cleanup and rename

tests/c-form/Makefile

@@ -0,0 +1,19 @@
+BPF_CLANG := clang
+CFLAGS := -O2 -emit-llvm -target bpf -c
+
+SRC := $(wildcard *.bpf.c)
+LL := $(SRC:.bpf.c=.bpf.ll)
+OBJ := $(SRC:.bpf.c=.bpf.o)
+
+.PHONY: all clean
+
+all: $(LL) $(OBJ)
+
+%.bpf.o: %.bpf.c
+	$(BPF_CLANG) -O2 -g -target bpf -c $< -o $@
+
+%.bpf.ll: %.bpf.c
+	$(BPF_CLANG) $(CFLAGS) -g -S $< -o $@
+
+clean:
+	rm -f $(LL) $(OBJ)

tests/c-form/ex2.bpf.c

@@ -0,0 +1,12 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#define u64 unsigned long long
+#define u32 unsigned int
+
+SEC("xdp")
+int hello(struct xdp_md *ctx) {
+    bpf_printk("Hello, World!\n");
+    return XDP_PASS;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex3-2.bpf.c

@@ -0,0 +1,39 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+#define u64 unsigned long long
+
+// Define the map
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, u64);
+    __type(value, u64);
+    __uint(max_entries, 4);
+} last SEC(".maps");
+
+// Handler for syscall entry
+SEC("tracepoint/syscalls/sys_enter_execve")
+int hello(void *ctx) {
+    bpf_printk("entered");
+    bpf_printk("multi constant support");
+    return 0;
+}
+
+// Handler for syscall exit
+SEC("tracepoint/syscalls/sys_exit_execve")
+long hello_again(void *ctx) {
+    bpf_printk("exited");
+
+    // Create a key for map lookup
+    u64 key = 0;
+
+    // Simple lookup without conditionals
+    u64 *tsp = bpf_map_lookup_elem(&last, &key);
+
+    // Get current timestamp
+    u64 ts = bpf_ktime_get_ns();
+
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex3.bpf.c

@@ -0,0 +1,35 @@
+// trace_delta.c
+#include <linux/bpf.h>
+#include <linux/ptrace.h>
+#include <bpf/bpf_helpers.h>
+#define u64 unsigned long long
+// Define the map structure
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 1);
+    __type(key, u64);
+    __type(value, u64);
+} last SEC(".maps");
+
+SEC("kprobe/sys_clone")  // Replace with actual probe point
+int do_trace(struct pt_regs *ctx) {
+    u64 ts, *tsp, delta, key = 0;
+
+    // Attempt to read stored timestamp
+    tsp = bpf_map_lookup_elem(&last, &key);
+    if (tsp != NULL) {
+        delta = bpf_ktime_get_ns() - *tsp;
+        if (delta < 1000000000) {
+            // Output if time is less than 1 second
+            bpf_printk("%d\n", delta / 1000000);
+        }
+        bpf_map_delete_elem(&last, &key);
+    }
+
+    // Update stored timestamp
+    ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&last, &key, &ts, BPF_ANY);
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex4.bpf.c

@@ -0,0 +1,46 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+#define u64 unsigned long long
+
+// Define the map
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, u64);
+    __type(value, u64);
+    __uint(max_entries, 1);
+} last SEC(".maps");
+
+// Handler for syscall entry
+SEC("tracepoint/syscalls/sys_enter_execve")
+int hello(void *ctx) {
+    bpf_printk("entered");
+    bpf_printk("multi constant support");
+    return 0;
+}
+
+// Handler for syscall exit
+SEC("tracepoint/syscalls/sys_exit_execve")
+long hello_again(void *ctx) {
+    bpf_printk("exited");
+
+    // Create a key for map lookup
+    u64 key = 0;
+
+    // Simple lookup without conditionals
+    u64 *tsp = bpf_map_lookup_elem(&last, &key);
+    if (tsp != NULL) {
+        u64 delta = bpf_ktime_get_ns() - *tsp;
+        if (delta < 1000000000) {
+            // output if time is less than 1 second
+            bpf_printk("execve called within last second");
+        }
+        bpf_map_delete_elem(&last, &key);
+    }
+    // Get current timestamp
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&last, &key, &ts, BPF_ANY);
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex5.bpf.c

