aya_ebpf/programs/tp_btf.rs
1use core::ffi::c_void;
2
3use crate::{args::FromBtfArgument, EbpfContext};
4
5pub struct BtfTracePointContext {
6 ctx: *mut c_void,
7}
8
9impl BtfTracePointContext {
10 pub fn new(ctx: *mut c_void) -> BtfTracePointContext {
11 BtfTracePointContext { ctx }
12 }
13
14 /// Returns the `n`th argument of the BTF tracepoint, starting from 0.
15 ///
16 /// You can use the tplist tool provided by bcc to get a list of tracepoints and their
17 /// arguments. TODO: document this better, possibly add a tplist alternative to aya.
18 ///
19 /// SAFETY: This function is deeply unsafe, as we are reading raw pointers into kernel memory.
20 /// In particular, the value of `n` must not exceed the number of function arguments.
21 /// Luckily, the BPF verifier will catch this for us.
22 ///
23 /// # Examples
24 ///
25 /// ```no_run
26 /// # #![allow(dead_code)]
27 /// # use aya_ebpf::{programs::BtfTracePointContext, cty::{c_int, c_ulong, c_char}};
28 /// unsafe fn try_tp_btf_sched_process_fork(ctx: BtfTracePointContext) -> Result<u32, u32> {
29 /// // Grab arguments
30 /// let parent_comm: *const c_char = ctx.arg(0);
31 /// let parent_pid: c_int = ctx.arg(1);
32 /// let child_comm: *const c_char = ctx.arg(2);
33 /// let child_pid: c_int = ctx.arg(3);
34 ///
35 /// // You can then do stuff with parent_pidm parent_comm, child_pid, and
36 /// // child_comm down here.
37 ///
38 /// Ok(0)
39 /// }
40 /// ```
41 ///
42 /// [1]: https://elixir.bootlin.com/linux/latest/source/include/linux/lsm_hook_defs.h
43 pub unsafe fn arg<T: FromBtfArgument>(&self, n: usize) -> T {
44 T::from_argument(self.ctx as *const _, n)
45 }
46}
47
48impl EbpfContext for BtfTracePointContext {
49 fn as_ptr(&self) -> *mut c_void {
50 self.ctx
51 }
52}