feat(ebpf): support Aya framework. (#1070)

* feat(ebpf): support Aya framework.

1. fix the rbpf bug
2. use new Aya template
3. add kprobe related device files and attributes to sysfs

---
Signed-off-by: chenlinfeng <[email protected]>

kernel/crates/rbpf/src/interpreter.rs

@@ -660,9 +660,9 @@ pub fn execute_program(
                             // Save the callee saved registers
                             pre_stack.save_registers(&reg[6..=9]);
                             // Save the return address
-                            pre_stack.save_return_address(insn_ptr as u16);
+                            pre_stack.save_return_address(insn_ptr as u64);
                             // save the stack pointer
-                            pre_stack.save_sp(reg[10] as u16);
+                            pre_stack.save_sp(reg[10]);
                             let mut stack = StackFrame::new();
                             log::trace!("BPF TO BPF CALL: new pc: {} + {} = {}",insn_ptr ,insn.imm,insn_ptr + insn.imm as usize);
                             reg[10] = stack.as_ptr() as u64 + stack.len() as u64;
@@ -695,7 +695,7 @@ pub fn execute_program(
                     // Restore the return address
                     insn_ptr = stack.get_return_address() as usize;
                     // Restore the stack pointer
-                    reg[10] = stack.get_sp() as u64;
+                    reg[10] = stack.get_sp();
                     log::trace!("EXIT: new pc: {}", insn_ptr);
                 }
             }

kernel/crates/rbpf/src/stack.rs

@@ -1,9 +1,9 @@
 use crate::{ebpf::STACK_SIZE, vec, Vec};
 
 pub struct StackFrame {
-    return_address: u16,
+    return_address: u64,
     saved_registers: [u64; 4],
-    sp: u16,
+    sp: u64,
     frame: Vec<u8>,
 }
 
@@ -54,22 +54,22 @@ impl StackFrame {
     }
 
     /// Save the return address
-    pub fn save_return_address(&mut self, address: u16) {
+    pub fn save_return_address(&mut self, address: u64) {
         self.return_address = address;
     }
 
     /// Get the return address
-    pub fn get_return_address(&self) -> u16 {
+    pub fn get_return_address(&self) -> u64 {
         self.return_address
     }
 
     /// Save the stack pointer
-    pub fn save_sp(&mut self, sp: u16) {
+    pub fn save_sp(&mut self, sp: u64) {
         self.sp = sp;
     }
 
     /// Get the stack pointer
-    pub fn get_sp(&self) -> u16 {
+    pub fn get_sp(&self) -> u64 {
         self.sp
     }
 }

kernel/src/arch/x86_64/mm/fault.rs

@@ -267,9 +267,10 @@ impl X86_64MMArch {
                         });
                 } else {
                     log::error!(
-                        "No mapped vma, error_code: {:#b}, address: {:#x}",
+                        "No mapped vma, error_code: {:#b}, address: {:#x}, flags: {:?}",
                         error_code,
                         address.data(),
+                        flags
                     );
                     let pid = ProcessManager::current_pid();
                     let mut info =

kernel/src/bpf/helper/consts.rs

@@ -1,6 +1,7 @@
 pub const HELPER_MAP_LOOKUP_ELEM: u32 = 1;
 pub const HELPER_MAP_UPDATE_ELEM: u32 = 2;
 pub const HELPER_MAP_DELETE_ELEM: u32 = 3;
+pub const HELPER_KTIME_GET_NS: u32 = 5;
 pub const HELPER_MAP_FOR_EACH_ELEM: u32 = 164;
 pub const HELPER_MAP_LOOKUP_PERCPU_ELEM: u32 = 195;
 pub const HELPER_PERF_EVENT_OUTPUT: u32 = 25;

kernel/src/bpf/helper/mod.rs

@@ -6,6 +6,7 @@ use crate::bpf::map::{BpfCallBackFn, BpfMap};
 use crate::include::bindings::linux_bpf::BPF_F_CURRENT_CPU;
 use crate::libs::lazy_init::Lazy;
 use crate::smp::core::smp_get_processor_id;
+use crate::time::Instant;
 use alloc::{collections::BTreeMap, sync::Arc};
 use core::ffi::c_void;
 use system_error::SystemError;
@@ -300,6 +301,10 @@ pub fn map_peek_elem(map: &Arc<BpfMap>, value: &mut [u8]) -> Result<()> {
     value
 }
 
+pub fn bpf_ktime_get_ns() -> u64 {
+    (Instant::now().total_micros() * 1000) as u64
+}
+
 pub static BPF_HELPER_FUN_SET: Lazy<BTreeMap<u32, RawBPFHelperFn>> = Lazy::new();
 
 /// Initialize the helper functions.
@@ -311,6 +316,7 @@ pub fn init_helper_functions() {
         map.insert(HELPER_MAP_LOOKUP_ELEM, define_func!(raw_map_lookup_elem));
         map.insert(HELPER_MAP_UPDATE_ELEM, define_func!(raw_map_update_elem));
         map.insert(HELPER_MAP_DELETE_ELEM, define_func!(raw_map_delete_elem));
+        map.insert(HELPER_KTIME_GET_NS, define_func!(bpf_ktime_get_ns));
         map.insert(
             HELPER_MAP_FOR_EACH_ELEM,
             define_func!(raw_map_for_each_elem),

kernel/src/bpf/mod.rs

@@ -33,7 +33,7 @@ pub fn bpf(cmd: bpf_cmd, attr: &bpf_attr) -> Result<usize> {
         // Program related commands
         bpf_cmd::BPF_PROG_LOAD => prog::bpf_prog_load(attr),
         // Object creation commands
-        bpf_cmd::BPF_BTF_LOAD => {
+        bpf_cmd::BPF_BTF_LOAD | bpf_cmd::BPF_LINK_CREATE | bpf_cmd::BPF_OBJ_GET_INFO_BY_FD => {
             error!("bpf cmd {:?} not implemented", cmd);
             return Err(SystemError::ENOSYS);
         }

kernel/src/driver/base/device/mod.rs

@@ -310,6 +310,7 @@ pub enum DeviceType {
     PlatformDev,
     Char,
     Pci,
+    Other,
 }
 
 /// @brief: 设备标识符类型

kernel/src/driver/base/init.rs

@@ -21,7 +21,6 @@ pub fn driver_init() -> Result<(), SystemError> {
     platform_bus_init()?;
     serio_bus_init()?;
     CpuDeviceManager::init()?;
-
     // 至此，已完成设备驱动模型的初始化
     return Ok(());
 }

kernel/src/filesystem/procfs/mod.rs

@@ -394,7 +394,31 @@ impl ProcFS {
         } else {
             panic!("create ksmg error");
         }
-
+        // 这个文件是用来欺骗Aya框架识别内核版本
+        /* On Ubuntu LINUX_VERSION_CODE doesn't correspond to info.release,
+         * but Ubuntu provides /proc/version_signature file, as described at
+         * https://ubuntu.com/kernel, with an example contents below, which we
+         * can use to get a proper LINUX_VERSION_CODE.
+         *
+         *   Ubuntu 5.4.0-12.15-generic 5.4.8
+         *
+         * In the above, 5.4.8 is what kernel is actually expecting, while
+         * uname() call will return 5.4.0 in info.release.
+         */
+        let binding = inode.create("version_signature", FileType::File, ModeType::S_IRUGO);
+        if let Ok(version_signature) = binding {
+            let version_signature = version_signature
+                .as_any_ref()
+                .downcast_ref::<LockedProcFSInode>()
+                .unwrap();
+            version_signature.0.lock().fdata.ftype = ProcFileType::Default;
+            version_signature.0.lock().data = "DragonOS 6.0.0-generic 6.0.0\n"
+                .to_string()
+                .as_bytes()
+                .to_vec();
+        } else {
+            panic!("create version_signature error");
+        }
         return result;
     }
 
