rct|}||jvr|j|Stj|j|st d|zd}|j tzrd}n|j tzrd}tj|j||tj|j|tj|j|tj|jtj|j|dd|| }|dkrtj|jt!j"t$j&k(r t dt)j*t!j"}t d|d|t,j/|||}||j|<|S)NUnknown program %srr"rz!Need super-user privileges to runzFailed to load BPF program : )rrTrbpf_function_startr6r-rSDEBUG_BPF_REGISTER_STATE DEBUG_BPF bcc_func_loadbpf_function_sizebpf_module_licensebpf_module_kern_versionrPrQ donothingr+r rEPERMr r rr") r/rxrvrg attach_type log_levelr!errstrfns rruz BPF.load_funcsn$Y/  "::i( (%%dkk9=09<= = JJ1 1Ijj9$I   t{{Iy&&t{{I>%%dkk9=&&t{{3++DKK84FK 9 6 OODNN +||~, CDD[[0F&01 1\\$ 2 . " 9 rc t|}tj|j|st d|ztj|j|}tj |j|}t j||S)zR Return the eBPF bytecodes for the specified function as a string r{)rrr}r6r-rr+ string_at)r/rxstartsizes r dump_funcz BPF.dump_funcsp%Y/ %%dkk9=09<= ='' Y?%%dkk9=||E4((rc<|j|}t||Sr)rr)r/rxbpfstrs rdisassemble_funczBPF.disassemble_func"s * 622rc~||}tj|j|j}t ||||S)N)sizeinfo)rbpf_table_type_idr6map_idr)r/ table_namer table_obj table_types r decode_tablezBPF.decode_table&s9$ **4;; 8H8HI *ihOOr_Boolcharwchar_tz unsigned charshortzunsigned shortintz unsigned intlongz unsigned longz long longzunsigned long longfloatdoublez long double__int128r"zunsigned __int128c t|trtj|Sg}g}|dD]}t |dk(r-|j |dtj |df?t |dk(r t|dtr6|j |dtj |d|ddzft|dtr1|j |dtj |d|dft|dtri|ddk(s|ddk(s|ddk(rQ|d}|dk(rd t |z}|j ||j |tj |fWtd t|ztd t|ztj}d }t |dkDrL|ddk(rtj}n3|ddk(rtj}n|ddk(rtj}d }|r(tt|d|ft|d| }|Stt|d|ft||}|S)Nrr"rrMunionstruct struct_packedrz__anon%dzFailed to decode type %sFT) _anonymous__pack_r)rr) isinstance basestringr str2ctyperVrt_decode_table_typelistrr-strr+ StructureUniontypedict)descanonfieldsrr<base is_packedrs rrzBPF._decode_table_type>sH dJ '==& &a EA1v{ qtS%;%;AaD%ABCQ1adD)MM1Q4)?)?!)E!Q)O"PQ!c*MM1Q4)?)?!)Eqt"LM!j1!(AaDI,=! 00Q4Drz)CI5 D)MM4)?)?)B"CD#$>Q$GHH :SV CDD' E(|| t9q=Aw("xxaI%||a,,|| s47|dWdtA/!"C  s47|dWdt/!"C rc t|}tj|j|}tj|j|}tj |j|t tfv}|dkrt|si|sgtj|j|jd}|std|ztjtj|}|sgtj |j|jd} | std|ztjtj| }t#|||||||S)Nrzutf-8z$Failed to load BPF Table %s key descz%Failed to load BPF Table %s leaf desc)reducer)rr bpf_table_idr6 bpf_table_fdrr rKeyErrorbpf_table_key_descdecoder-rrjsonloadsbpf_table_leaf_descr ) r/r<keytypeleaftyperrmap_fd is_queuestackkey_desc leaf_descs r get_tablez BPF.get_tablejs!%!!$++t4!!$++t4--dkk6BGY[mFnn A:N}--dkk4@GGPH F MNN,,TZZ-ABG// TBII'RI G$ NOO--djj.CDHT667HdGTTrcx||jvr|j||j|<|j|Sr)rUrr/keys r __getitem__zBPF.__getitem__}s4 dkk !#~~c2DKK {{3rc"||j|<yrrU)r/rleafs r __setitem__zBPF.__setitem__s Crc,t|jSr)rVrUr/s r__len__z BPF.__len__s4;;rc|j|=yrrrs r __delitem__zBPF.__delitem__s KK rc6|jjSr)rU__iter__rs rrz BPF.__iter__s{{##%%rct|tjs tdt j |j |||}|dkr/tdj|tj| y)N"arg 1 must be of type BPF.Functionrz7Failed to attach BPF function with attach_type {0}: {1}) rrr"r-rbpf_prog_attachr!formatr r )r attachable_fdrflagsr@s r attach_funczBPF.attach_funcsm"cll+@A A!!"