release v1.4.0

app/config/table32.json

@@ -161,7 +161,7 @@
     "159": [1, "sched_get_priority_max", 0, 0],
     "160": [1, "sched_get_priority_min", 0, 0],
     "161": [2, "sched_rr_get_interval", 0, 0],
-    "162": [2, "nanosleep", 0, 0],
+    "162": [2, "nanosleep", 3, 0],
     "163": [5, "mremap", 0, 0],
     "164": [3, "setresuid", 0, 0],
     "165": [3, "getresuid", 0, 0],

app/config/table64.json

@@ -100,7 +100,7 @@
     "98": [6, "futex", 0, 0],
     "99": [2, "set_robust_list", 0, 0],
     "100": [3, "get_robust_list", 0, 0],
-    "101": [2, "nanosleep", 0, 0],
+    "101": [2, "nanosleep", 3, 0],
     "102": [2, "getitimer", 0, 0],
     "103": [3, "setitimer", 0, 0],
     "104": [4, "kexec_load", 0, 0],

app/module/arg_struct.go

@@ -0,0 +1,12 @@
+package module
+
+import "fmt"
+
+type Timespec struct {
+	TvSec  uint64 /* seconds */
+	TvNsec uint64 /* nanoseconds */
+}
+
+func (this *Timespec) String() string {
+	return fmt.Sprintf("seconds=%d,nanoseconds=%d", this.TvSec, this.TvNsec)
+}

app/module/module.go

@@ -284,11 +284,12 @@ func (this *Module) Decode(em *ebpf.Map, payload []byte) (event event.SyscallDat
 	if err = binary.Read(buf, binary.LittleEndian, &data.arg_str); err != nil {
 		return
 	}
+	nr := this.ReadNR(*data)
 	var base_str string
 	if this.conf.Debug {
-		base_str = fmt.Sprintf("[%s] type:%d pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.mtype, data.pid, data.tid, this.ReadNR(*data))
+		base_str = fmt.Sprintf("[%s] type:%d pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.mtype, data.pid, data.tid, nr)
 	} else {
-		base_str = fmt.Sprintf("[%s] pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.pid, data.tid, this.ReadNR(*data))
+		base_str = fmt.Sprintf("[%s] pid:%d tid:%d nr:%s", bytes.TrimSpace(bytes.Trim(data.comm[:], "\x00")), data.pid, data.tid, nr)
 	}
 	// type 和数据发送的顺序相关
 	switch data.mtype {
@@ -309,7 +310,17 @@ func (this *Module) Decode(em *ebpf.Map, payload []byte) (event event.SyscallDat
 			this.logger.Printf("%s PC:0x%x Info:\n%s\n", base_str, data.pc, info)
 		}
 	case 2:
-		arg_str := strings.SplitN(string(bytes.Trim(data.arg_str[:], "\x00")), "\x00", 2)[0]
+		var arg_str string
+		if nr == "nanosleep" {
+			var spec Timespec
+			t_buf := bytes.NewBuffer(data.arg_str[:])
+			if err = binary.Read(t_buf, binary.LittleEndian, &spec); err != nil {
+				return event, err
+			}
+			arg_str = spec.String()
+		} else {
+			arg_str = strings.SplitN(string(bytes.Trim(data.arg_str[:], "\x00")), "\x00", 2)[0]
+		}
 		this.logger.Printf("%s arg_index:%d arg_str:%s\n", base_str, data.arg_index, strings.TrimSpace(arg_str))
 	case 3:
 		this.logger.Printf("%s %s\n", base_str, this.ReadArgs(*data))

src/raw_syscalls.c

@@ -278,6 +278,20 @@ int raw_syscalls_sys_enter(struct bpf_raw_tracepoint_args* ctx) {
                 }
             }
         }
+    } else if ((filter->is_32bit && data->syscall_id == 162) || (!filter->is_32bit && data->syscall_id == 101)) {
+        struct timespec {
+            long tv_sec;        /* seconds */
+            long   tv_nsec;       /* nanoseconds */
+        };
+        // int nanosleep(const struct timespec *req, struct timespec *rem);
+        #pragma unroll
+        for (int j = 0; j < 2; j++) {
+            data->arg_index = j;
+            bpf_probe_read_kernel(&data->args[j], sizeof(u64), &regs->regs[j]);
+            __builtin_memset(&data->arg_str, 0, sizeof(data->arg_str));
+            bpf_probe_read_user(data->arg_str, sizeof(struct timespec), (void*)data->args[j]);
+            bpf_perf_event_output(ctx, &syscall_events, BPF_F_CURRENT_CPU, data, sizeof(struct syscall_data_t));
+        }
     } else {
         // 展开循环
         #pragma unroll