@@ -466,6 +490,7 @@ impl IndexNode for LockedProcFSInode {
         let file_size = match inode.fdata.ftype {
             ProcFileType::ProcStatus => inode.open_status(&mut private_data)?,
             ProcFileType::ProcMeminfo => inode.open_meminfo(&mut private_data)?,
+            ProcFileType::Default => inode.data.len() as i64,
             _ => {
                 todo!()
             }

kernel/src/misc/events/kprobe/device.rs

@@ -0,0 +1,189 @@
+use crate::driver::base::class::Class;
+use crate::driver::base::device::bus::Bus;
+use crate::driver::base::device::driver::Driver;
+use crate::driver::base::device::{Device, DeviceCommonData, DeviceType, IdTable};
+use crate::driver::base::kobject::{
+    KObjType, KObject, KObjectCommonData, KObjectState, LockedKObjectState,
+};
+use crate::driver::base::kset::KSet;
+use crate::filesystem::kernfs::KernFSInode;
+use crate::filesystem::sysfs::{Attribute, SysFSOpsSupport};
+use crate::filesystem::vfs::syscall::ModeType;
+use crate::libs::rwlock::{RwLockReadGuard, RwLockWriteGuard};
+use crate::libs::spinlock::{SpinLock, SpinLockGuard};
+use alloc::string::{String, ToString};
+use alloc::sync::{Arc, Weak};
+use core::fmt::Debug;
+use system_error::SystemError;
+
+#[derive(Debug)]
+#[cast_to([sync] Device)]
+pub struct KprobeDevice {
+    inner: SpinLock<InnerKprobeDevice>,
+    kobj_state: LockedKObjectState,
+    name: String,
+}
+
+#[derive(Debug)]
+struct InnerKprobeDevice {
+    kobject_common: KObjectCommonData,
+    device_common: DeviceCommonData,
+}
+
+impl KprobeDevice {
+    pub fn new(parent: Option<Weak<dyn KObject>>) -> Arc<Self> {
+        let bus_device = Self {
+            inner: SpinLock::new(InnerKprobeDevice {
+                kobject_common: KObjectCommonData::default(),
+                device_common: DeviceCommonData::default(),
+            }),
+            kobj_state: LockedKObjectState::new(None),
+            name: "kprobe".to_string(),
+        };
+        bus_device.set_parent(parent);
+        return Arc::new(bus_device);
+    }
+
+    fn inner(&self) -> SpinLockGuard<InnerKprobeDevice> {
+        self.inner.lock()
+    }
+}
+
+impl KObject for KprobeDevice {
+    fn as_any_ref(&self) -> &dyn core::any::Any {
+        self
+    }
+
+    fn set_inode(&self, inode: Option<Arc<KernFSInode>>) {
+        self.inner().kobject_common.kern_inode = inode;
+    }
+
+    fn inode(&self) -> Option<Arc<KernFSInode>> {
+        self.inner().kobject_common.kern_inode.clone()
+    }
+
+    fn parent(&self) -> Option<Weak<dyn KObject>> {
+        self.inner().kobject_common.parent.clone()
+    }
+
+    fn set_parent(&self, parent: Option<Weak<dyn KObject>>) {
+        self.inner().kobject_common.parent = parent;
+    }
+
+    fn kset(&self) -> Option<Arc<KSet>> {
+        self.inner().kobject_common.kset.clone()
+    }
+
+    fn set_kset(&self, kset: Option<Arc<KSet>>) {
+        self.inner().kobject_common.kset = kset;
+    }
+
+    fn kobj_type(&self) -> Option<&'static dyn KObjType> {
+        self.inner().kobject_common.kobj_type
+    }
+
+    fn set_kobj_type(&self, ktype: Option<&'static dyn KObjType>) {
+        self.inner().kobject_common.kobj_type = ktype;
+    }
+
+    fn name(&self) -> String {
+        self.name.clone()
+    }
+
+    fn set_name(&self, _name: String) {}
+
+    fn kobj_state(&self) -> RwLockReadGuard<KObjectState> {
+        self.kobj_state.read()
+    }
+
+    fn kobj_state_mut(&self) -> RwLockWriteGuard<KObjectState> {
+        self.kobj_state.write()
+    }
+
+    fn set_kobj_state(&self, state: KObjectState) {
+        *self.kobj_state.write() = state;
+    }
+}
+
+impl Device for KprobeDevice {
+    #[inline]
+    #[allow(dead_code)]
+    fn dev_type(&self) -> DeviceType {
+        return DeviceType::Other;
+    }
+
+    #[inline]
+    fn id_table(&self) -> IdTable {
+        IdTable::new("kprobe".to_string(), None)
+    }
+
+    fn bus(&self) -> Option<Weak<dyn Bus>> {
+        self.inner().device_common.bus.clone()
+    }
+
+    fn set_bus(&self, bus: Option<Weak<dyn Bus>>) {
+        self.inner().device_common.bus = bus;
+    }
+
+    fn set_class(&self, class: Option<Weak<dyn Class>>) {
+        self.inner().device_common.class = class;
+    }
+
+    fn driver(&self) -> Option<Arc<dyn Driver>> {
+        self.inner().device_common.driver.clone()?.upgrade()
+    }
+
+    fn set_driver(&self, driver: Option<Weak<dyn Driver>>) {
+        self.inner().device_common.driver = driver;
+    }
+
+    #[inline]
+    fn is_dead(&self) -> bool {
+        false
+    }
+
+    fn can_match(&self) -> bool {
+        todo!()
+    }
+
+    fn set_can_match(&self, _can_match: bool) {
+        todo!()
+    }
+
+    fn state_synced(&self) -> bool {
+        todo!()
+    }
+
+    fn dev_parent(&self) -> Option<Weak<dyn Device>> {
+        self.inner().device_common.get_parent_weak_or_clear()
+    }
+
+    fn set_dev_parent(&self, dev_parent: Option<Weak<dyn Device>>) {
+        self.inner().device_common.parent = dev_parent;
+    }
+}
+
+#[derive(Debug)]
+pub struct KprobeAttr;
+
+impl Attribute for KprobeAttr {
+    fn name(&self) -> &str {
+        "type"
+    }
+
+    fn mode(&self) -> ModeType {
+        ModeType::S_IRUGO
+    }
+
+    fn support(&self) -> SysFSOpsSupport {
+        SysFSOpsSupport::ATTR_SHOW
+    }
+    fn show(&self, _kobj: Arc<dyn KObject>, buf: &mut [u8]) -> Result<usize, SystemError> {
+        if buf.is_empty() {
+            return Err(SystemError::EINVAL);
+        }
+        // perf_type_id::PERF_TYPE_MAX
+        buf[0] = b'6';
+        Ok(1)
+    }
+}

kernel/src/misc/events/kprobe/mod.rs

@@ -0,0 +1,31 @@
+use crate::driver::base::device::bus::Bus;
+use crate::driver::base::device::{device_manager, device_register, sys_devices_kset, Device};
+use crate::driver::base::kobject::KObject;
+use crate::init::initcall::INITCALL_DEVICE;
+use crate::misc::events::get_event_source_bus;
+use crate::misc::events::kprobe::device::{KprobeAttr, KprobeDevice};
+use alloc::sync::Arc;
+use system_error::SystemError;
+use unified_init::macros::unified_init;
+
+pub mod device;
+static mut KPROBE_DEVICE: Option<Arc<KprobeDevice>> = None;
+
+#[unified_init(INITCALL_DEVICE)]
+pub fn kprobe_subsys_init() -> Result<(), SystemError> {
+    let kprobe_device = KprobeDevice::new(Some(Arc::downgrade(
+        &(sys_devices_kset() as Arc<dyn KObject>),
+    )));
+
+    let event_source_bus = get_event_source_bus().ok_or(SystemError::EINVAL)?;
+    kprobe_device.set_bus(Some(Arc::downgrade(&(event_source_bus as Arc<dyn Bus>))));
+
+    // 注册到/sys/devices下
+    device_register(kprobe_device.clone())?;
+    unsafe {
+        KPROBE_DEVICE = Some(kprobe_device.clone());
+    }
+
+    device_manager().create_file(&(kprobe_device as Arc<dyn Device>), &KprobeAttr)?;
+    Ok(())
+}