%% UK 7''-vk2;;t;L'MO O rct|tjs tdt j |j ||}|dkr/tdj|tj| y)Nrrz7Failed to detach BPF function with attach_type {0}: {1}) rrr"r-rbpf_prog_detach2r!rr r )rrrr@s r detach_funczBPF.detach_funcsk"cll+@A A""255-E 7''-vk2;;t;L'MO O rct|}t|tjs t dt j |}|dkr8tjtj}t d|d|t j||j}|dkr8tjtj}t d|d|||_ y)NrrzFailed to open raw device r|Failed to attach BPF to device )rrrr"r-rbpf_open_raw_sockr r r+r bpf_attach_socketr!sock)rdevrrr@s rattach_raw_socketzBPF.attach_raw_socketss#"cll+@A A$$S) !8[[0F#vNO O##D"%%0 7[[0FF$% %rc<dtz} t|d5}t|Dcgc]#}|jj d%c}}ddddtz} t|d5}t|Dcgc]#}|jj d%c}}dddg} d} d} tdd5} | D]}|jj dd\} }| dk(r|dk(rd} 5| dk(r|d k(rd } B| dk(r|d k(rd} O|d k(rd } W| dk(r|d k(rd } d|jd rv|jds|jdr|jdrtjd|r| jdvstj||s|vs|vs| j|  dddt| Scc}w#1swYxYw#t $r5}|j t jk7r|tg}Yd}~d}~wwxYwcc}w#1swYxYw#t $r5}|j t jk7r|tg}Yd}~d}~wwxYw#1swYt| SxYw)Nz%s/kprobes/blacklistrCrz%%s/tracing/available_filter_functionsr/proc/kallsymsrMs __init_begins __init_endr"s__irqentry_text_starts__irqentry_text_ends _kbl_addr_s__perfsperf_s__SCT__s^.*.cold(.d+)?$)tw)DEBUGFSrYsetrstripr9IOErrorrr startswithrematchlower fullmatchrt)event_reblacklist_file blacklist_fline blacklisteavail_filter_fileavail_filter_f avail_filterrwin_init_sectionin_irq_section avail_filerrs rget_kprobe_functionszBPF.get_kprobe_functionss/'9 nd+ T{k Rd!4!4!6q!9 RS  TDgM #'. Z."#XDKKM$7$7$9!$<#XY  Z "D )1 #Z"0 #++---/!4B#a'_,*+ $)]**+"Q&55)* 55)* #q(33)* ==/]]9-x1H]]:.XX0"5GGI-2<<"3M)+l*JJrNa0 #1 #d3xK!S T T ww%++%BI $Y Z Z #ww%++%r7L #1 #d3xs G4 G'(G" G'G4" I. H:8(H5 H:'ICJJ0J5J:J"G''G1,G44 H2=*H--H25H::I?I J*JJJcVt|ztjkDr tdy)Nz/Number of open probes would exceed global quota)rrget_probe_limitr-)r/num_new_probess r_check_probe_quotazBPF._check_probe_quotas* n ,s/B/B/D DMN N Erctjjd}|r|jr t |St S)NBCC_PROBE_LIMIT)r r:getisdigitr_default_probe_limit)env_probe_limits rrzBPF.get_probe_limits4**..):; 668' '' 'rct||jvri|j|<||j||<tdz ayNrrEr)r/ev_namefn_namer!s r_add_kprobe_fdzBPF._add_kprobe_fd s: $// )')DOOG $,. )Arc6|j||=tdzayrr)r/rrs r_del_kprobe_fdzBPF._del_kprobe_fds OOG $W -Arc4||j|<tdz ayrrFr)r/r<r!s r_add_uprobe_fdzBPF._add_uprobe_fds "Arc0|j|=tdzayrrr/r<s r_del_uprobe_fdzBPF._del_uprobe_fds OOD !Arcx|jD]}|jd|zdk7s|cS|jdS)Ns%sbpfrDr)_syscall_prefixesksymname)r/prefixs rget_syscall_prefixzBPF.get_syscall_prefix$sE,, F}}X./25  %%a((rc>t|}|j|zSr)rrrs rget_syscall_fnnamezBPF.get_syscall_fnname-s %&&(4//rct|}|jD]2}|j|s|j|t |dcS|Sr)rrrr!rV)r/r<rs rfix_syscall_fnnamezBPF.fix_syscall_fnname4sR%,, CFv&..tCKL/ABB C rct|}t|}t|}|r~tj|}|jt |d}g}|D]} |j |||t |k(r!td|ddj|dy|jd|j|tj} d|jd d jd d z} tj| jd| ||d} | dkrtd|d|d|j| || |S#|dz }|j |Y xYw) NreventrrFailed to attach BPF program z to kprobe /K, it's not traceable (either non-existing, inlined, or marked as "notrace")p_+_.)rrrrrV attach_kprobertr-r)rurreplacerbpf_attach_kprober!r) r/r& event_offrrmatchesfailedprobesrrrr!s rr.zBPF.attach_kprobe;s` '"7+#H- ..x8G  # #CL 1FF ((&&T7&C ( W%!