- May 25, 2020
-
-
Sumanth Korikkar authored
It is recommended to use bpf_probe_read_kernel_{str} in the bpf tools. See kernel commit 0ebeea8ca8a4 ("bpf: Restrict bpf_probe_read{, str}() only to archs where they work")

Signed-off-by: Sumanth Korikkar <sumanthk@linux.ibm.com>
Acked-by: Ilya Leoshkevich <iii@linux.ibm.com>
-
- May 22, 2020
-
-
Alban Crequy authored
In previous patches, I added the option --cgroupmap to filter events belonging to a set of cgroup-v2. Although this approach works fine with systemd services and containers when cgroup-v2 is enabled, it does not work with containers when only cgroup-v1 is enabled because bpf_get_current_cgroup_id() only works with cgroup-v2. It also requires Linux 4.18 to get this bpf helper function.

This patch adds an additional way to filter by containers, using mount namespaces.

Note that this does not help with systemd services since they normally don't create a new mount namespace (unless you set some options like 'ReadOnlyPaths=', see "man 5 systemd.exec").

My goal with this patch is to filter Kubernetes pods, even on distributions with an older kernel (<4.18) or without cgroup-v2 enabled.

- This is only implemented for tools that already support filtering by cgroup id (bindsnoop, capable, execsnoop, profile, tcpaccept, tcpconnect, tcptop and tcptracer).
- I picked the mount namespace because the other namespaces could be disabled in Kubernetes (e.g. HostNetwork, HostPID, HostIPC).

It can be tested by following the example in docs/special_filtering added in this commit. To avoid compiling locally, the following command can be used:

```
sudo bpftool map create /sys/fs/bpf/mnt_ns_set type hash key 8 value 4 \
  entries 128 name mnt_ns_set flags 0
docker run -ti --rm --privileged \
  -v /usr/src:/usr/src -v /lib/modules:/lib/modules \
  -v /sys/fs/bpf:/sys/fs/bpf --pid=host kinvolk/bcc:alban-containers-filters \
  /usr/share/bcc/tools/execsnoop --mntnsmap /sys/fs/bpf/mnt_ns_set
```

Co-authored-by: Alban Crequy <alban@kinvolk.io>
Co-authored-by: Mauricio Vásquez <mauricio@kinvolk.io>
-
- Feb 21, 2020
-
-
Alban Crequy authored
List of tcp tools updated: tcpaccept, tcpconnect, tcptracer
-
- Jan 09, 2020
-
-
Michael Prokop authored
fix a bunch of types in man pages, docs, tools, tests, src and examples.
-
- Apr 20, 2019
-
-
Gary Lin authored
While mixing print(end="") with printb(), some messages may go missing due to the underlying buffer handling in python 3. For example:

```
# python3 opensnoop.py
PID COMM FD ERR PATH
/proc/18849/cmdline
4109 tmux: server 67 0 /proc/18849/cmdline
4109 tmux: server 67 0 /proc/18849/cmdline
4109 tmux: server 67 0 /proc/18849/cmdline
```

The PID, COMM, FD, and ERR are printed with print(end=""), and those of the first instance were eaten by printb() which outputs PATH.

The following scripts mix print(end="") and printb() for the same line:

tools/execsnoop.py
tools/opensnoop.py
tools/tcpaccept.py
tools/tcpconnect.py

Those scripts work fine with python 2 but some messages may go missing while using python 3.

This commit converts print(end="") to printb(nl="") to avoid the inconsistent outputs.

Signed-off-by: Gary Lin <glin@suse.com>
-
- Apr 10, 2019
-
-
Xiaozhou Liu authored
Fixes #2304. On Linux 4.16 and later, sock:inet_sock_set_state tracepoint was used for efficiency, but it may output wrong PIDs. This is because sock:inet_sock_set_state may run outside of process context. Hence, we stick to kprobes until we find a proper solution.
-
- Apr 07, 2019
-
-
Brendan Gregg authored
-
- Mar 08, 2019
-
-
Xiaozhou Liu authored
- add option `-T': include time column on output (HH:MM:SS)
- add option `-P PORT': only trace port(s) specified
- add RPORT column on output
-
- Feb 26, 2019
-
-
Xiaozhou Liu authored
pr #1842 forgot to add filtering in the new tracepoint code so it's incorrectly showing every sock:inet_sock_set_state event. This patch fixes that.
-
- Feb 15, 2019
-
-
Xiaozhou Liu authored
Simplify code following #2198 (https://github.com/iovisor/bcc/pull/2198). Some tools are not touched: mountsnoop.py, trace.py, lib/*.py, old/*.py.
-
- Jan 16, 2019
-
-
Alexey Ivanov authored
-
- Jan 10, 2019
-
-
Yonghong Song authored
The following three tools are recently changed to use printb in order to flush out the result: opensnoop.py, tcpaccept.py, tcpconnect.py

With python3, however, these tools have errors like below:

```
TypeError: %b requires a bytes-like object, or an object that implements __bytes__, not 'str'
Traceback (most recent call last):
  File "_ctypes/callbacks.c", line 234, in 'calling callback function'
  File "/usr/lib/python3.6/site-packages/bcc/table.py", line 572, in raw_cb_
    callback(cpu, data, size)
  File "../../tools/opensnoop.py", line 248, in print_event
    printb(b'%s' % event.fname.decode('utf-8', 'replace'))
```

This patch fixed printb related issues for these three tools for python3. The python2 still works with the fix.

