1 files changed, 55 insertions, 0 deletions
diff --git a/tools/perf/examples/bpf/augmented_syscalls.c b/tools/perf/examples/bpf/augmented_syscalls.c
new file mode 100644
index 000000000000..69a31386d8cd
--- /dev/null
+++ b/tools/perf/examples/bpf/augmented_syscalls.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Augment the openat syscall with the contents of the filename pointer argument.
+ *
+ * Test it with:
+ *
+ * perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
+ *
+ * It'll catch some openat syscalls related to the dynamic linked and
+ * the last one should be the one for '/etc/passwd'.
+ *
+ * This matches what is marshalled into the raw_syscall:sys_enter payload
+ * expected by the 'perf trace' beautifiers, and can be used by them unmodified,
+ * which will be done as that feature is implemented in the next csets, for now
+ * it will appear in a dump done by the default tracepoint handler in 'perf trace',
+ * that uses bpf_output__fprintf() to just dump those contents, as done with
+ * the bpf-output event associated with the __bpf_output__ map declared in
+ * tools/perf/include/bpf/stdio.h.
+ */
+#include <stdio.h>
+struct bpf_map SEC("maps") __augmented_syscalls__ = {
+       .type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
+       .key_size = sizeof(int),
+       .value_size = sizeof(u32),
+       .max_entries = __NR_CPUS__,
+};
+struct syscall_enter_openat_args {
+        unsigned long long common_tp_fields;
+        long               syscall_nr;
+        long               dfd;
+        char               *filename_ptr;
+        long               flags;
+        long               mode;
+};
+struct augmented_enter_openat_args {
+        struct syscall_enter_openat_args args;
+        char                             filename[64];
+};
+int syscall_enter(openat)(struct syscall_enter_openat_args *args)
+{
+        struct augmented_enter_openat_args augmented_args;
+        probe_read(&augmented_args.args, sizeof(augmented_args.args), args);
+        probe_read_str(&augmented_args.filename, sizeof(augmented_args.filename), args->filename_ptr);
+        perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU,
+                          &augmented_args, sizeof(augmented_args));
+        return 1;
+}
+license(GPL);

diff --git a/tools/perf/examples/bpf/augmented_syscalls.c b/tools/perf/examples/bpf/augmented_syscalls.c new file mode 100644 index 000000000000..69a31386d8cd --- /dev/null +++ b/tools/perf/examples/bpf/augmented_syscalls.c
@@ -0,0 +1,55 @@
	1	// SPDX-License-Identifier: GPL-2.0
	2	/*
	3	* Augment the openat syscall with the contents of the filename pointer argument.
	4	*
	5	* Test it with:
	6	*
	7	* perf trace -e tools/perf/examples/bpf/augmented_syscalls.c cat /etc/passwd > /dev/null
	8	*
	9	* It'll catch some openat syscalls related to the dynamic linked and
	10	* the last one should be the one for '/etc/passwd'.
	11	*
	12	* This matches what is marshalled into the raw_syscall:sys_enter payload
	13	* expected by the 'perf trace' beautifiers, and can be used by them unmodified,
	14	* which will be done as that feature is implemented in the next csets, for now
	15	* it will appear in a dump done by the default tracepoint handler in 'perf trace',
	16	* that uses bpf_output__fprintf() to just dump those contents, as done with
	17	* the bpf-output event associated with the __bpf_output__ map declared in
	18	* tools/perf/include/bpf/stdio.h.
	19	*/
	20
	21	#include <stdio.h>
	22
	23	struct bpf_map SEC("maps") __augmented_syscalls__ = {
	24	.type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
	25	.key_size = sizeof(int),
	26	.value_size = sizeof(u32),
	27	.max_entries = __NR_CPUS__,
	28	};
	29
	30	struct syscall_enter_openat_args {
	31	unsigned long long common_tp_fields;
	32	long syscall_nr;
	33	long dfd;
	34	char *filename_ptr;
	35	long flags;
	36	long mode;
	37	};
	38
	39	struct augmented_enter_openat_args {
	40	struct syscall_enter_openat_args args;
	41	char filename[64];
	42	};
	43
	44	int syscall_enter(openat)(struct syscall_enter_openat_args *args)
	45	{
	46	struct augmented_enter_openat_args augmented_args;
	47
	48	probe_read(&augmented_args.args, sizeof(augmented_args.args), args);
	49	probe_read_str(&augmented_args.filename, sizeof(augmented_args.filename), args->filename_ptr);
	50	perf_event_output(args, &__augmented_syscalls__, BPF_F_CURRENT_CPU,
	51	&augmented_args, sizeof(augmented_args));
	52	return 1;
	53	}
	54
	55	license(GPL);