(#((6*:!<==  " ^^GSZZ 0%--d3;;D$GG  " "255!WeY J 6$e-. . GWb1 %(aKFMM$'s EE#ct|}t|}t|}|retj|}d}g}|D]} |j||||t |k(r!t d|ddj|dy|jd|j|tj} d|jd d jd d z} tj| jd| |d|} | dkrt d|d|d|j| || |S#|dz }|j |Y xYw) Nr)r&r maxactiverr'z to kretprobe r(r)r_r+r,r-)rrrattach_kretprobertrVr-r)rrurr/rr0r!r) r/r&rrr6r2r3r4rrrr!s rr8zBPF.attach_kretprobe]sU '"7+#H- ..x8GFF (())g4=*? (W%!(#((6*:!<==  " ^^GSZZ 0%--d3;;D$GG  " "255!WeQ J 6$e-. . GWb1 %(aKFMM$'s D//E ct|}t|j|j}|D]}|j ||yr)rrrEkeysdetach_kprobe_event_by_fn)r/rfn_namesrs rdetach_kprobe_eventzBPF.detach_kprobe_eventsG"7+05578 =G  * *7G < =rcxt|}t|}||jvrtd|ztj|j||}|dkr td|j ||t |j|dk(r&tj|}|dkr tdyy)NzKprobe %s is not attachedrzFailed to close kprobe FDz Failed to detach BPF from kprobe)rrEr-rbpf_close_perf_event_fdrrVbpf_detach_kprobe)r/rrr@s rr;zBPF.detach_kprobe_event_by_fns"7+"7+ $// )7'AB B))$//'*B7*KL 778 8 GW- tw' (A -''0CQw BCC .rct|}d|jddjddz}|rt|}|j||y|j|y)Nr*r+r,r-rr/r;r=r/r&rrs r detach_kprobezBPF.detach_kprobeY '%--d3;;D$GG &w/G  * *7G <  $ $W -rct|}d|jddjddz}|rt|}|j||y|j|y)Nr7r+r,r-rBrCs rdetach_kretprobezBPF.detach_kretproberErc`t|}t|tjs t dt j ||j|}|dkrXtj}|tjk(r t dtj|}t d|d|y)zt This function attaches a BPF function to a device on the device driver level (XDP) rrzMInternal error while attaching BPF to device, try increasing the debug level!rr|N)rrrr"r-rbpf_attach_xdpr!r+r rEBADMSGr r )rrrr@err_nors r attach_xdpzBPF.attach_xdps s#"cll+@A A  beeU3 7\\^F&!788V,"F!,-- rct|}tj|d|}|dkr8tjt j }td|d|y)zw This function removes any BPF function from a device on the device driver level (XDP) rDrz!Failed to detach BPF from device r|N)rrrIr r r+r r-)rrr@rs r remove_xdpzBPF.remove_xdpsY s#  b%0 7[[0F"F,- - rc @t|}t|}t}|dk(rdn|}tj|||xsd|t j dt j tt j|dkr-td|jd|j|j|z}t j |jtjj} tj|j| |fS)NrDrz&could not determine address of symbol z in )rrrbcc_resolve_symnamer+r,r-rr4r-rr7r6r8r9bcc_procutils_free) rr6symnamer=r0sym_offr?c_pidnew_addr module_paths r_check_path_symbolzBPF._check_path_symbols!&)"7+lBYC  " " G KC GGD"**%67 8 HHSM     &~~/BC C::'ggcjj"++6<<  szz*H$$rct|}tj|d}|sytj|tj j }tj||SNr)rrbcc_procutils_which_sor+r,r8r9rQ)libnamer@libpaths r find_libraryzBPF.find_librarysQ"7+((!4''#r{{+11 s#rcPg}tjjtd}tj|D]}tjj||}tjj |sCtj|D]}tjj||}tjj |sC|d|}t j|j|so|j|j|S)Nevents:) r r%r)TRACEFSlistdirisdirrrrrtr=)tp_reresults events_dircategorycat_dirr&evt_dirtps rget_tracepointszBPF.get_tracepointssWW\\'84  :. 4Hggll:x8G77==)G, 4'',,w677==)%-u5Bxx 3ryy{3  4 4rctjjtd||}tjj |S)Nr_)r r%r)rarc)rgr&ris rtracepoint_existszBPF.tracepoint_existss-'',,w(EBww}}W%%rct|}t|}t|}|r.tj|D]}|j||y|j |tj }|j d\}}tj|j||}|dkrtd|d|||j|<|S)aattach_tracepoint(tp="", tp_re="", fn_name="") Run the bpf function denoted by fn_name every time the kernel tracepoint specified by 'tp' is hit. The optional parameters pid, cpu, and group_fd can be used to filter the probe. The tracepoint specification is simply