kernel/src/misc/events/mod.rs

@@ -0,0 +1,28 @@
+use crate::driver::base::device::bus::{bus_register, Bus};
+use crate::init::initcall::INITCALL_SUBSYS;
+use crate::misc::events::subsys::EventSourceBus;
+use alloc::sync::Arc;
+use system_error::SystemError;
+use unified_init::macros::unified_init;
+
+mod kprobe;
+mod subsys;
+
+static mut EVENT_SOURCE_BUS: Option<Arc<EventSourceBus>> = None;
+
+fn get_event_source_bus() -> Option<Arc<EventSourceBus>> {
+    unsafe { EVENT_SOURCE_BUS.clone() }
+}
+
+#[unified_init(INITCALL_SUBSYS)]
+pub fn init_event_source_bus() -> Result<(), SystemError> {
+    let event_source_bus = EventSourceBus::new();
+    let r = bus_register(event_source_bus.clone() as Arc<dyn Bus>);
+    if r.is_err() {
+        unsafe { EVENT_SOURCE_BUS = None };
+        return r;
+    }
+    unsafe { EVENT_SOURCE_BUS = Some(event_source_bus.clone()) };
+    // kprobe::kprobe_subsys_init()?;
+    Ok(())
+}

kernel/src/misc/events/subsys.rs

@@ -0,0 +1,52 @@
+use crate::driver::base::device::bus::Bus;
+use crate::driver::base::device::Device;
+use crate::driver::base::subsys::SubSysPrivate;
+use alloc::string::{String, ToString};
+use alloc::sync::{Arc, Weak};
+use system_error::SystemError;
+
+#[derive(Debug)]
+pub struct EventSourceBus {
+    private: SubSysPrivate,
+}
+
+impl EventSourceBus {
+    pub fn new() -> Arc<Self> {
+        let w: Weak<Self> = Weak::new();
+        let private = SubSysPrivate::new("event_source".to_string(), Some(w), None, &[]);
+        let bus = Arc::new(Self { private });
+        bus.subsystem()
+            .set_bus(Some(Arc::downgrade(&(bus.clone() as Arc<dyn Bus>))));
+        return bus;
+    }
+}
+
+impl Bus for EventSourceBus {
+    fn name(&self) -> String {
+        "event_source".to_string()
+    }
+
+    fn dev_name(&self) -> String {
+        self.name()
+    }
+
+    fn root_device(&self) -> Option<Weak<dyn Device>> {
+        None
+    }
+
+    fn remove(&self, _device: &Arc<dyn Device>) -> Result<(), SystemError> {
+        todo!()
+    }
+
+    fn shutdown(&self, _device: &Arc<dyn Device>) {
+        todo!()
+    }
+
+    fn resume(&self, _device: &Arc<dyn Device>) -> Result<(), SystemError> {
+        todo!()
+    }
+
+    fn subsystem(&self) -> &SubSysPrivate {
+        &self.private
+    }
+}

kernel/src/misc/mod.rs

@@ -1 +1,2 @@
+pub mod events;
 pub mod ksysfs;

kernel/src/perf/bpf.rs

@@ -79,54 +79,28 @@ impl RingPage {
         }
     }
 
+    #[inline]
     fn can_write(&self, data_size: usize, data_tail: usize, data_head: usize) -> bool {
-        if (data_head + 1) % self.data_region_size == data_tail {
-            // The buffer is full
-            return false;
-        }
-        let capacity = if data_head >= data_tail {
-            self.data_region_size - data_head + data_tail
-        } else {
-            data_tail - data_head
-        };
+        let capacity = self.data_region_size - data_head + data_tail;
         data_size <= capacity
     }
 
     pub fn write_event(&mut self, data: &[u8]) -> Result<()> {
         let data_tail = unsafe { &mut (*(self.ptr as *mut perf_event_mmap_page)).data_tail };
         let data_head = unsafe { &mut (*(self.ptr as *mut perf_event_mmap_page)).data_head };
-        // data_tail..data_head is the region that can be written
-        // check if there is enough space to write the event
-        let sample_size = PerfSample::calculate_size(data.len());
 
-        let can_write_sample =
-            self.can_write(sample_size, *data_tail as usize, *data_head as usize);
-        // log::error!(
-        //     "can_write_sample: {}, data_tail: {}, data_head: {}, data.len(): {}, region_size: {}",
-        //     can_write_sample,
-        //     *data_tail,
-        //     *data_head,
-        //     data.len(),
-        //     self.data_region_size
-        // );
-        if !can_write_sample {
-            //we need record it to the lost record
-            self.lost += 1;
-            // log::error!(
-            //     "Lost record: {}, data_tail: {}, data_head: {}",
-            //     self.lost,
-            //     *data_tail,
-            //     *data_head
-            // );
-            Ok(())
-        } else {
-            // we can write the sample to the page
-            // If the lost record is not zero, we need to write the lost record first.
+        // user lib will update the tail after read the data,but it will not % data_region_size
+        let perf_header_size = size_of::<perf_event_header>();
+        let can_write_perf_header =
+            self.can_write(perf_header_size, *data_tail as usize, *data_head as usize);
+
+        if can_write_perf_header {
             let can_write_lost_record = self.can_write(
                 size_of::<LostSamples>(),
                 *data_tail as usize,
                 *data_head as usize,
             );
+            // if there is lost record, we need to write the lost record first
             if self.lost > 0 && can_write_lost_record {
                 let new_data_head = self.write_lost(*data_head as usize)?;
                 *data_head = new_data_head as u64;
@@ -137,8 +111,21 @@ impl RingPage {
                 //     *data_head
                 // );
                 self.lost = 0;
-                self.write_event(data)
-            } else {
+                // try to write the event again
+                return self.write_event(data);
+            }
+            let sample_size = PerfSample::calculate_size(data.len());
+            let can_write_sample =
+                self.can_write(sample_size, *data_tail as usize, *data_head as usize);
+            // log::error!(
+            //     "can_write_sample: {}, data_tail: {}, data_head: {}, data.len(): {}, region_size: {}",
+            //     can_write_sample,
+            //     *data_tail,
+            //     *data_head,
+            //     data.len(),
+            //     self.data_region_size
+            // );
+            if can_write_sample {
                 let new_data_head = self.write_sample(data, *data_head as usize)?;
                 *data_head = new_data_head as u64;
                 // log::info!(
@@ -146,20 +133,24 @@ impl RingPage {
                 //     *data_tail,
                 //     *data_head
                 // );
-                Ok(())
+            } else {
+                self.lost += 1;
             }
+        } else {
+            self.lost += 1;
         }
+        Ok(())
     }
 
     /// Write any data to the page.
     ///
     /// Return the new data_head
-    fn write_any(&mut self, data: &[u8], data_head: usize) -> Result<usize> {
+    fn write_any(&mut self, data: &[u8], data_head: usize) -> Result<()> {
         let data_region_len = self.data_region_size;
         let data_region = self.as_mut_slice()[PAGE_SIZE..].as_mut();
         let data_len = data.len();
+        let start = data_head % data_region_len;
         let end = (data_head + data_len) % data_region_len;
-        let start = data_head;
         if start < end {
             data_region[start..end].copy_from_slice(data);
         } else {
@@ -167,40 +158,57 @@ impl RingPage {
             data_region[start..start + first_len].copy_from_slice(&data[..first_len]);
             data_region[0..end].copy_from_slice(&data[first_len..]);
         }
-        Ok(end)
+        Ok(())
+    }
+    #[inline]
+    fn fill_size(&self, data_head_mod: usize) -> usize {
+        if self.data_region_size - data_head_mod < size_of::<perf_event_header>() {
+            // The remaining space is not enough to write the perf_event_header
+            // We need to fill the remaining space with 0
+            self.data_region_size - data_head_mod
+        } else {
+            0
+        }
     }
 
