increased stack trace depth

chains-project · Jan 13, 2025 · 89843e1 · 89843e1
1 parent b86bdd3
commit 89843e1
Showing 1 changed file with 17 additions and 9 deletions.
diff --git a/eBPFleash/backend.c b/eBPFleash/backend.c
@@ -7,17 +7,17 @@
 #define TARGET_CMD "default_comm"
 #endif
 
-#define TASK_COMM_SIZE 100
-#define MAX_STACK_DEPTH 20
+#define COMM_SIZE 100
+#define MAX_STACK_DEPTH 32
 
 char __license[] SEC("license") = "Dual MIT/GPL";
 
-static char target_comm[10] = TARGET_CMD;
+static char target_comm[COMM_SIZE] = TARGET_CMD;
 
 struct event {
     u32 pid;
     u64 syscall;
-    u8  comm[TASK_COMM_SIZE];
+    u8  comm[COMM_SIZE];
 	u32 stack_id;
 };
 
@@ -30,7 +30,7 @@ struct {
     __uint(type, BPF_MAP_TYPE_STACK_TRACE);
     __uint(key_size, sizeof(u32));
     __uint(value_size, MAX_STACK_DEPTH * sizeof(u64));
-    __uint(max_entries, 1000);
+    __uint(max_entries, 10000);
 } stacktraces SEC(".maps");
 
 struct {
@@ -53,17 +53,19 @@ static __always_inline int str_compare(const char *str1, const char *str2, int s
     return 0;
 }
 
-
 SEC("tracepoint/raw_syscalls/sys_enter")
+// SEC("tracepoint/syscalls/sys_enter_*")
 int trace_syscall(struct trace_event_raw_sys_enter *ctx) {
 
+
 	// Get the current PID
 	u32 pid = bpf_get_current_pid_tgid() >> 32;
 	u32 *target_pid_ptr = bpf_map_lookup_elem(&target_pid_map, &pid);
 
 	if (!target_pid_ptr) {
+
         // Check if the current comm matches the target comm
-        char comm[TASK_COMM_SIZE];
+        char comm[COMM_SIZE];
         bpf_get_current_comm(&comm, sizeof(comm));
         if (str_compare(comm, target_comm, sizeof(target_comm)) == 0) {
 			u32 value = pid;
@@ -84,10 +86,16 @@ int trace_syscall(struct trace_event_raw_sys_enter *ctx) {
 
 	// Populate the event structure with pid, syscall number, 
 	// command and stack trace
-	bpf_get_current_comm(&e->comm, TASK_COMM_SIZE);
+	bpf_get_current_comm(&e->comm, COMM_SIZE);
 	e->pid = pid;
 	e->syscall = ctx->id;
-    e->stack_id = bpf_get_stackid(ctx, &stacktraces, BPF_F_USER_STACK);
+    // bpf_printk("SYSCALL %d\n", e->syscall);
+    int stack_id = bpf_get_stackid(ctx, &stacktraces, BPF_F_USER_STACK);
+    if (stack_id >= 0) {
+        e->stack_id = stack_id;
+    } else {
+        e->stack_id = 0; // Invalid stack id
+    }
 
 	// Submit the event to the ring buffer
 	bpf_ringbuf_submit(e, 0);