the tracepoint category and the tracepoint name, separated by a colon. For example: sched:sched_switch, syscalls:sys_enter_bind, etc. Instead of a tracepoint name, a regular expression can be provided in tp_re. The program will then attach to tracepoints that match the provided regular expression. To obtain a list of kernel tracepoints, use the tplist tool or cat the file /sys/kernel/debug/tracing/available_events. Examples: BPF(text).attach_tracepoint(tp="sched:sched_switch", fn_name="on_switch") BPF(text).attach_tracepoint(tp_re="sched:.*", fn_name="on_switch") rjrN:rr'z to tracepoint ) rrrkattach_tracepointrurQr9rbpf_attach_tracepointr!r-rG)r/rjrdrr tp_categorytp_namer!s rrqzBPF.attach_tracepoints*b ! '"7+ ))%0 ?&&"g&> ?  ^^GS^^ 4!#$g  & &ruuk7 C 6$b*+ +"$B rc(t|}||jvrtd|zt|}|j|tj }t j|j|}|dkr td||j|<|S)aattach_raw_tracepoint(self, tp=b"", fn_name=b"") Run the bpf function denoted by fn_name every time the kernel tracepoint specified by 'tp' is hit. The bpf function should be loaded as a RAW_TRACEPOINT type. The fn_name is the kernel tracepoint name, e.g., sched_switch, sys_enter_bind, etc. Examples: BPF(text).attach_raw_tracepoint(tp="sched_switch", fn_name="on_switch") z#Raw tracepoint %s has been attachedrz&Failed to attach BPF to raw tracepoint) rrHr-rurrrbpf_attach_raw_tracepointr!)r/rjrrr!s rattach_raw_tracepointzBPF.attach_raw_tracepointsb ! (( (ABFG G"7+ ^^GS%7%7 8  * *255" 5 6DE E&(# rct|}||jvrtd|ztj|j||j|=y)zdetach_raw_tracepoint(tp="") Stop running the bpf function that is attached to the kernel tracepoint specified by 'tp'. Example: bpf.detach_raw_tracepoint("sched_switch") z!Raw tracepoint %s is not attachedN)rrHr-r close)r/rjs rdetach_raw_tracepointzBPF.detach_raw_tracepoint6sRb ! T,, ,?"DE E ((,-  # #B 'rc2|j|s||z}|Sr)r)rr<s r add_prefixzBPF.add_prefixEsv&D=D rctjdk7rytjsytj ddk7ryy)Nx86_64Fbpf_trampoline_link_progrDT)platformmachinerbpf_has_kernel_btfrrrrr support_kfunczBPF.support_kfuncKs?     )%%' <<2 3r 9rc`tjsytjddk7ryy)NFs bpf_lsm_bpfrDT)rrrrrrr support_lsmzBPF.support_lsmWs(%%' << '2 -rct|}tjd|}||jvrt d|zt j |j||j|=y)Nkfunc__z$Kernel entry func %s is not attached)rrr|rIr-r ryr/rs r detach_kfunczBPF.detach_kfunc`s`"7+..W5 $.. .BWLM M %%g./   )rct|}tjd|}||jvrt d|zt j |j||j|=y)N kretfunc__z#Kernel exit func %s is not attached)rrr|rJr-r ryrs rdetach_kretfunczBPF.detach_kretfuncis`"7+..8 $-- -AGKL L $$W-.    (rc<t|}tjd|}||jvrt d|z|j |tj }tj|j}|dkr t d||j|<|S)Nrz&Kernel entry func %s has been attachedrz)Failed to attach BPF to entry kernel func) rrr|rIr-rurrbpf_attach_kfuncr!r/rrr!s r attach_kfunczBPF.attach_kfuncrs"7+..W5 d** *DwNO O ^^GS[[ 1  ! !"%% ( 6GH H(*W% rc<t|}tjd|}||jvrt d|z|j |tj }tj|j}|dkr t d||j|<|S)Nrz%Kernel exit func %s has been attachedrz(Failed to attach BPF to exit kernel func) rrr|rJr-rurrrr!rs rattach_kretfunczBPF.attach_kretfuncs"7+..8 d)) )CgMN N ^^GS[[ 1  ! !"