$ cargo xtask run ...
[2022-08-09T15:30:28Z INFO kprobe_rs] Waiting for Ctrl-C...
[2022-08-09T15:30:30Z INFO kprobe_rs] function do_sys_openat2 called
[2022-08-09T15:30:30Z INFO kprobe_rs] function do_sys_openat2 called
[2022-08-09T15:30:30Z INFO kprobe_rs] function do_sys_openat2 called
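// Embed the eBPF object file into this binary as raw bytes at compile time and load it at
// runtime. This approach is recommended for most real-world use cases. To choose the eBPF
// program at runtime rather than at compile time, reach for `Bpf::load_file` instead.
//
// `include_bytes_aligned!()` copies the contents of the BPF ELF object file at compile time.
// `Bpf::load()` reads the BPF ELF object contents produced by the previous command, creates
// the maps and performs the BTF relocations.
//
// NOTE(review): with the object embedded, the bytecode handed to the kernel is fixed at build
// time. A path given to `Bpf::load_file` would have to be writable only by trusted users,
// because whatever that file holds is loaded with this process's privileges.
#[cfg(debug_assertions)]
let mut bpf = Bpf::load(include_bytes_aligned!(
    "../../target/bpfel-unknown-none/debug/kprobe-rs"
))?;
#[cfg(not(debug_assertions))]
let mut bpf = Bpf::load(include_bytes_aligned!(
    "../../target/bpfel-unknown-none/release/kprobe-rs"
))?;

// Set up forwarding of the eBPF program's log records to the userspace logger; any
// initialisation error is propagated to the caller.
BpfLogger::init(&mut bpf)?;

// Extract the kprobe program by name. The name is baked into the embedded object, so a
// missing program means the build artefacts are out of sync; panic with a message that says
// so instead of a bare `unwrap()`.
let program: &mut KProbe = bpf
    .program_mut("kprobe_rs")
    .expect("embedded eBPF object does not contain a program named kprobe_rs")
    .try_into()?;

// Load it into the kernel. Loading and attaching a kprobe needs elevated privileges (root, or
// the BPF-related capabilities on newer kernels; confirm for the target kernel); without
// them the error is returned through `?`.
program.load()?;

// Attach at offset 0 of `do_sys_openat2`. This is a kernel-internal function, not a stable
// interface, so the attach can fail on kernels where the symbol is absent or renamed.
// NOTE(review): once attached, the probe presumably fires for file opens system-wide, so
// the log volume can be high and may include activity from unrelated processes.
program.attach("do_sys_openat2", 0)?;

// Keep the process (and with it `bpf`) alive until the user interrupts it.
// NOTE(review): the probe is presumably detached when `bpf` is dropped at scope exit;
// confirm against the aya version in use.
info!("Waiting for Ctrl-C...");
signal::ctrl_c().await?;
info!("Exiting...");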