     /// Write a sample to the page.
     fn write_sample(&mut self, data: &[u8], data_head: usize) -> Result<usize> {
+        let sample_size = PerfSample::calculate_size(data.len());
+        let maybe_end = (data_head + sample_size) % self.data_region_size;
+        let fill_size = self.fill_size(maybe_end);
         let perf_sample = PerfSample {
             s_hdr: SampleHeader {
                 header: perf_event_header {
                     type_: perf_event_type::PERF_RECORD_SAMPLE as u32,
                     misc: 0,
-                    size: size_of::<SampleHeader>() as u16 + data.len() as u16,
+                    size: size_of::<SampleHeader>() as u16 + data.len() as u16 + fill_size as u16,
                 },
                 size: data.len() as u32,
             },
             value: data,
         };
-        let new_head = self.write_any(perf_sample.s_hdr.as_bytes(), data_head)?;
-        self.write_any(perf_sample.value, new_head)
+        self.write_any(perf_sample.s_hdr.as_bytes(), data_head)?;
+        self.write_any(perf_sample.value, data_head + size_of::<SampleHeader>())?;
+        Ok(data_head + sample_size + fill_size)
     }
 
     /// Write a lost record to the page.
     ///
     /// Return the new data_head
     fn write_lost(&mut self, data_head: usize) -> Result<usize> {
+        let maybe_end = (data_head + size_of::<LostSamples>()) % self.data_region_size;
+        let fill_size = self.fill_size(maybe_end);
         let lost = LostSamples {
             header: perf_event_header {
                 type_: perf_event_type::PERF_RECORD_LOST as u32,
                 misc: 0,
-                size: size_of::<LostSamples>() as u16,
+                size: size_of::<LostSamples>() as u16 + fill_size as u16,
             },
             id: 0,
             count: self.lost as u64,
         };
-        self.write_any(lost.as_bytes(), data_head)
+        self.write_any(lost.as_bytes(), data_head)?;
+        Ok(data_head + size_of::<LostSamples>() + fill_size)
     }
 
     pub fn readable(&self) -> bool {

kernel/src/perf/kprobe.rs

@@ -39,8 +39,10 @@ impl KprobePerfEvent {
             .downcast_arc::<BpfProg>()
             .ok_or(SystemError::EINVAL)?;
         let prog_slice = file.insns();
-        let mut vm =
-            EbpfVmRawOwned::new(Some(prog_slice.to_vec())).map_err(|_| SystemError::EINVAL)?;
+        let mut vm = EbpfVmRawOwned::new(Some(prog_slice.to_vec())).map_err(|e| {
+            log::error!("create ebpf vm failed: {:?}", e);
+            SystemError::EINVAL
+        })?;
         vm.register_helper_set(BPF_HELPER_FUN_SET.get())
             .map_err(|_| SystemError::EINVAL)?;
         // create a callback to execute the ebpf prog
@@ -75,10 +77,10 @@ impl CallBackFunc for KprobePerfCallBack {
                 size_of::<KProbeContext>(),
             )
         };
-        let _res = self
-            .vm
-            .execute_program(probe_context)
-            .map_err(|_| SystemError::EINVAL);
+        let res = self.vm.execute_program(probe_context);
+        if res.is_err() {
+            log::error!("kprobe callback error: {:?}", res);
+        }
     }
 }
 

kernel/src/syscall/mod.rs

@@ -1216,6 +1216,7 @@ impl Syscall {
                 let flags = args[4] as u32;
                 Self::sys_perf_event_open(attr, pid, cpu, group_fd, flags)
             }
+            SYS_SETRLIMIT => Ok(0),
             _ => panic!("Unsupported syscall ID: {}", syscall_num),
         };
 

user/apps/test_ebpf/syscall_ebpf/.gitignore → user/apps/syscall_ebpf/.gitignore

@@ -7,3 +7,4 @@ target/
 
 # These are backup files generated by rustfmt
 **/*.rs.bk
+/install/

user/apps/syscall_ebpf/Cargo.toml

@@ -0,0 +1,31 @@
+[workspace]
+resolver = "2"
+members = ["syscall_ebpf", "syscall_ebpf-common", "syscall_ebpf-ebpf"]
+default-members = ["syscall_ebpf", "syscall_ebpf-common"]
+
+[workspace.dependencies]
+aya = { version = "0.13.0", default-features = false }
+aya-ebpf = { version = "0.1.1", default-features = false }
+aya-log = { version = "0.2.1", default-features = false }
+aya-log-ebpf = { version = "0.1.1", default-features = false }
+anyhow = { version = "1", default-features = false }
+cargo_metadata = { version = "0.18.0", default-features = false }
+# `std` feature is currently required to build `clap`.
+#
+# See https://github.com/clap-rs/clap/blob/61f5ee5/clap_builder/src/lib.rs#L15.
+clap = { version = "4.5.20", default-features = false, features = ["std"] }
+env_logger = { version = "0.11.5", default-features = false }
+libc = { version = "0.2.159", default-features = false }
+log = { version = "0.4.22", default-features = false }
+tokio = { version = "1.40.0", default-features = false }
+which = { version = "6.0.0", default-features = false }
+
+[profile.dev]
+panic = "abort"
+
+[profile.release]
+panic = "abort"
+
+[profile.release.package.syscall_ebpf-ebpf]
+debug = 2
+codegen-units = 1

user/apps/test_ebpf/Makefile → user/apps/syscall_ebpf/Makefile

@@ -21,10 +21,10 @@ endif
 run:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) run --target $(RUST_TARGET)
 
-build:build-ebpf
+build:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) build --target $(RUST_TARGET)
 
-clean:clean-ebpf
+clean:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) clean --target $(RUST_TARGET)
 
 test:
@@ -42,20 +42,16 @@ fmt-check:
 run-release:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) run --target $(RUST_TARGET) --release
 
-build-release:build-ebpf
+build-release:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) build --target $(RUST_TARGET) --release
 
-clean-release:clean-ebpf
+clean-release:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) clean --target $(RUST_TARGET) --release
 
 test-release:
 	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) test --target $(RUST_TARGET) --release
 
-build-ebpf:
-	cd ./syscall_ebpf && RUST_LOG=debug cargo xtask build --release
-clean-ebpf:
-	cd ./syscall_ebpf && cargo clean
 
 .PHONY: install
-install:build-ebpf
-	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) install --target $(RUST_TARGET) --path . --no-track --root $(INSTALL_DIR) --force
+install:
+	RUSTFLAGS=$(RUSTFLAGS) cargo $(TOOLCHAIN) install --target $(RUST_TARGET) --path ./syscall_ebpf --no-track --root $(INSTALL_DIR) --force

user/apps/syscall_ebpf/README.md

@@ -0,0 +1,33 @@
+# syscall_ebpf
+
+## Prerequisites
+
+1. stable rust toolchains: `rustup toolchain install stable`
+1. nightly rust toolchains: `rustup toolchain install nightly --component rust-src`
+1. (if cross-compiling) rustup target: `rustup target add ${ARCH}-unknown-linux-musl`
+1. (if cross-compiling) LLVM: (e.g.) `brew install llvm` (on macOS)
+1. (if cross-compiling) C toolchain: (e.g.) [`brew install filosottile/musl-cross/musl-cross`](https://github.com/FiloSottile/homebrew-musl-cross) (on macOS)
+1. bpf-linker: `cargo install bpf-linker` (`--no-default-features` on macOS)
+
+## Build & Run
+
+Use `cargo build`, `cargo check`, etc. as normal. Run your program with:
+
+```shell
+cargo run --release --config 'target."cfg(all())".runner="sudo -E"'
+```
+
+Cargo build scripts are used to automatically build the eBPF correctly and include it in the
+program.
+
+## Cross-compiling on macOS
+
+Cross compilation should work on both Intel and Apple Silicon Macs.
+
+```shell
+CC=${ARCH}-linux-musl-gcc cargo build --package syscall_ebpf --release \
+  --target=${ARCH}-unknown-linux-musl \
+  --config=target.${ARCH}-unknown-linux-musl.linker=\"${ARCH}-linux-musl-gcc\"
+```
+The cross-compiled program `target/${ARCH}-unknown-linux-musl/release/syscall_ebpf` can be
+copied to a Linux server or VM and run there.

