cleanup and rename

2025-12-31 21:06:25 +00:00 · 2025-09-30 21:05:07 +05:30
parent 18811933bf
commit 0d0a318e46
22 changed files with 18 additions and 113 deletions
--- a/examples/binops_demo.py
+++ b/examples/binops_demo.py
@ -6,8 +6,8 @@ from ctypes import c_void_p, c_int64, c_uint64

 # Instructions to how to run this program
 # 1. Install PythonBPF: pip install pythonbpf
-# 2. Run the program: python demo/pybpf3.py
-# 3. Run the program with sudo: sudo examples/check.sh run demo/pybpf3.o
+# 2. Run the program: python examples/binops_demo.py
+# 3. Run the program with sudo: sudo tools/check.sh run examples/binops_demo.py
 # 4. Start up any program and watch the output

@bpf
--- a/examples/blk_request.py
+++ b/examples/blk_request.py
--- a/examples/c-form/Makefile
+++ b/examples/c-form/Makefile
@ -1,19 +0,0 @@
-BPF_CLANG := clang
-CFLAGS := -O2 -emit-llvm -target bpf -c
-
-SRC := $(wildcard *.bpf.c)
-LL := $(SRC:.bpf.c=.bpf.ll)
-OBJ := $(SRC:.bpf.c=.bpf.o)
-
-.PHONY: all clean
-
-all: $(LL) $(OBJ)
-
-%.bpf.o: %.bpf.c
-	$(BPF_CLANG) -O2 -g -target bpf -c $< -o $@
-
-%.bpf.ll: %.bpf.c
-	$(BPF_CLANG) $(CFLAGS) -g -S $< -o $@
-
-clean:
-	rm -f $(LL) $(OBJ)
--- a/examples/c-form/ex2.bpf.c
+++ b/examples/c-form/ex2.bpf.c
@ -1,12 +0,0 @@
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-#define u64 unsigned long long
-#define u32 unsigned int
-
-SEC("xdp")
-int hello(struct xdp_md *ctx) {
-    bpf_printk("Hello, World!\n");
-    return XDP_PASS;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex3-2.bpf.c
+++ b/examples/c-form/ex3-2.bpf.c
@ -1,39 +0,0 @@
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-
-#define u64 unsigned long long
-
-// Define the map
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __type(key, u64);
-    __type(value, u64);
-    __uint(max_entries, 4);
-} last SEC(".maps");
-
-// Handler for syscall entry
-SEC("tracepoint/syscalls/sys_enter_execve")
-int hello(void *ctx) {
-    bpf_printk("entered");
-    bpf_printk("multi constant support");
-    return 0;
-}
-
-// Handler for syscall exit
-SEC("tracepoint/syscalls/sys_exit_execve")
-long hello_again(void *ctx) {
-    bpf_printk("exited");
-
-    // Create a key for map lookup
-    u64 key = 0;
-
-    // Simple lookup without conditionals
-    u64 *tsp = bpf_map_lookup_elem(&last, &key);
-
-    // Get current timestamp
-    u64 ts = bpf_ktime_get_ns();
-
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex3.bpf.c
+++ b/examples/c-form/ex3.bpf.c
@ -1,35 +0,0 @@
-// trace_delta.c
-#include <linux/bpf.h>
-#include <linux/ptrace.h>
-#include <bpf/bpf_helpers.h>
-#define u64 unsigned long long
-// Define the map structure
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __uint(max_entries, 1);
-    __type(key, u64);
-    __type(value, u64);
-} last SEC(".maps");
-
-SEC("kprobe/sys_clone")  // Replace with actual probe point
-int do_trace(struct pt_regs *ctx) {
-    u64 ts, *tsp, delta, key = 0;
-
-    // Attempt to read stored timestamp
-    tsp = bpf_map_lookup_elem(&last, &key);
-    if (tsp != NULL) {
-        delta = bpf_ktime_get_ns() - *tsp;
-        if (delta < 1000000000) {
-            // Output if time is less than 1 second
-            bpf_printk("%d\n", delta / 1000000);
-        }
-        bpf_map_delete_elem(&last, &key);
-    }
-
-    // Update stored timestamp
-    ts = bpf_ktime_get_ns();
-    bpf_map_update_elem(&last, &key, &ts, BPF_ANY);
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex4.bpf.c
+++ b/examples/c-form/ex4.bpf.c
@ -1,46 +0,0 @@
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-
-#define u64 unsigned long long
-
-// Define the map
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __type(key, u64);
-    __type(value, u64);
-    __uint(max_entries, 1);
-} last SEC(".maps");
-
-// Handler for syscall entry
-SEC("tracepoint/syscalls/sys_enter_execve")
-int hello(void *ctx) {
-    bpf_printk("entered");
-    bpf_printk("multi constant support");
-    return 0;
-}
-
-// Handler for syscall exit
-SEC("tracepoint/syscalls/sys_exit_execve")
-long hello_again(void *ctx) {
-    bpf_printk("exited");
-
-    // Create a key for map lookup
-    u64 key = 0;
-
-    // Simple lookup without conditionals
-    u64 *tsp = bpf_map_lookup_elem(&last, &key);
-    if (tsp != NULL) {
-        u64 delta = bpf_ktime_get_ns() - *tsp;
-        if (delta < 1000000000) {
-            // output if time is less than 1 second
-            bpf_printk("execve called within last second");
-        }
-        bpf_map_delete_elem(&last, &key);
-    }
-    // Get current timestamp
-    u64 ts = bpf_ktime_get_ns();
-    bpf_map_update_elem(&last, &key, &ts, BPF_ANY);
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex5.bpf.c
+++ b/examples/c-form/ex5.bpf.c
@ -1,25 +0,0 @@
-#define __TARGET_ARCH_arm64
-
-#include "vmlinux.h"
-#include <bpf/bpf_helpers.h>
-#include <bpf/bpf_tracing.h>
-#include <bpf/bpf_core_read.h>
-
-// Map: key = struct request*, value = u64 timestamp
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __type(key, struct request *);
-    __type(value, u64);
-    __uint(max_entries, 1024);
-} start SEC(".maps");
-
-// Attach to kprobe for blk_start_request
-SEC("kprobe/blk_start_request")
-int BPF_KPROBE(trace_start, struct request *req)
-{
-    u64 ts = bpf_ktime_get_ns();
-    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex6.bpf.c
+++ b/examples/c-form/ex6.bpf.c
@ -1,43 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-
-
-#define TASK_COMM_LEN 16
-
-// Define output data structure
-struct data_t {
-    __u32 pid;
-    __u64 ts;