@@ -0,0 +1,25 @@
+#define __TARGET_ARCH_arm64
+
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+
+// Map: key = struct request*, value = u64 timestamp
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __type(key, struct request *);
+    __type(value, u64);
+    __uint(max_entries, 1024);
+} start SEC(".maps");
+
+// Attach to kprobe for blk_start_request
+SEC("kprobe/blk_start_request")
+int BPF_KPROBE(trace_start, struct request *req)
+{
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex6.bpf.c

@@ -0,0 +1,43 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+
+
+#define TASK_COMM_LEN 16
+
+// Define output data structure
+struct data_t {
+    __u32 pid;
+    __u64 ts;
+//    char comm[TASK_COMM_LEN];
+};
+
+// Define a perf event output map
+struct {
+    __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+    __uint(key_size, sizeof(__u32));
+    __uint(value_size, sizeof(__u32));
+} events SEC(".maps");
+
+SEC("tracepoint/syscalls/sys_enter_clone")
+int hello(struct pt_regs *ctx)
+{
+    struct data_t data = {};
+    
+    // Get PID (lower 32 bits of the 64-bit value returned)
+    data.pid = bpf_get_current_pid_tgid() & 0xFFFFFFFF;
+    
+    // Get timestamp
+    data.ts = bpf_ktime_get_ns();
+    
+    // Get current process name
+//    bpf_get_current_comm(&data.comm, sizeof(data.comm));
+    
+    // Submit data to userspace via perf event
+    bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, 
+                         &data, sizeof(data));
+    
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex7.bpf.c

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: GPL-2.0
+
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+
+struct trace_entry {
+  short unsigned int type;
+  unsigned char flags;
+  unsigned char preempt_count;
+  int pid;
+};
+
+struct trace_event_raw_sys_enter {
+  struct trace_entry ent;
+  long int id;
+  long unsigned int args[6];
+  char __data[0];
+};
+
+struct event {
+  __u32 pid;
+  __u32 uid;
+  __u64 ts;
+};
+
+struct {
+  __uint(type, BPF_MAP_TYPE_PERF_EVENT_ARRAY);
+  __uint(key_size, sizeof(int));
+  __uint(value_size, sizeof(int));
+} events SEC(".maps");
+
+SEC("tp/syscalls/sys_enter_setuid")
+int handle_setuid_entry(struct trace_event_raw_sys_enter *ctx) {
+  struct event data = {};
+
+  // Extract UID from the syscall arguments
+  data.uid = (unsigned int)ctx->args[0];
+  data.ts = bpf_ktime_get_ns();
+  data.pid = bpf_get_current_pid_tgid() >> 32;
+
+  bpf_perf_event_output(ctx, &events, BPF_F_CURRENT_CPU, &data, sizeof(data));
+
+  return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/ex8.bpf.c

@@ -0,0 +1,47 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <linux/blkdev.h>
+#define __TARGET_ARCH_aarch64 
+#define u64 unsigned long long
+
+struct {
+    __uint(type, BPF_MAP_TYPE_HASH);
+    __uint(max_entries, 10240);
+    __type(key, struct request *);
+    __type(value, u64);
+} start SEC(".maps");
+
+SEC("kprobe/blk_start_request")
+int BPF_KPROBE(trace_start_req, struct request *req)
+{
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
+    return 0;
+}
+
+SEC("kprobe/blk_mq_start_request")
+int BPF_KPROBE(trace_start_mq, struct request *req)
+{
+    u64 ts = bpf_ktime_get_ns();
+    bpf_map_update_elem(&start, &req, &ts, BPF_ANY);
+    return 0;
+}
+
+SEC("kprobe/blk_account_io_completion")
+int BPF_KPROBE(trace_completion, struct request *req)
+{
+    u64 *tsp, delta;
+    
+    tsp = bpf_map_lookup_elem(&start, &req);
+    if (tsp) {
+        delta = bpf_ktime_get_ns() - *tsp;
+        bpf_printk("%d %x %d\n", req->__data_len, 
+                  req->cmd_flags, delta / 1000);
+        bpf_map_delete_elem(&start, &req);
+    }
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";

tests/c-form/example.bpf.c

@@ -0,0 +1,18 @@
+#include <linux/bpf.h>
+#include <bpf/bpf_helpers.h>
+#include <stdint.h>
+
+void test_function() {
+    bpf_printk("test_function called");
+}
+
+SEC("tracepoint/syscalls/sys_enter_execve")
+int trace_execve(void *ctx)
+{
+    bpf_printk("execve called");
+    bpf_printk("execve2 called");
+    test_function();
+    return 0;
+}
+
+char LICENSE[] SEC("license") = "GPL";