user/apps/syscall_ebpf/rustfmt.toml

@@ -0,0 +1,4 @@
+group_imports = "StdExternalCrate"
+imports_granularity = "Crate"
+reorder_imports = true
+unstable_features = true

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-common/Cargo.toml → user/apps/syscall_ebpf/syscall_ebpf-common/Cargo.toml

@@ -8,7 +8,7 @@ default = []
 user = ["aya"]
 
 [dependencies]
-aya = { git = "https://git.mirrors.dragonos.org.cn/DragonOS-Community/tiny-aya.git", rev = "0689f13", optional = true }
+aya = { workspace = true, optional = true }
 
 [lib]
 path = "src/lib.rs"

user/apps/syscall_ebpf/syscall_ebpf-ebpf/.cargo/config.toml

@@ -0,0 +1,12 @@
+# We have this so that one doesn't need to manually pass
+# --target=bpfel-unknown-none -Z build-std=core when running cargo
+# check/build/doc etc.
+#
+# NB: this file gets loaded only if you run cargo from this directory, it's
+# ignored if you run from the workspace root. See
+# https://doc.rust-lang.org/cargo/reference/config.html#hierarchical-structure
+[build]
+target = ["bpfeb-unknown-none", "bpfel-unknown-none"]
+
+[unstable]
+build-std = ["core"]

user/apps/syscall_ebpf/syscall_ebpf-ebpf/Cargo.toml

@@ -0,0 +1,17 @@
+[package]
+name = "syscall_ebpf-ebpf"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+syscall_ebpf-common = { path = "../syscall_ebpf-common" }
+
+aya-ebpf = { workspace = true }
+aya-log-ebpf = { workspace = true }
+
+[build-dependencies]
+which = { workspace = true }
+
+[[bin]]
+name = "syscall_ebpf"
+path = "src/main.rs"

user/apps/syscall_ebpf/syscall_ebpf-ebpf/build.rs

@@ -0,0 +1,17 @@
+use which::which;
+
+/// Building this crate has an undeclared dependency on the `bpf-linker` binary. This would be
+/// better expressed by [artifact-dependencies][bindeps] but issues such as
+/// https://github.com/rust-lang/cargo/issues/12385 make their use impractical for the time being.
+///
+/// This file implements an imperfect solution: it causes cargo to rebuild the crate whenever the
+/// mtime of `which bpf-linker` changes. Note that possibility that a new bpf-linker is added to
+/// $PATH ahead of the one used as the cache key still exists. Solving this in the general case
+/// would require rebuild-if-changed-env=PATH *and* rebuild-if-changed={every-directory-in-PATH}
+/// which would likely mean far too much cache invalidation.
+///
+/// [bindeps]: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html?highlight=feature#artifact-dependencies
+fn main() {
+    let bpf_linker = which("bpf-linker").unwrap();
+    println!("cargo:rerun-if-changed={}", bpf_linker.to_str().unwrap());
+}

user/apps/syscall_ebpf/syscall_ebpf-ebpf/rust-toolchain.toml

@@ -0,0 +1,3 @@
+[toolchain]
+channel = "nightly"
+components = ["rust-src"]

user/apps/syscall_ebpf/syscall_ebpf-ebpf/src/lib.rs

@@ -0,0 +1,3 @@
+#![no_std]
+
+// This file exists to enable the library target.

user/apps/syscall_ebpf/syscall_ebpf-ebpf/src/main.rs

@@ -0,0 +1,50 @@
+#![no_std]
+#![no_main]
+
+use aya_ebpf::{
+    helpers::bpf_ktime_get_ns,
+    macros::{kprobe, map},
+    maps::HashMap,
+    programs::ProbeContext,
+};
+use aya_log_ebpf::info;
+
+#[kprobe]
+pub fn syscall_ebpf(ctx: ProbeContext) -> u32 {
+    try_syscall_ebpf(ctx).unwrap_or_else(|ret| ret)
+}
+
+fn try_syscall_ebpf(ctx: ProbeContext) -> Result<u32, u32> {
+    let pt_regs = unsafe { &*ctx.regs };
+    // first arg -> rdi
+    // second arg -> rsi
+    // third arg -> rdx
+    // four arg -> rcx
+    let syscall_num = pt_regs.rsi as usize;
+    if syscall_num != 1 {
+        unsafe {
+            if let Some(v) = SYSCALL_LIST.get(&(syscall_num as u32)) {
+                let new_v = *v + 1;
+                SYSCALL_LIST
+                    .insert(&(syscall_num as u32), &new_v, 0)
+                    .unwrap();
+            } else {
+                SYSCALL_LIST.insert(&(syscall_num as u32), &1, 0).unwrap();
+            }
+        }
+        let time = unsafe { bpf_ktime_get_ns() };
+        info!(&ctx, "[{}] invoke syscall {}", time, syscall_num);
+    }
+    Ok(0)
+}
+
+#[map]
+static SYSCALL_LIST: HashMap<u32, u32> = HashMap::<u32, u32>::with_max_entries(1024, 0);
+
+#[cfg(not(test))]
+#[panic_handler]
+fn panic(_info: &core::panic::PanicInfo) -> ! {
+    // we need use this because the verifier will forbid loop
+    unsafe { core::hint::unreachable_unchecked() }
+    // loop{}
+}

user/apps/syscall_ebpf/syscall_ebpf/Cargo.toml

@@ -0,0 +1,35 @@
+[package]
+name = "syscall_ebpf"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+syscall_ebpf-common = { path = "../syscall_ebpf-common", features = ["user"] }
+
+anyhow = { workspace = true, default-features = true }
+aya = { workspace = true }
+aya-log = { workspace = true }
+env_logger = { workspace = true }
+libc = { workspace = true }
+log = { workspace = true }
+tokio = { workspace = true, features = ["macros", "rt", "rt-multi-thread", "net", "signal", "time"] }
+
+[build-dependencies]
+cargo_metadata = { workspace = true }
+# TODO(https://github.com/rust-lang/cargo/issues/12375): this should be an artifact dependency, but
+# it's not possible to tell cargo to use `-Z build-std` to build it. We cargo-in-cargo in the build
+# script to build this, but we want to teach cargo about the dependecy so that cache invalidation
+# works properly.
+#
+# Note also that https://github.com/rust-lang/cargo/issues/10593 occurs when `target = ...` is added
+# to an artifact dependency; it seems possible to work around that by setting `resolver = "1"` in
+# Cargo.toml in the workspace root.
+#
+# Finally note that *any* usage of `artifact = ...` in *any* Cargo.toml in the workspace breaks
+# workflows with stable cargo; stable cargo outright refuses to load manifests that use unstable
+# features.
+syscall_ebpf-ebpf = { path = "../syscall_ebpf-ebpf" }
+
+[[bin]]
+name = "syscall_ebpf"
+path = "src/main.rs"

