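/*
 * Copyright (c) Facebook, Inc.
 * Licensed under the Apache License, Version 2.0 (the "License")
 */

#include <unistd.h>
#include <fstream>
#include <iostream>
#include <string>

#include "BPF.h"

// Kernel-side program, handed to ebpf::BPF::init() as source text.
// bpf_trace_printk() is a debugging aid: its output lands in the kernel trace
// buffer that all tracers on the host share, so it is neither a private nor an
// authenticated channel. Do not print sensitive data through it.
const std::string BPF_PROGRAM = R"(
int on_sys_clone(void *ctx) {
  bpf_trace_printk("Hello, World! Here I did a sys_clone call!\n");
  return 0;
}
)";

/**
 * Loads BPF_PROGRAM, attaches on_sys_clone as a kprobe on the clone syscall,
 * prints the first line read from trace_pipe, then detaches the probe.
 *
 * Loading BPF programs and attaching kprobes are privileged operations, and
 * trace_pipe lives under debugfs, so this is expected to need root or the
 * equivalent capabilities. NOTE(review): confirm the exact requirement for the
 * target kernel and keep the binary out of reach of unprivileged users.
 *
 * trace_pipe is shared system-wide, so the line printed may have been written
 * by another tracer rather than by on_sys_clone.
 *
 * @return 0 once a line was printed and the probe detached; 1 if init,
 *         opening trace_pipe, attach or detach failed.
 */
int main() {
  ebpf::BPF bpf;
  auto init_res = bpf.init(BPF_PROGRAM);
  if (init_res.code() != 0) {
    std::cerr << init_res.msg() << std::endl;
    return 1;
  }

  const std::string trace_pipe_path = "/sys/kernel/debug/tracing/trace_pipe";
  std::ifstream pipe(trace_pipe_path);
  // Without this check a failed open (debugfs not mounted, insufficient
  // privileges) makes every getline() below fail and the loop never ends.
  // Bail out before attaching so no probe is left behind.
  if (!pipe.is_open()) {
    std::cerr << "Unable to open " << trace_pipe_path << std::endl;
    return 1;
  }

  std::string line;
  std::string clone_fnname = bpf.get_syscall_fnname("clone");

  auto attach_res = bpf.attach_kprobe(clone_fnname, "on_sys_clone");
  if (attach_res.code() != 0) {
    std::cerr << attach_res.msg() << std::endl;
    return 1;
  }

  while (true) {
    if (std::getline(pipe, line)) {
      std::cout << line << std::endl;
      // Detach the probe if we got at least one line.
      auto detach_res = bpf.detach_kprobe(clone_fnname);
      if (detach_res.code() != 0) {
        std::cerr << detach_res.msg() << std::endl;
        return 1;
      }
      break;
    } else {
      std::cout << "Waiting for a sys_clone event" << std::endl;
      // A failed read leaves eofbit/failbit set; without clearing them every
      // later getline() returns immediately and the retry never reads again.
      pipe.clear();
      sleep(1);
    }
  }

  return 0;
}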