%% ( 6FG G')G$ rct|}tjd|}||jvrt d|zt j |j||j|=y)Nlsm__zLSM %s is not attached)rrr|rKr-r ryrs r detach_lsmzBPF.detach_lsmsZ"7+..73 $,, &4w>? ? g&' LL !rc<t|}tjd|}||jvrt d|z|j |tj }tj|j}|dkr t d||j|<|S)NrzLSM %s has been attachedrzFailed to attach LSM) rrr|rKr-rurrbpf_attach_lsmr!rs r attach_lsmzBPF.attach_lsms"7+..73 dll "6@A A ^^GSWW -    & 623 3 " W rcftjddk7stjddk7ryy)Nbpf_find_raw_tracepointrDbpf_get_raw_tracepointTF)rrrrrsupport_raw_tracepointzBPF.support_raw_tracepoints. <<1 2b 8 <<0 1R 7rcd}t|5}|D]I}|jjdd\}}}|jdd}|dk(sAdddy dddy#1swYyxYw) Nr r" rbpf_trace_modulesTF)rYrr9)kallsymssymsr_r<s r support_raw_tracepoint_in_modulez$BPF.support_raw_tracepoint_in_modules$ (^ t #{{}223: Atzz$'*..        sAA'A'A''A0cZt|}t|}tj||Sr)rrkernel_struct_has_field) struct_name field_names rrzBPF.kernel_struct_has_fields)&{3 %j1 **; CCrcDt|}||jvrtd|ztj|j|}|dkr td|j d\}}tj ||}|dkr td|j|=y)zdetach_tracepoint(tp="") Stop running a bpf function that is attached to the kernel tracepoint specified by 'tp'. Example: bpf.detach_tracepoint("sched:sched_switch") zTracepoint %s is not attachedrz$Failed to detach BPF from tracepointrpN)rrGr-rr?r9bpf_detach_tracepoint)r/rjr@rsrts rdetach_tracepointzBPF.detach_tracepointsb ! T(( (;b@A A))$*=*=b*AB 7BC C!#$g'' W= 7BC C    #rc ^tj||||||||} | dkr td| S)Nrz"Failed to attach BPF to perf event)rbpf_attach_perf_eventr-) r/progfdev_type ev_config sample_period sample_freqr0cpugroup_fdr@s r_attach_perf_eventzBPF._attach_perf_events<''{Ch@ 7@A A rc >t|}|j|tj} i} |dk\r&|j | j |||||||| |<n4t D]'} |j | j |||||| || | <)| |j||f<yrY)rrurrrr!rrM) r/rrrrrr0rrrr@rjs rattach_perf_eventzBPF.attach_perf_events"7+ ^^GS^^ 4 !8..ruugy!;S(DCH%& F00%{CHFA F7:w 23rctj|tj||||d}|dkr t d|S)Nrz&Failed to attach BPF to perf raw event)rbpf_attach_perf_event_rawr+r4r-)r/rattrr0rrr@s r_attach_perf_event_rawzBPF._attach_perf_event_raws?++FBHHTNCXq" 7DE E rcZt|}|j|tj}i}|dk\r#|j |j ||||||<n1t D]$}|j |j ||||||<&||j|j|jf<yrY) rrurrrr!rrMrconfig) r/rrr0rrrr@rjs rattach_perf_event_rawzBPF.attach_perf_event_raws"7+ ^^GS^^ 4 !822255$h(CH%& *44RUUDQ*A *;>tyy$++67rc |j||f}d}|j D]}t j |xs|}|dk7r td|j||f=y#t$rtdj||wxYw)Nz)Perf event type {} config {} not attachedrz$Failed to detach BPF from perf event)rMrr-rvaluesrr?)r/rrfdsr@r!s rdetach_perf_eventzBPF.detach_perf_events %'')(<=C **, 9B--b18SC 9 !8BC C  ! !7I"6 7 %GNN$% % %s A##%Bcrttj||Dcgc]\}}| c}}Scc}}wrrr get_user_functions_and_addresses)r<sym_rers rget_user_functionszBPF.get_user_functions s<88vFHYdADHI IH 3 crttj||Dcgc]\}}| c}}Scc}}w)a We are returning addresses here instead of symbol names because it turns out that the same name may appear multiple times with different addresses, and the same address may appear multiple times with the same name. We can't attach a uprobe to the same address more than once, so it makes sense to return the unique set of addresses that are mapped to a symbol that matches the provided regular expression. r)r<rraddresss rget_user_addresseszBPF.get_user_addressess>88vFH GGHI IHrct|}tgfd}tj|t|}|dkrt d||fzS)Nc\|}tj|rj||fyrY)rrrt)sym_namer=dname addressesrs rsym_cbz4BPF.get_user_functions_and_addresses..sym_cb#s+Exx&  %/rrz"Error %d enumerating symbols in %s)rrbcc_foreach_function_symbolr r-)r<rrr@rs ` @rrz$BPF.get_user_functions_and_addressess\%!