user/apps/syscall_ebpf/syscall_ebpf/build.rs

@@ -0,0 +1,150 @@
+use std::{
+    env, fs,
+    io::{BufRead as _, BufReader},
+    path::PathBuf,
+    process::{Child, Command, Stdio},
+};
+
+use cargo_metadata::{
+    Artifact, CompilerMessage, Message, Metadata, MetadataCommand, Package, Target,
+};
+
+/// This crate has a runtime dependency on artifacts produced by the `syscall_ebpf-ebpf` crate.
+/// This would be better expressed as one or more [artifact-dependencies][bindeps] but issues such
+/// as:
+///
+/// * https://github.com/rust-lang/cargo/issues/12374
+/// * https://github.com/rust-lang/cargo/issues/12375
+/// * https://github.com/rust-lang/cargo/issues/12385
+///
+/// prevent their use for the time being.
+///
+/// [bindeps]: https://doc.rust-lang.org/nightly/cargo/reference/unstable.html?highlight=feature#artifact-dependencies
+fn main() {
+    let Metadata { packages, .. } = MetadataCommand::new().no_deps().exec().unwrap();
+    let ebpf_package = packages
+        .into_iter()
+        .find(|Package { name, .. }| name == "syscall_ebpf-ebpf")
+        .unwrap();
+
+    let out_dir = env::var_os("OUT_DIR").unwrap();
+    let out_dir = PathBuf::from(out_dir);
+
+    let endian = env::var_os("CARGO_CFG_TARGET_ENDIAN").unwrap();
+    let target = if endian == "big" {
+        "bpfeb"
+    } else if endian == "little" {
+        "bpfel"
+    } else {
+        panic!("unsupported endian={:?}", endian)
+    };
+
+    // TODO(https://github.com/rust-lang/cargo/issues/4001): Make this `false` if we can determine
+    // we're in a check build.
+    let build_ebpf = true;
+    if build_ebpf {
+        let arch = env::var_os("CARGO_CFG_TARGET_ARCH").unwrap();
+
+        let target = format!("{target}-unknown-none");
+
+        let Package { manifest_path, .. } = ebpf_package;
+        let ebpf_dir = manifest_path.parent().unwrap();
+
+        // We have a build-dependency on `syscall_ebpf-ebpf`, so cargo will automatically rebuild us
+        // if `syscall_ebpf-ebpf`'s *library* target or any of its dependencies change. Since we
+        // depend on `syscall_ebpf-ebpf`'s *binary* targets, that only gets us half of the way. This
+        // stanza ensures cargo will rebuild us on changes to the binaries too, which gets us the
+        // rest of the way.
+        println!("cargo:rerun-if-changed={}", ebpf_dir.as_str());
+
+        let mut cmd = Command::new("cargo");
+        cmd.args([
+            "build",
+            "-Z",
+            "build-std=core",
+            "--bins",
+            "--message-format=json",
+            "--release",
+            "--target",
+            &target,
+        ]);
+
+        cmd.env("CARGO_CFG_BPF_TARGET_ARCH", arch);
+
+        // Workaround to make sure that the rust-toolchain.toml is respected.
+        for key in ["RUSTUP_TOOLCHAIN", "RUSTC", "RUSTC_WORKSPACE_WRAPPER"] {
+            cmd.env_remove(key);
+        }
+        cmd.current_dir(ebpf_dir);
+
+        // Workaround for https://github.com/rust-lang/cargo/issues/6412 where cargo flocks itself.
+        let ebpf_target_dir = out_dir.join("../syscall_ebpf-ebpf");
+        cmd.arg("--target-dir").arg(&ebpf_target_dir);
+
+        let mut child = cmd
+            .stdout(Stdio::piped())
+            .stderr(Stdio::piped())
+            .spawn()
+            .unwrap_or_else(|err| panic!("failed to spawn {cmd:?}: {err}"));
+        let Child { stdout, stderr, .. } = &mut child;
+
+        // Trampoline stdout to cargo warnings.
+        let stderr = stderr.take().unwrap();
+        let stderr = BufReader::new(stderr);
+        let stderr = std::thread::spawn(move || {
+            for line in stderr.lines() {
+                let line = line.unwrap();
+                println!("cargo:warning={line}");
+            }
+        });
+
+        let stdout = stdout.take().unwrap();
+        let stdout = BufReader::new(stdout);
+        let mut executables = Vec::new();
+        for message in Message::parse_stream(stdout) {
+            #[allow(clippy::collapsible_match)]
+            match message.expect("valid JSON") {
+                Message::CompilerArtifact(Artifact {
+                    executable,
+                    target: Target { name, .. },
+                    ..
+                }) => {
+                    if let Some(executable) = executable {
+                        executables.push((name, executable.into_std_path_buf()));
+                    }
+                }
+                Message::CompilerMessage(CompilerMessage { message, .. }) => {
+                    for line in message.rendered.unwrap_or_default().split('\n') {
+                        println!("cargo:warning={line}");
+                    }
+                }
+                Message::TextLine(line) => {
+                    println!("cargo:warning={line}");
+                }
+                _ => {}
+            }
+        }
+
+        let status = child
+            .wait()
+            .unwrap_or_else(|err| panic!("failed to wait for {cmd:?}: {err}"));
+        assert_eq!(status.code(), Some(0), "{cmd:?} failed: {status:?}");
+
+        stderr.join().map_err(std::panic::resume_unwind).unwrap();
+
+        for (name, binary) in executables {
+            let dst = out_dir.join(name);
+            let _: u64 = fs::copy(&binary, &dst)
+                .unwrap_or_else(|err| panic!("failed to copy {binary:?} to {dst:?}: {err}"));
+        }
+    } else {
+        let Package { targets, .. } = ebpf_package;
+        for Target { name, kind, .. } in targets {
+            if *kind != ["bin"] {
+                continue;
+            }
+            let dst = out_dir.join(name);
+            fs::write(&dst, []).unwrap_or_else(|err| panic!("failed to create {dst:?}: {err}"));
+        }
+    }
+}

user/apps/syscall_ebpf/syscall_ebpf/src/main.rs

@@ -0,0 +1,74 @@
+use aya::{maps::HashMap, programs::KProbe};
+#[rustfmt::skip]
+use log::{debug, warn};
+use tokio::{signal, task::yield_now, time};
+
+extern crate libc;
+
+#[tokio::main(flavor = "current_thread")]
+async fn main() -> anyhow::Result<()> {
+    // env_logger::init();
+    env_logger::builder()
+        .filter_level(log::LevelFilter::Warn)
+        .format_timestamp(None)
+        .init();
+
+    // Bump the memlock rlimit. This is needed for older kernels that don't use the
+    // new memcg based accounting, see https://lwn.net/Articles/837122/
+    let rlim = libc::rlimit {
+        rlim_cur: libc::RLIM_INFINITY,
+        rlim_max: libc::RLIM_INFINITY,
+    };
+    let ret = unsafe { libc::setrlimit(libc::RLIMIT_MEMLOCK, &rlim) };
+    if ret != 0 {
+        debug!("remove limit on locked memory failed, ret is: {}", ret);
+    }
+
+    // This will include your eBPF object file as raw bytes at compile-time and load it at
+    // runtime. This approach is recommended for most real-world use cases. If you would
+    // like to specify the eBPF program at runtime rather than at compile-time, you can
+    // reach for `Bpf::load_file` instead.
+    let mut ebpf = aya::Ebpf::load(aya::include_bytes_aligned!(concat!(
+        env!("OUT_DIR"),
+        "/syscall_ebpf"
+    )))?;
+    if let Err(e) = aya_log::EbpfLogger::init(&mut ebpf) {
+        // This can happen if you remove all log statements from your eBPF program.
+        warn!("failed to initialize eBPF logger: {}", e);
+    }
+
+    let program: &mut KProbe = ebpf.program_mut("syscall_ebpf").unwrap().try_into()?;
+    program.load()?;
+    program.attach("dragonos_kernel::syscall::Syscall::handle", 0)?;
+    // println!("attacch the kprobe to dragonos_kernel::syscall::Syscall::handle");
+
+    // print the value of the blocklist per 5 seconds
+    tokio::spawn(async move {
+        let blocklist: HashMap<_, u32, u32> =
+            HashMap::try_from(ebpf.map("SYSCALL_LIST").unwrap()).unwrap();
+        let mut now = time::Instant::now();
+        loop {
+            let new_now = time::Instant::now();
+            let duration = new_now.duration_since(now);
+            if duration.as_secs() >= 5 {
+                println!("------------SYSCALL_LIST----------------");
+                let iter = blocklist.iter();
+                for item in iter {
+                    if let Ok((key, value)) = item {
+                        println!("syscall: {:?}, count: {:?}", key, value);
+                    }
+                }
+                println!("----------------------------------------");
+                now = new_now;
+            }
+            yield_now().await;
+        }
+    });
+
+    let ctrl_c = signal::ctrl_c();
+    println!("Waiting for Ctrl-C...");
+    ctrl_c.await?;
+    println!("Exiting...");
+
+    Ok(())
+}