-//    char comm[TASK_COMM_LEN];
-};
-
-// Define a perf event output map
-struct {
-    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
-    __uint(key_size, sizeof(__u32));
-    __uint(value_size, sizeof(__u32));
-} events SEC(".maps");
-
-SEC("tracepoint/syscalls/sys_enter_clone")
-int hello(struct pt_regs *ctx)
-{
-    struct data_t data = {};
-    
-    // Get PID (lower 32 bits of the 64-bit value returned)
-    data.pid = bpf_get_current_pid_tgid() & 0xFFFFFFFF;
-    
-    // Get timestamp
-    data.ts = bpf_ktime_get_ns();
-    
-    // Get current process name
-//    bpf_get_current_comm(&data.comm, sizeof(data.comm));
-    
-    // Submit data to userspace via perf event
-    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, 
-                         &data, sizeof(data));
-    
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex7.bpf.c
+++ b/examples/c-form/ex7.bpf.c
@ -1,47 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-#include <bpf/bpf_tracing.h>
-
-struct trace_entry {
-  short unsigned int type;
-  unsigned char flags;
-  unsigned char preempt_count;
-  int pid;
-};
-
-struct trace_event_raw_sys_enter {
-  struct trace_entry ent;
-  long int id;
-  long unsigned int args[6];
-  char __data[0];
-};
-
-struct event {
-  __u32 pid;
-  __u32 uid;
-  __u64 ts;
-};
-
-struct {
-  __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
-  __uint(key_size, sizeof(int));
-  __uint(value_size, sizeof(int));
-} events SEC(".maps");
-
-SEC("tp/syscalls/sys_enter_setuid")
-int handle_setuid_entry(struct trace_event_raw_sys_enter *ctx) {
-  struct event data = {};
-
-  // Extract UID from the syscall arguments
-  data.uid = (unsigned int)ctx->args[0];
-  data.ts = bpf_ktime_get_ns();
-  data.pid = bpf_get_current_pid_tgid() >> 32;
-
-  bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
-
-  return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/ex8.bpf.c
+++ b/examples/c-form/ex8.bpf.c
@ -1,47 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-#include <bpf/bpf_tracing.h>
-#include <linux/blkdev.h>
-#define __TARGET_ARCH_aarch64 
-#define u64 unsigned long long
-
-struct {
-    __uint(type, BPF_MAP_TYPE_HASH);
-    __uint(max_entries, 10240);
-    __type(key, struct request *);
-    __type(value, u64);
-} start SEC(".maps");
-
-SEC("kprobe/blk_start_request")
-int BPF_KPROBE(trace_start_req, struct request *req)
-{
-    u64 ts = bpf_ktime_get_ns();
-    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
-    return 0;
-}
-
-SEC("kprobe/blk_mq_start_request")
-int BPF_KPROBE(trace_start_mq, struct request *req)
-{
-    u64 ts = bpf_ktime_get_ns();
-    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
-    return 0;
-}
-
-SEC("kprobe/blk_account_io_completion")
-int BPF_KPROBE(trace_completion, struct request *req)
-{
-    u64 *tsp, delta;
-    
-    tsp = bpf_map_lookup_elem(&start, &req);
-    if (tsp) {
-        delta = bpf_ktime_get_ns() - *tsp;
-        bpf_printk("%d %x %d\n", req->__data_len, 
-                  req->cmd_flags, delta / 1000);
-        bpf_map_delete_elem(&start, &req);
-    }
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/example.bpf.c
+++ b/examples/c-form/example.bpf.c
@ -1,18 +0,0 @@
-#include <linux/bpf.h>
-#include <bpf/bpf_helpers.h>
-#include <stdint.h>
-
-void test_function() {
-    bpf_printk("test_function called");
-}
-
-SEC("tracepoint/syscalls/sys_enter_execve")
-int trace_execve(void *ctx)
-{
-    bpf_printk("execve called");
-    bpf_printk("execve2 called");
-    test_function();
-    return 0;
-}
-
-char LICENSE[] SEC("license") = "GPL";
--- a/examples/c-form/vmlinux.h
+++ b/examples/c-form/vmlinux.h
--- a/examples/check.sh
+++ b/examples/check.sh
@ -1,45 +0,0 @@
-#!/bin/bash
-
-PIN_PATH="/sys/fs/bpf/bpf_prog"
-FILE="$2"
-case "$1" in
-    check)
-        echo "[*] Checking $FILE"
-        echo $(sudo bpftool prog load -d "$FILE" "$PIN_PATH")
-        sudo rm -f "$PIN_PATH"
-        echo "[+] Verification succeeded"
-        ;;
-    run)
-        echo "[*] Loading and running $FILE"
-        sudo bpftool prog loadall "$FILE" "$PIN_PATH" autoattach
-        echo "[+] Program loaded. Press Ctrl+C to stop"
-        sudo cat /sys/kernel/debug/tracing/trace_pipe
-        sudo rm -rf "$PIN_PATH"
-        echo "[+] Stopped"
-        ;;
-    stop)
-        echo "[*] Stopping program"
-        sudo rm -f "$PIN_PATH"
-        echo "[+] Stopped"
-        ;;
-    xdp)
-        echo "[*] Loading and running $FILE"
-        sudo bpftool net detach xdp dev $3
-        sudo bpftool prog load "$FILE" "$PIN_PATH" type xdp
-        sudo bpftool net attach xdp pinned "$PIN_PATH" dev $3
-        echo "[+] Program loaded. Press Ctrl+C to stop"
-        sudo cat /sys/kernel/debug/tracing/trace_pipe
-        sudo bpftool net detach xdp dev $3
-        sudo rm -rf "$PIN_PATH"
-        echo "[+] Stopped"
-        ;;
-    *)
-        echo "Usage: $0 <check|run|stop> <file.o>"
-        echo "Examples:"
-        echo "  $0 check program.bpf.o"
-        echo "  $0 run program.bpf.o"
-        echo "  $0 xdp program.bpf.o wlp6s0"
-        echo "  $0 stop"
-        exit 1
-        ;;
-esac
--- a/examples/clone_plot.py
+++ b/examples/clone_plot.py
@ -12,7 +12,7 @@ import matplotlib.pyplot as plt
 # and then plots the distribution as a histogram using matplotlib.
 # It provides a quick view of process creation activity over 10 seconds.
 # Everything is done with Python only code and with the new pylibbpf library.
-# Run `sudo /path/to/python/binary/ pybpf4.py`
+# Run `sudo /path/to/python/binary/ clone_plot.py`