&)   --dL4HI 7@C;NO Orc|dk(r"d||jjd||fzSd||jjd|||fzS)NrDs %s_%s_0x%xr,s %s_%s_0x%x_%d) _probe_replsub)r/rr%r=r0s r_get_uprobe_evnamezBPF._get_uprobe_evname.sY "9 FD,<,<,@,@t,Ld#SS S$vt/?/?/C/CD$/OQUWZ&[[ [rct|dk\sJ| |dk(sJdt|}t|}t|}t|}|rMtj||}|jt ||D]} |j || ||ytj |||||\} }|jd|j|tj} |jd| ||} tj| jd| | ||} | dkr td|j| | |S)aattach_uprobe(name="", sym="", sym_re="", addr=None, fn_name="" pid=-1, sym_off=0) Run the bpf function denoted by fn_name every time the symbol sym in the library or binary 'name' is encountered. Optional parameters pid, cpu, and group_fd can be used to filter the probe. If sym_off is given, attach uprobe to offset within the symbol. The real address addr may be supplied in place of sym, in which case sym must be set to its default value. If the file is a non-PIE executable, addr must be a virtual address, otherwise it must be an offset relative to the file load address. Instead of a symbol name, a regular expression can be provided in sym_re. The uprobe will then attach to symbols that match the provided regular expression. Libraries can be given in the name argument without the lib prefix, or with the full path (/usr/lib/...). Binaries can be given only with the full path (/bin/sh). If a PID is given, the uprobe will attach to the version of the library used by the process. Example: BPF(text).attach_uprobe("c", "malloc") BPF(text).attach_uprobe("/usr/bin/python", "main") rNz!offset with addr is not supportedr<r=rr0rpzFailed to attach BPF to uprobe)rrrrrV attach_uproberWrurrrbpf_attach_uprober!r-r)r/r<r?rr=rr0rSrsym_addrr%rrr!s rrzBPF.attach_uprobe6sA:!||  a< D!D D<%s#!&)"7+ ..tV? ?##G, 7>? ? G$rct|}t|}tj|||||\}}|jd|||}|j |y)zdetach_uprobe(name="", sym="", addr=None, pid=-1) Stop running a bpf function that is attached to symbol 'sym' in library or binary 'name'. rNrrrWrr)r/r<r?r=r0rSr%rs r detach_uprobezBPF.detach_uprobesX %s#--dCsGL t))$dC@   )rct|}t|}tj||||\}}|jd|||}|j |y)zdetach_uretprobe(name="", sym="", addr=None, pid=-1) Stop running a bpf function that is attached to symbol 'sym' in library or binary 'name'. rNr)r/r<r?r=r0r%rs rdetach_uretprobezBPF.detach_uretprobesV %s#--dCsC t))$dC@   )rctdtj|jD]4}tj|j|}|j drP|j |tj}|j|j|dd|j|j drP|j |tj}|j|j|dd|j|j drg|j |tj}|jtddjdd }|j!||j ^|j d rW|j |tj"}|jtd d}|j%||j |j d r|j'| |j dr|j)| |j ds#|j+| 7y)Nrskprobe__r$r%s kretprobe__rs tracepoint__s__rprosraw_tracepoint__r)rrr)rqrrrr6rsrrurrr.r#r<r8rQrVr/rqrrwrrr)r/rjrxrrjs rr`zBPF._trace_autoloadsq#// <= 3A--dkk1=I##K0^^Iszz:""11)AB-@GG#%%%n5^^Iszz:%%11)BC.AGG&%%%o6^^Is~~>WWS123;;E4H&&"bgg&>%%&9:^^Is/A/ABWWS!4567**b"''*B%%j1!!)