1 #include <uapi/linux/ptrace.h>
2 #include <linux/sched.h>
7 unsigned int allocated;
8 unsigned int constant : 1;
9 unsigned int locked : 1;
10 unsigned int invalid : 1;
11 unsigned int align_offset : 3;
14 struct DBusHeaderFields {
19 struct DBusString data;
21 struct DBusHeaderFields fields[9];
25 unsigned char protocol_version;
30 struct DBusHeader header;
31 struct DBusString body;
33 unsigned int locked : 1;
36 long size_counter_delta;
39 u32 changed_stamp : 21;
47 unsigned n_unix_fds_allocated;
49 long unix_fd_counter_delta;
51 struct DBusString *signature;
52 struct DBusString *unique_sender;
53 size_t gvariant_body_last_offset;
54 size_t gvariant_body_last_pos;
59 char comm[TASK_COMM_LEN];
66 BPF_HASH(g_message, struct data_t, unsigned long *);
67 BPF_HASH(msg_size, struct data_t, struct bytes_t);
68 BPF_HISTOGRAM(msg_size_hist);
70 static int get_process_data(struct data_t *data) {
71 data->pid = bpf_get_current_pid_tgid();
72 bpf_get_current_comm(&data->comm, sizeof(data->comm));
76 static int message_size(unsigned long size) {
77 struct data_t data = {};
78 get_process_data(&data);
80 msg_size_hist.increment(bpf_log2l(size));
81 struct bytes_t bytes_sent = {size};
82 struct bytes_t *bytes_prev = msg_size.lookup(&data);
83 if (bytes_prev != 0) {
84 bytes_sent.bytes += bytes_prev->bytes;
85 msg_size.update(&data, &bytes_sent);
88 msg_size.insert(&data, &bytes_sent);
94 int g_get_size_pointer (struct pt_regs *ctx, void *dummy, unsigned long *size) {
95 struct data_t data = {};
96 get_process_data(&data);
97 g_message.insert(&data, &size);
101 int g_get_message_size(struct pt_regs *ctx) {
102 struct data_t data = {};
103 get_process_data(&data);
104 unsigned long **ptr_gsize;
105 ptr_gsize = g_message.lookup(&data);
106 if (ptr_gsize == 0) {
109 unsigned long *gsize = 0;
110 bpf_probe_read(&gsize, sizeof(gsize), ptr_gsize);
111 unsigned long size = 0;
112 bpf_probe_read(&size, sizeof(size), gsize);
113 if(size > 0 && size < 1000000) {
119 int dbus_message_size(struct pt_regs *ctx, void *conn, struct DBusMessage *message) {
120 unsigned long size = 0;
124 bpf_probe_read(&header_len, sizeof(header_len), (char*)message + offsetof(struct DBusMessage, header.data.len));
125 if (header_len > 0) {
128 bpf_probe_read(&body_len, sizeof(body_len), (char*)message + offsetof(struct DBusMessage, body.len));