@bpf
@map
--- a/examples/execve2.py
+++ b/examples/execve2.py
@ -1,35 +0,0 @@
-from pythonbpf.decorators import bpf, map, section, bpfglobal
-from ctypes import c_void_p, c_int64, c_int32, c_uint64
-from pythonbpf.helpers import ktime
-from pythonbpf.maps import HashMap
-
-
-@bpf
-@map
-def last() -> HashMap:
-    return HashMap(key=c_uint64, value=c_uint64, max_entries=1)
-
-
-@bpf
-@section("tracepoint/syscalls/sys_enter_execve")
-def hello(ctx: c_void_p) -> c_int32:
-    print("entered")
-    print("multi constant support")
-    return c_int32(0)
-
-
-@bpf
-@section("tracepoint/syscalls/sys_exit_execve")
-def hello_again(ctx: c_void_p) -> c_int64:
-    print("exited")
-    key = 0
-    tsp = last().lookup(key)
-    print(tsp)
-    ts = ktime()
-    return c_int64(0)
-
-
-@bpf
-@bpfglobal
-def LICENSE() -> str:
-    return "GPL"
--- a/examples/execve3.py
+++ b/examples/execve3.py
@ -1,45 +0,0 @@
-from pythonbpf import bpf, map, section, bpfglobal, compile
-from pythonbpf.helpers import ktime, deref
-from pythonbpf.maps import HashMap
-
-from ctypes import c_void_p, c_int64, c_int32, c_uint64
-
-
-@bpf
-@map
-def last() -> HashMap:
-    return HashMap(key=c_uint64, value=c_uint64, max_entries=3)
-
-@bpf
-@section("tracepoint/syscalls/sys_exit_execve")
-def hello_again(ctx: c_void_p) -> c_int64:
-    print("multi constant support")
-    print("exited")
-    key = 0
-    delta = 0
-    dddelta = 0
-    tsp = last().lookup(key)
-    if True:
-        delta = ktime()
-        ddelta = deref(delta)
-        ttsp = deref(deref(tsp))
-        dddelta = ddelta - ttsp
-        if dddelta < 1000000000:
-            print("execve called within last second")
-        last().delete(key)
-    ts = ktime()
-    last().update(key, ts)
-
-    va = 8
-    nm = 5 + va
-    al = 6 & 3
-    print(f"this is a variable {nm}")
-
-    return c_int64(0)
-
-@bpf
-@bpfglobal
-def LICENSE() -> str:
-    return "GPL"
-
-compile()
--- a/examples/hello_world.py
+++ b/examples/hello_world.py
@ -1,11 +1,9 @@
-from pythonbpf import bpf, section, bpfglobal, compile
-
+from pythonbpf import bpf, section, bpfglobal, compile, BPF
 from ctypes import c_void_p, c_int64