!4%%m4$$Y$7%%h/ 23 3rcN|jstdtzd|_|rt|jj}t j|tj }t j|tj |tjz|jS)zWtrace_open(nonblocking=False) Open the trace_pipe if not already open z %s/trace_piperC) rOrYrafilenofcntlF_GETFLF_SETFLr  O_NONBLOCK)r/ nonblockingr!fls r trace_openzBPF.trace_opensn ~~!/G";TBDN^^**,[[U]]3 B rBMM/AB~~rc |j|}|s|ry|jdr)|ddj}|dd}|jd} |d|j \}}}}|dd}||dzd}|jd} || d zd} |t |t ||t|| fS#t $r } Yd} ~ d} ~ wwxYw#t $r } Yd} ~ y d} ~ wwxYw) ztrace_fields(nonblocking=False) Read from the kernel debug trace pipe and return a tuple of the fields (task, pid, cpu, flags, timestamp, msg) or None if no line was read (nonblocking=True) )NNNNNNsCPU:Nr%rrprrDr")Unknownrrrgr)trace_readlinerlstripfindr9r-rr) r/rrtaskts_endr0rrtsrsym_endmsgs r trace_fieldszBPF.trace_fieldss&&{3DK w'9##%D9DYYt_F &*7Fm&9&9&;#S%a)C $DiioGw{|$C Dc#hC%rCHH   DC Ds$B6"C 6 C C  CCc|j|}d} |jdj}|S#t$rY|SwxYw)ztrace_readline(nonblocking=False) Read from the kernel debug trace pipe and return one line If nonblocking is False, this will block until ctrl-C is pressed. Nrw)rreadlinerr)r/rtracers rrzBPF.trace_readlinesS , >>$'..0D     s6 AAc |r%|jd}|s|j|}n|jd}t|tj j c)atrace_print(self, fmt=None) Read from the kernel debug trace pipe and print on stdout. If fmt is specified, apply as a format string to the output. See trace_fields for the members of the tuple example: trace_print(fmt="pid {1}, msg = {5}") F)r)rrrprintr'stdoutflush)r/fmtrrs r trace_printzBPF.trace_printsa**u*=x!szz6***u*= $K JJ   rc|dkr|dk7rd}|tjvrt|tj|<tj|S)z_sym_cache(pid) Returns a symbol cache for the specified PID. The kernel symbol cache is accessed by providing any PID less than zero. rrD)r _sym_cachesr()r0s r _sym_cachezBPF._sym_cache$sD 7sbyCcoo%#.s#3COOC s##rctt|}|jddk7rXt}t }|j |_|j |_|j|j_tjtjtj|tj|}|dkrf|jrS|jrGd|jtj |jtj"j$} } } nd|d} } } nz|j&|jtj |jtj"j$} } } n)tj)|j+||\} } } |r| d| znd} | xsd} | | z} |r$| "dt,j.j1| znd} | | zS) aysym(addr, pid, show_module=False, show_offset=False) Translate a memory address into a function name for a pid, which is returned. When show_module is True, the module name is also included. When show_offset is True, the instruction offset as a hexadecimal number is also included in the string. A pid of less than zero will access the kernel symbol cache. Example output when both show_module and show_offset are True: "start_thread+0x202 [libpthread-2.24.so]" Example output when both show_module and show_offset are False: "start_thread" bpf_stack_build_idrDrNs+0x%xrs [unknown]s [%s])rrrrrstatusbuild_idr7urbcc_buildsymcache_resolver _bsymcacher+r4r6r,r8r9r<rrBr r%basename) r=r0 show_module show_offsetr> typeofaddrr?br@r<r7r6s rr?zBPF.sym1s(d_ ??/ 0B 6 #%'![[!(}}!*{{!##*--cnn.0hhqk.0hhsm=#1Wzzcjj$(#** BKK8>>!6d'+D$FFd$'HHcjj$&GGCJJ $D$J$J!&D"%!4! 