user/apps/test_ebpf/.gitignore

@@ -1,3 +0,0 @@
-/target
-Cargo.lock
-/install/

user/apps/test_ebpf/Cargo.toml

@@ -1,16 +0,0 @@
-[package]
-name = "test_ebpf"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-aya = { git = "https://git.mirrors.dragonos.org.cn/DragonOS-Community/tiny-aya.git", rev = "0689f13" }
-aya-log = { git = "https://git.mirrors.dragonos.org.cn/DragonOS-Community/tiny-aya.git", rev = "0689f13" }
-
-log = "0.4.22"
-env_logger = "0.11.5"
-tokio = { version = "1.25", features = ["macros", "rt", "rt-multi-thread", "net", "signal", "time"] }
-
-[profile.release]
-lto = true
-strip = true

user/apps/test_ebpf/src/main.rs

@@ -1,60 +0,0 @@
-use aya::maps::HashMap;
-use aya::programs::KProbe;
-use aya::{include_bytes_aligned, Ebpf};
-use aya_log::EbpfLogger;
-use log::{info, warn};
-use std::error::Error;
-use tokio::task::yield_now;
-use tokio::{signal, time};
-
-#[tokio::main(flavor = "current_thread")]
-async fn main() -> Result<(), Box<dyn Error>> {
-    env_logger::builder()
-        .filter_level(log::LevelFilter::Warn)
-        .format_timestamp(None)
-        .init();
-
-    let mut bpf = Ebpf::load(include_bytes_aligned!(
-        "../syscall_ebpf/target/bpfel-unknown-none/release/syscall_ebpf"
-    ))?;
-
-    // create a async task to read the log
-    if let Err(e) = EbpfLogger::init(&mut bpf) {
-        // This can happen if you remove all log statements from your eBPF program.
-        warn!("failed to initialize eBPF logger: {}", e);
-    }
-
-    let program: &mut KProbe = bpf.program_mut("syscall_ebpf").unwrap().try_into()?;
-    program.load()?;
-    program.attach("dragonos_kernel::syscall::Syscall::handle", 0)?;
-
-    info!("attacch the kprobe to dragonos_kernel::syscall::Syscall::handle");
-
-    // print the value of the blocklist per 5 seconds
-    tokio::spawn(async move {
-        let blocklist: HashMap<_, u32, u32> =
-            HashMap::try_from(bpf.map("SYSCALL_LIST").unwrap()).unwrap();
-        let mut now = time::Instant::now();
-        loop {
-            let new_now = time::Instant::now();
-            let duration = new_now.duration_since(now);
-            if duration.as_secs() >= 5 {
-                println!("------------SYSCALL_LIST----------------");
-                let iter = blocklist.iter();
-                for item in iter {
-                    if let Ok((key, value)) = item {
-                        println!("syscall: {:?}, count: {:?}", key, value);
-                    }
-                }
-                println!("----------------------------------------");
-                now = new_now;
-            }
-            yield_now().await;
-        }
-    });
-
-    info!("Waiting for Ctrl-C...");
-    signal::ctrl_c().await?;
-    info!("Exiting...");
-    Ok(())
-}

user/apps/test_ebpf/syscall_ebpf/.cargo/config.toml

@@ -1,2 +0,0 @@
-[alias]
-xtask = "run --package xtask --"

user/apps/test_ebpf/syscall_ebpf/.vscode/settings.json

@@ -1,3 +0,0 @@
-{
-  "rust-analyzer.linkedProjects": ["Cargo.toml", "syscall_ebpf-ebpf/Cargo.toml"]
-}

user/apps/test_ebpf/syscall_ebpf/Cargo.toml

@@ -1,3 +0,0 @@
-[workspace]
-resolver = "2"
-members = ["xtask", "syscall_ebpf-common"]

user/apps/test_ebpf/syscall_ebpf/README.md

@@ -1,32 +0,0 @@
-# syscall_ebpf
-
-## Prerequisites
-
-1. Install bpf-linker: `cargo install bpf-linker`
-
-## Build eBPF
-
-```bash
-cargo xtask build-ebpf
-```
-
-To perform a release build you can use the `--release` flag.
-You may also change the target architecture with the `--target` flag.
-
-## Build Userspace
-
-```bash
-cargo build
-```
-
-## Build eBPF and Userspace
-
-```bash
-cargo xtask build
-```
-
-## Run
-
-```bash
-RUST_LOG=info cargo xtask run
-```

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/.cargo/config.toml

@@ -1,6 +0,0 @@
-[build]
-target-dir = "../target"
-target = "bpfel-unknown-none"
-
-[unstable]
-build-std = ["core"]

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/.helix/config.toml

@@ -1,2 +0,0 @@
-[editor]
-workspace-lsp-roots = []

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/.vim/coc-settings.json

@@ -1,4 +0,0 @@
-{
-    "rust-analyzer.cargo.target": "bpfel-unknown-none",
-    "rust-analyzer.checkOnSave.allTargets": false
-}

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/.vscode/settings.json

@@ -1,4 +0,0 @@
-{
-    "rust-analyzer.cargo.target": "bpfel-unknown-none",
-    "rust-analyzer.checkOnSave.allTargets": false
-}

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/Cargo.toml

@@ -1,33 +0,0 @@
-[package]
-name = "syscall_ebpf-ebpf"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-aya-ebpf = { git = "https://git.mirrors.dragonos.org.cn/DragonOS-Community/aya.git", rev = "3d57d35" }
-aya-log-ebpf = { git = "https://git.mirrors.dragonos.org.cn/DragonOS-Community/aya.git", rev = "3d57d35" }
-
-syscall_ebpf-common = { path = "../syscall_ebpf-common" }
-
-[[bin]]
-name = "syscall_ebpf"
-path = "src/main.rs"
-
-[profile.dev]
-opt-level = 3
-debug = false
-debug-assertions = false
-overflow-checks = false
-lto = true
-panic = "abort"
-incremental = false
-codegen-units = 1
-rpath = false
-
-[profile.release]
-lto = true
-panic = "abort"
-codegen-units = 1
-
-[workspace]
-members = []

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/rust-toolchain.toml

@@ -1,13 +0,0 @@
-[toolchain]
-channel = "nightly-2024-11-05"
-# The source code of rustc, provided by the rust-src component, is needed for
-# building eBPF programs.
-components = [
-    "cargo",
-    "clippy",
-    "rust-docs",
-    "rust-src",
-    "rust-std",
-    "rustc",
-    "rustfmt",
-]

user/apps/test_ebpf/syscall_ebpf/syscall_ebpf-ebpf/src/main.rs

@@ -1,44 +0,0 @@
-#![no_std]
-#![no_main]
-
-use aya_ebpf::{macros::kprobe, programs::ProbeContext};
-use aya_ebpf::macros::map;
-use aya_ebpf::maps::HashMap;
-use aya_log_ebpf::info;
-
-#[kprobe]
-pub fn syscall_ebpf(ctx: ProbeContext) -> u32 {
-    try_syscall_ebpf(ctx).unwrap_or_else(|ret| ret)
-}
-
-fn try_syscall_ebpf(ctx: ProbeContext) -> Result<u32, u32> {
-    let pt_regs = unsafe {
-        &*ctx.regs
-    };
-    // first arg -> rdi
-    // second arg -> rsi
-    // third arg -> rdx
-    // four arg -> rcx
-    let syscall_num  = pt_regs.rsi as usize;
-    if syscall_num != 1 {
-        unsafe {
-            if let Some(v) = SYSCALL_LIST.get(&(syscall_num as u32)){
-                let new_v = *v + 1;
-                SYSCALL_LIST.insert(&(syscall_num as u32), &new_v,0).unwrap();
-            }else {
-                SYSCALL_LIST.insert(&(syscall_num as u32), &1,0).unwrap();
-            }
-        }
-        info!(&ctx, "invoke syscall {}", syscall_num);
-    }
-    Ok(0)
-}
-
-#[map] //
-static SYSCALL_LIST: HashMap<u32, u32> =
-    HashMap::<u32, u32>::with_max_entries(1024, 0);
-
-#[panic_handler]
-fn panic(_info: &core::panic::PanicInfo) -> ! {
-    unsafe { core::hint::unreachable_unchecked() }
-}

