WARNING: OLD STYLE IMPORTS DO NOT WORK. The old style of importing the full module and using `pb.*` prefixes has been replaced with direct imports of the needed names. This makes the code more explicit about what is being used and removes the unnecessary `pb` prefix.
from pythonbpf import bpf, map, section, bpfglobal, compile
from pythonbpf.helpers import bpf_ktime_get_ns
from pythonbpf.maps import HashMap
from ctypes import c_void_p, c_int64, c_int32, c_uint64
# Single-slot hash map holding the most recently recorded timestamp.
# Declared through pythonbpf's @map decorator: the function body returns the
# map *definition*, not data. Within this file only hello_again touches it
# (lookup / delete / update under the constant key 0).
@bpf
@map
def last() -> HashMap:
    # NOTE(review): max_entries=1 with a constant key presumably means one slot
    # shared by every CPU and every process hitting the tracepoints, so
    # overlapping execve calls will overwrite each other's timestamp — confirm
    # against pythonbpf's HashMap semantics if per-task timing is ever needed.
    return HashMap(key_type=c_uint64, value_type=c_uint64, max_entries=1)
# Tracepoint program attached to the execve *entry* hook. It only emits two
# trace messages; ctx is not read and the `last` map is not written here. As
# far as this file shows, only hello_again (on sys_exit_execve) records a
# timestamp, so the "within last second" check there measures the gap between
# consecutive execve exits, not the duration of a single execve.
@bpf
@section("tracepoint/syscalls/sys_enter_execve")
def hello(ctx: c_void_p) -> c_int32:
    # print() inside a pythonbpf program presumably lowers to a kernel trace
    # message (trace-pipe style output) rather than user-space stdout — confirm.
    print("entered")
    print("multi constant support")
    return c_int32(0)
# Tracepoint program attached to the execve *exit* hook. Reports whether the
# previously stored timestamp (key 0 in `last`) is less than one second old,
# then replaces it with the current time so the next exit can compare again.
# Indentation below was reconstructed from a flattened listing: delete() is
# placed inside `if tsp:` (only remove an entry that was found), while the
# final update() is unconditional so the slot gets populated on first run —
# confirm against the repository's original file.
@bpf
@section("tracepoint/syscalls/sys_exit_execve")
def hello_again(ctx: c_void_p) -> c_int64:
    print("exited")
    # Constant key: the map has a single slot, so every invocation on every
    # CPU contends on the same entry regardless of which process exec'd.
    key = 0
    tsp = last().lookup(key)
    if tsp:
        # bpf_ktime_get_ns() is in nanoseconds, so 1000000000 is one second.
        delta = (bpf_ktime_get_ns() - tsp.value)
        if delta < 1000000000:
            print("execve called within last second")
        # NOTE(review): lookup, delete and update are three separate map
        # operations, not one atomic read-modify-write; a concurrent exit on
        # another CPU can interleave between them. Acceptable for a demo.
        last().delete(key)
    # Record this exit's time for the next comparison.
    ts = bpf_ktime_get_ns()
    last().update(key, ts)
    return c_int64(0)
# License string exported as a BPF global. The kernel restricts some helpers
# (the trace-printk family among them) to programs that declare a
# GPL-compatible license, so changing this value would likely make the
# verifier reject the print() calls above.
@bpf
@bpfglobal
def LICENSE() -> str:
    return "GPL"
# Module-level call: hands every @bpf-decorated definition above to the
# pythonbpf compiler. This `compile` is the one imported on the first line of
# the file and shadows the builtin; it runs as a side effect of loading the
# module, so importing this file also triggers compilation.
compile()