1 is set in open_perf_buffer N)r+r[rVrLrWrrperf_reader_consume)r/r!rjr"s rperf_buffer_consumezBPF.perf_buffer_consumesd;;T%6%6!77:d//6689 DAqGAJ  G g6rc&|j|y)zMkprobe_poll(self) Deprecated. Use perf_buffer_poll instead. N)r#r/r s r kprobe_pollzBPF.kprobe_polls g&rc|js4tj||||_|js tdytj|j|||}|dkr tdy)NzCould not open ring bufferr)rNrbpf_new_ringbufr-bpf_add_ringbuf)r/rrctxrets r_open_ring_bufferzBPF._open_ring_buffersr$$$'$7$7C$HD !(( <==)%%d&;&;VRMCQw <==rcr|js tdtj|j|y)zring_buffer_poll(self) Poll from all open ringbuf buffers, calling the callback that was provided when calling open_ring_buffer for each entry. No ring buffers to pollN)rNr-rbpf_poll_ringbufr(s rring_buffer_pollzBPF.ring_buffer_polls/ $$56 6 T22G>?s25 AAAcy)zthe do nothing exit handlerNrrs rrz BPF.donothingsrct|jjD]1\}}tj|j |j|=3|j r'tj|j d|_yy)zvclose(self) Closes all associated files descriptors. Attached BPF programs are not detached. N) rrTrr ryr!r6rbpf_module_destroy)r/r<rs rryz BPF.closesk TZZ--/0 !HD" HHRUUO 4  ! ;;  " "4;; /DK rcPt|jjD]\}}|j|t|jjD]\}}|j |t|j jD]\}}|j|t|jjD]\}}|j|t|jjD]\}}|j|t|jjD]\}}|j|t|jjD]\}}|j|t|j j#}|D]-}t%|j |t&s!|j |=/t|j(j#D]\}}|j+|||j,r!|j,j/d|_|j/|j0r't3j4|j0d|_yyr)rrErr=rFrrGrrHrzrIrrJrrKrrUr:rr rMrrOryrNrbpf_free_ringbuf)r/kr" table_keysrrrs rrRz BPF.cleanupsA..01 (DAq  $ $Q ' (..01 (DAq  $ $Q ' (,,2245 &DAq  " "1 % &006689 *DAq  & &q ) *--3356 !DAq   a  !,,2245 $DAq   # $++-. DAq OOA  $++**,-  %C$++c*N;KK$ %%))>)>)C)C)E$F 7 Wi  " "7I 6 7 >> NN "!DN    !6!6 7$(D ! !rc|Srrrs r __enter__z BPF.__enter__s rc$|jyr)rR)r/exc_typeexc_valexc_tbs r__exit__z BPF.__exit__s  r)NrD)F)NNN)r)rrrr)rrrrr)rrr)rr)r)rDrDrrrrDrDrD)rDrrDrDrD)rDrD)rrrNrrDr)rrrNrrD)rrNrDr)rrNrD)FFT)FF)rD)rHrIrJrrrrrrQrrrrrrrrrrrrrrrrrrrrrrrXDP_FLAGS_UPDATE_IF_NOEXISTrXDP_FLAGS_SKB_MODErXDP_FLAGS_DRV_MODErXDP_FLAGS_HW_MODErXDP_FLAGS_REPLACErcompilerrrbcc_buildsymcache_newrrrr r+rrCDLL_librt clock_gettimerc_intr-argtypes classmethodrrr objectr" staticmethodr0rAr1ryrurrrc_boolc_charc_wcharc_ubytec_shortc_ushortc_uintrc_ulong c_longlongrEc_floatc_double c_longdoublec_int64c_uint64rrrrrrrrrrrrrrrrrrrr!r#r.r8r=r;rDrGrLrNrWr]rkrmrqrwrzr|rrrrrrrrrrrrrrrrrrrrrrrrrrr`rrrrrr?rrrrrr#r&r)r/r3r6r9r=rryrRrFrKrrrrrs, --M   F%%I%%I''J //C''J''J))K   F!!G##H##H   F--M   F //N"33!!G //C''K!!H!!H   F))L"*"<"<!**!** (( (("**-.KK***,J Vn ), '6 NOC2<<CRWW\T 2F))N!xxH)=>N * *   E6   8!$cARd4#(N`$* @ )3P ")) BJJ "**  "**  2;;     "** bmm r~~ "** 2;;  RZZ!^!" bkkAo#I&))VU&   &OOOO  IIVO ((  )0 D D= D..--& - -%%$  &&$L0 (   *)  "   DD $*CFEG : > 8II I I  \AE)*7rDH@ % * *38 !DF & $ $..` B B;;$$( = 7'>= 7%??* !)Frr)D __future__rrPctypesr+rrr rrr'rlibbccrrrrr tabler r r r rperfrutilsrrrrrversionr disassemblerrrrmrrr NameErrorrr rr rr%r)raexists DEBUG_LLVM_IRrDEBUG_PREPROCESSOR DEBUG_SOURCEr~ DEBUG_BTFrYr(rLrVrersrrrrrrrrrws3&  ]]YYVV 6%  '',,w * ww~~g#G      )&)V    8  0((TP&P}Js2D))D32D3