user/apps/test_ebpf/syscall_ebpf/xtask/Cargo.toml

@@ -1,8 +0,0 @@
-[package]
-name = "xtask"
-version = "0.1.0"
-edition = "2021"
-
-[dependencies]
-anyhow = "1"
-clap = { version = "4.1", features = ["derive"] }

user/apps/test_ebpf/syscall_ebpf/xtask/src/build.rs

@@ -1,42 +0,0 @@
-use std::process::Command;
-
-use anyhow::Context as _;
-use clap::Parser;
-
-use crate::build_ebpf::{build_ebpf, Architecture, Options as BuildOptions};
-
-#[derive(Debug, Parser)]
-pub struct Options {
-    /// Set the endianness of the BPF target
-    #[clap(default_value = "bpfel-unknown-none", long)]
-    pub bpf_target: Architecture,
-    /// Build and run the release target
-    #[clap(long)]
-    pub release: bool,
-}
-
-/// Build the project
-fn build_project(opts: &Options) -> Result<(), anyhow::Error> {
-    let mut args = vec!["build"];
-    if opts.release {
-        args.push("--release")
-    }
-    let status = Command::new("cargo")
-        .args(&args)
-        .status()
-        .expect("failed to build userspace");
-    assert!(status.success());
-    Ok(())
-}
-
-/// Build our ebpf program and the project
-pub fn build(opts: Options) -> Result<(), anyhow::Error> {
-    // build our ebpf program followed by our application
-    build_ebpf(BuildOptions {
-        target: opts.bpf_target,
-        release: opts.release,
-    })
-    .context("Error while building eBPF program")?;
-    build_project(&opts).context("Error while building userspace application")?;
-    Ok(())
-}

user/apps/test_ebpf/syscall_ebpf/xtask/src/build_ebpf.rs

@@ -1,67 +0,0 @@
-use std::{path::PathBuf, process::Command};
-
-use clap::Parser;
-
-#[derive(Debug, Copy, Clone)]
-pub enum Architecture {
-    BpfEl,
-    BpfEb,
-}
-
-impl std::str::FromStr for Architecture {
-    type Err = String;
-
-    fn from_str(s: &str) -> Result<Self, Self::Err> {
-        Ok(match s {
-            "bpfel-unknown-none" => Architecture::BpfEl,
-            "bpfeb-unknown-none" => Architecture::BpfEb,
-            _ => return Err("invalid target".to_owned()),
-        })
-    }
-}
-
-impl std::fmt::Display for Architecture {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        f.write_str(match self {
-            Architecture::BpfEl => "bpfel-unknown-none",
-            Architecture::BpfEb => "bpfeb-unknown-none",
-        })
-    }
-}
-
-#[derive(Debug, Parser)]
-pub struct Options {
-    /// Set the endianness of the BPF target
-    #[clap(default_value = "bpfel-unknown-none", long)]
-    pub target: Architecture,
-    /// Build the release target
-    #[clap(long)]
-    pub release: bool,
-}
-
-pub fn build_ebpf(opts: Options) -> Result<(), anyhow::Error> {
-    let dir = PathBuf::from("syscall_ebpf-ebpf");
-    let target = format!("--target={}", opts.target);
-    let mut args = vec![
-        "build",
-        target.as_str(),
-        "-Z",
-        "build-std=core",
-    ];
-    if opts.release {
-        args.push("--release")
-    }
-
-    // Command::new creates a child process which inherits all env variables. This means env
-    // vars set by the cargo xtask command are also inherited. RUSTUP_TOOLCHAIN is removed
-    // so the rust-toolchain.toml file in the -ebpf folder is honored.
-
-    let status = Command::new("cargo")
-        .current_dir(dir)
-        .env_remove("RUSTUP_TOOLCHAIN")
-        .args(&args)
-        .status()
-        .expect("failed to build bpf program");
-    assert!(status.success());
-    Ok(())
-}

user/apps/test_ebpf/syscall_ebpf/xtask/src/main.rs

@@ -1,36 +0,0 @@
-mod build_ebpf;
-mod build;
-mod run;
-
-use std::process::exit;
-
-use clap::Parser;
-
-#[derive(Debug, Parser)]
-pub struct Options {
-    #[clap(subcommand)]
-    command: Command,
-}
-
-#[derive(Debug, Parser)]
-enum Command {
-    BuildEbpf(build_ebpf::Options),
-    Build(build::Options),
-    Run(run::Options),
-}
-
-fn main() {
-    let opts = Options::parse();
-
-    use Command::*;
-    let ret = match opts.command {
-        BuildEbpf(opts) => build_ebpf::build_ebpf(opts),
-        Run(opts) => run::run(opts),
-        Build(opts) => build::build(opts),
-    };
-
-    if let Err(e) = ret {
-        eprintln!("{e:#}");
-        exit(1);
-    }
-}

user/apps/test_ebpf/syscall_ebpf/xtask/src/run.rs

@@ -1,55 +0,0 @@
-use std::process::Command;
-
-use anyhow::Context as _;
-use clap::Parser;
-
-use crate::{build::{build, Options as BuildOptions}, build_ebpf::Architecture};
-
-#[derive(Debug, Parser)]
-pub struct Options {
-    /// Set the endianness of the BPF target
-    #[clap(default_value = "bpfel-unknown-none", long)]
-    pub bpf_target: Architecture,
-    /// Build and run the release target
-    #[clap(long)]
-    pub release: bool,
-    /// The command used to wrap your application
-    #[clap(short, long, default_value = "sudo -E")]
-    pub runner: String,
-    /// Arguments to pass to your application
-    #[clap(name = "args", last = true)]
-    pub run_args: Vec<String>,
-}
-
-
-/// Build and run the project
-pub fn run(opts: Options) -> Result<(), anyhow::Error> {
-    // Build our ebpf program and the project
-    build(BuildOptions{
-        bpf_target: opts.bpf_target,
-        release: opts.release,
-    }).context("Error while building project")?;
-    
-    // profile we are building (release or debug)
-    let profile = if opts.release { "release" } else { "debug" };
-    let bin_path = format!("target/{profile}/syscall_ebpf");
-
-    // arguments to pass to the application
-    let mut run_args: Vec<_> = opts.run_args.iter().map(String::as_str).collect();
-
-    // configure args
-    let mut args: Vec<_> = opts.runner.trim().split_terminator(' ').collect();
-    args.push(bin_path.as_str());
-    args.append(&mut run_args);
-
-    // run the command
-    let status = Command::new(args.first().expect("No first argument"))
-        .args(args.iter().skip(1))
-        .status()
-        .expect("failed to run the command");
-
-    if !status.success() {
-        anyhow::bail!("Failed to run `{}`", args.join(" "));
-    }
-    Ok(())
-}

user/dadk/config/test_ebpf_0_1_0.toml → user/dadk/config/syscall_ebpf_0_1_0.toml

@@ -1,5 +1,5 @@
 # 用户程序名称
-name = "test_ebpf"
+name = "test_ebpf_new"
 # 版本号
 version = "0.1.0"
 # 用户程序描述信息
@@ -21,7 +21,7 @@ type = "build-from-source"
 # "install_from_prebuilt" 可选值："local", "archive"
 source = "local"
 # 路径或URL
-source-path = "user/apps/test_ebpf"
+source-path = "user/apps/syscall_ebpf"
 # 构建相关信息
 [build]
 # （可选）构建命令