 # Instructions to how to run this program
 # 1. Install PythonBPF: pip install pythonbpf
-# 2. Run the program: python demo/pybpf0.py
-# 3. Run the program with sudo: sudo examples/check.sh run demo/pybpf0.o
+# 2. Run the program: sudo python examples/hello_world.py
 # 4. Start up any program and watch the output


@ -20,4 +18,11 @@ def hello_world(ctx: c_void_p) -> c_int64:
 def LICENSE() -> str:
    return "GPL"

-compile()
+b = BPF()
+b.load_and_attach()
+if b.is_loaded() and b.is_attached():
+    print("Successfully loaded and attached")
+else:
+    print("Could not load successfully")
+
+# Now cat /sys/kernel/debug/tracing/trace_pipe to see results of the execve syscall.
--- a/examples/struct_and_perf.py
+++ b/examples/struct_and_perf.py
--- a/examples/sys_sync.py
+++ b/examples/sys_sync.py
@ -6,8 +6,8 @@ from ctypes import c_void_p, c_int64, c_uint64

 # Instructions to how to run this program
 # 1. Install PythonBPF: pip install pythonbpf
-# 2. Run the program: python demo/pybpf2.py
-# 3. Run the program with sudo: sudo examples/check.sh run demo/pybpf2.o
+# 2. Run the program: python examples/sys_sync.py
+# 3. Run the program with sudo: sudo tools/check.sh run examples/sys_sync.o
 # 4. Start a Python repl and `import os` and then keep entering `os.sync()` to see reponses.

@bpf
--- a/examples/xdp_pass.py
+++ b/examples/xdp_pass.py
@ -6,9 +6,9 @@ from ctypes import c_void_p, c_int64

 # Instructions to how to run this program
 # 1. Install PythonBPF: pip install pythonbpf
-# 2. Run the program: python demo/pybpf1.py
-# 3. Run the program with sudo: sudo examples/check.sh run demo/pybpf1.o
-# 4. Attach object file to any network device with something like ./check.sh xdp ../demo/pybpf1.o tailscale0
+# 2. Run the program: python examples/xdp_pass.py
+# 3. Run the program with sudo: sudo tools/check.sh run examples/xdp_pass.o
+# 4. Attach object file to any network device with something like ./check.sh xdp examples/xdp_pass.o tailscale0
 # 5. send traffic through the device and observe effects

@bpf