I'm learning how to use kprobe in Android's eBPF framework. I use kprobe to monitor the do_unlinkat system call in Android's eBPF framework, but I can't get the parameters of the system call in the monitoring. The Android official website only has examples of using tracepoint, but no example of using kprobe. Does anyone know how to get the parameters of the system call when using kprobe in Android? My code is in the following format:
    struct event {
        char comm[16];
        int pid;
        __u64 fd;
    };

    /* Ring buffer the kprobe program writes into; userspace (AID_SYSTEM) reads it. */
    DEFINE_BPF_RINGBUF_EXT(t_ringbuf, struct event, 32 * 1024,
                           AID_ROOT, AID_SYSTEM, 0660, "", "", false,
                           BPFLOADER_IGNORED_ON_VERSION, BPFLOADER_MAX_VER, false,
                           false, false);

    /* kprobe on do_unlinkat(int dfd, struct filename *name); ctx holds the registers at entry. */
    DEFINE_BPF_PROG_KVER("kprobe/do_unlinkat", AID_ROOT, AID_ROOT, t_ringbuf_prog, KVER(5, 8, 0))
    (struct pt_regs *ctx) {
        struct event* e = bpf_t_ringbuf_reserve();
        if (e == NULL) return 1;
        /* On arm64 the first integer argument is in x0 = regs[0] (dfd);
           x1 = regs[1] holds the second argument, the struct filename pointer,
           not the descriptor. */
        e->fd = (ctx->regs[0]);
        bpf_get_current_comm(&e->comm, sizeof(e->comm));
        e->pid = bpf_get_current_pid_tgid() >> 32;
        bpf_t_ringbuf_submit(e);
        return 0;
    }
In the structure pt_regs, I can't get the correct parameters of the do_unlinkat function. Android eBPF-related definitions are in this link: https://cs.android.com/android/platform/superproject/main/+/main:frameworks/libs/net/common/native/bpf_headers/include/bpf/bpf_helpers.h
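As an added example (not the asker's code and not part of AOSP), the following host-side C program models how a kprobe on arm64 decodes the do_unlinkat(int dfd, struct filename *name) arguments out of struct pt_regs: under AAPCS64 the first eight integer and pointer arguments arrive in x0..x7, which the kernel's arm64 pt_regs exposes as regs[0]..regs[7], so dfd is regs[0] and the struct filename pointer is regs[1]. It assumes arm64 (the regs[] indexing in the question implies it), that the first member of the kernel's struct filename is the pointer to the path string, and it replaces the bpf_probe_read_kernel / bpf_probe_read_kernel_str helpers with a small callback table so the decoding logic can run and be checked on a developer machine. The ARM64_PARMn macro names and every sample value are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* arm64 pt_regs layout (x0..x30, sp, pc, pstate). At a kprobe on function
   entry, argument N (1-based) of the probed function is regs[N-1]. */
struct pt_regs_arm64 {
    uint64_t regs[31];
    uint64_t sp;
    uint64_t pc;
    uint64_t pstate;
};

/* Hypothetical accessor names; Android's bpf_helpers.h does not ship libbpf's PT_REGS_PARMn. */
#define ARM64_PARM1(ctx) ((ctx)->regs[0])
#define ARM64_PARM2(ctx) ((ctx)->regs[1])

/* Host-side model of the kernel's struct filename: the first member is the
   pointer to the NUL-terminated path, which is all the probe needs. */
struct filename_model {
    const char *name;
    const char *uptr;
    int refcnt;
};

/* Stand-ins for bpf_probe_read_kernel / bpf_probe_read_kernel_str. In the real
   BPF program call those helpers directly instead of going through this table. */
struct probe_ops {
    long (*read)(void *dst, uint32_t size, const void *src);
    long (*read_str)(void *dst, uint32_t size, const void *src);
};

struct unlink_args {
    int dfd;
    char path[64];
};

/* Decode do_unlinkat(int dfd, struct filename *name) from the entry registers.
   Returns 0 on success, a negative value if a pointer is NULL or a read fails. */
int decode_do_unlinkat(const struct pt_regs_arm64 *ctx, struct unlink_args *out,
                       const struct probe_ops *ops) {
    /* dfd is a 32-bit int passed in w0: only the low half of x0 is meaningful. */
    out->dfd = (int)(uint32_t)ARM64_PARM1(ctx);
    const void *name_struct = (const void *)(uintptr_t)ARM64_PARM2(ctx);
    if (name_struct == NULL) return -1;
    /* Two kernel-memory dereferences: first name->name, then the string it points to. */
    const char *kname = NULL;
    if (ops->read(&kname, sizeof(kname), name_struct) != 0) return -2;
    if (ops->read_str(out->path, sizeof(out->path), kname) < 0) return -3;
    return 0;
}

/* Host implementations: plain memory copies with the helpers' return conventions. */
static long host_read(void *dst, uint32_t size, const void *src) {
    memcpy(dst, src, size);
    return 0;
}
static long host_read_str(void *dst, uint32_t size, const void *src) {
    const char *s = src;
    char *d = dst;
    uint32_t i = 0;
    if (size == 0) return -1;
    while (i + 1 < size && s[i] != '\0') { d[i] = s[i]; i++; }
    d[i] = '\0';
    return (long)i + 1;   /* length including the NUL, like bpf_probe_read_kernel_str */
}
static const struct probe_ops host_ops = { host_read, host_read_str };

/* Constructed sample: the probe firing for unlinkat(AT_FDCWD, "/data/local/tmp/example.txt", 0). */
static const char sample_path[] = "/data/local/tmp/example.txt";

static void build_sample_regs(struct pt_regs_arm64 *regs, const struct filename_model *fn) {
    memset(regs, 0, sizeof(*regs));
    regs->regs[0] = (uint64_t)(int64_t)-100;   /* AT_FDCWD, sign-extended into x0 */
    regs->regs[1] = (uint64_t)(uintptr_t)fn;   /* struct filename * in x1 */
}

int demo_dfd(void) {
    struct filename_model fn = { sample_path, NULL, 1 };
    struct pt_regs_arm64 regs;
    struct unlink_args a;
    build_sample_regs(&regs, &fn);
    return decode_do_unlinkat(&regs, &a, &host_ops) == 0 ? a.dfd : 0;
}

int demo_path_is(const char *expected) {
    struct filename_model fn = { sample_path, NULL, 1 };
    struct pt_regs_arm64 regs;
    struct unlink_args a;
    build_sample_regs(&regs, &fn);
    if (decode_do_unlinkat(&regs, &a, &host_ops) != 0) return 0;
    return strcmp(a.path, expected) == 0;
}

/* Edge case: a NULL struct filename pointer must be rejected, not dereferenced. */
int demo_null_name(void) {
    struct pt_regs_arm64 regs;
    struct unlink_args a;
    build_sample_regs(&regs, NULL);
    return decode_do_unlinkat(&regs, &a, &host_ops);
}

int main(void) {
    printf("dfd=%d path_ok=%d null_rc=%d\n",
           demo_dfd(), demo_path_is(sample_path), demo_null_name());
    return 0;
}
```

Inside the actual BPF program the two callbacks become bpf_probe_read_kernel(&kname, sizeof(kname), &name->name) and bpf_probe_read_kernel_str(path, sizeof(path), kname) (kernel 5.5+); check the linked bpf_helpers.h for whether Android declares those helpers or only the older bpf_probe_read / bpf_probe_read_str. Note that the verifier rejects reads of unbounded size, so the destination buffer must be a fixed-size array as it is in struct event, and on x86 the same program would have to use the di/si members of pt_regs rather than regs[].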