Signed-off-by: Yonghong Song <yhs@fb.com>
-
- Jan 09, 2019
-
-
detailyang authored
add missing FILTER in the bpf program.
-
- Jan 04, 2019
-
-
japroc authored
* add stdout flushing to some tools
* change printb import source in opensnoop tool
-
- Jan 03, 2019
-
-
Alexey Ivanov authored
* fixed shebangs in tools (and lib)
* fixed shebangs in examples
* do not mangle shebangs in rpm spec
* renamed style-check.sh to c-style-check.sh
* factored out python linter to a separate file
* added shebang validation to the py-style-check
* added shebangs to all python executables
-
- Dec 19, 2018
-
-
Jerome Marchand authored
Many tools rely on the user to type Ctrl-C to end, but don't actually catch the keyboard interrupt and thus show an ugly backtrace when it happens. Let's catch the interrupt.
-
- Oct 09, 2018
-
-
jeromemarchand authored
* tools: uses 'replace' error handler by default in decode()

  Tools might encounter characters from non utf-8 charset (e.g. a file name). When this happens, it's better to replace the unexpected character by a question mark than crash the tool when all we do is to print the string.

* tools: fix a bytes/string issue in attach_perf_event()
-
- Sep 11, 2018
-
-
Marko Myllynen authored
Finish the conversion started with commit 36ce1124. Minor tweaks to make the tools consistent within themselves.
-
- Aug 16, 2018
-
-
Joe Yin authored
make types appropriate for ipaddr/protocol etc.
-
- Jul 01, 2018
-
-
Paul Chaignon authored
Most of these calls have been rendered useless by a9f96c02 ("Recognize context member dereferences despite array accesses (#1828)").
-
- Jun 21, 2018
-
-
Joe Yin authored
implement tracepoint based probing for tcpaccept.py.
-
- Jun 18, 2018
-
-
Joe Yin authored
fix socket protocol reading
-
- Jun 14, 2018
-
-
Paul Chaignon authored
* Skip instead of bailing out if MemberExpr is not rewritable
* Recognize context member dereferences despite array accesses

  For example, the rewriter should recognize, in the following, that prev is an external pointer retrieved from the context pointer, despite the access to the second element of the args array.

      struct task_struct *prev = (struct task_struct *)ctx->args[1];

  The same could be done for the translation of member dereferences to bpf_probe_read calls, but that would be a little bit more complex (to retrieve the correct base) and there's currently no tool that would benefit from it.

* Test for the recognition of ext ptrs from context array
* tools: remove unnecessary bpf_probe_read calls

  5d656bc7 made these calls unnecessary.
-
- Mar 02, 2018
-
-
Teng Qin authored
-
- Feb 02, 2018
-
-
Nathan Scott authored
Several python tools allow their eBPF code to be printed to stdout for debugging. There are other projects that would like to share these program definitions however, instead of duplicating code. We previously agreed on an --ebpf option and we now continue adding it to more tools.

Signed-off-by: Nathan Scott <nathans@redhat.com>
-
- Mar 26, 2017
-
-
Rafael F authored
This fixes the bcc module and all the affected tools for issues related to string handling in Python 3. Specifically, when passing Python strings to C libraries they are encoded as ASCII, and when constructing Python strings from C strings, they are decoded first.
-
- Jun 26, 2016
-
-
Mark Drayton authored
* tcpretrans: support full IPv6 addresses, fix --lossprobe
* tcpaccept: support full IPv6 addresses, fix timestamps
* tcpconnect: support full IPv6 addresses, fix timestamps
* tcpconnlat: support full IPv6 addresses, fix timestamps
-
- May 05, 2016
-
-
Naveen N. Rao authored
Convert some of the examples and tools to use the new helpers.

Signed-off-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
-
- Feb 15, 2016
-
-
Brendan Gregg authored
-
- Jan 27, 2016
-
-
Brenden Blanco authored
In order not to miss some files in the tools and examples source directories, use cmake file(GLOB) to collect relevant files. To ease the implementation, move all tools to be .py suffixed in the source, but sans-suffix in the installation (same as before).

In addition, to prevent future API breakage confusion (though of course that may still happen), use CDLL("libbcc.so.0") in the bcc __init__.py.

Fixes: #317

Signed-off-by: Brenden Blanco <bblanco@plumgrid.com>
-
- Jan 14, 2016
-
-
Alexei Starovoitov authored
no functional changes

Signed-off-by: Alexei Starovoitov <ast@fb.com>
-
- Oct 13, 2015
-
-
Brendan Gregg authored
-
Brendan Gregg authored
-
Brendan Gregg authored
-