Let's EbpfTracepoint own the ebpf::Program and tracing::NativeEvent

Summary: Part of a linux tracing system, blueprint: [osquery#5218](osquery#5218) Reviewed By: SAlexandru Differential Revision: D13787759 fbshipit-source-id: 726075e04474b4148c0292d6e9e8f10cf60b9214
akindyakov · Feb 4, 2019 · c83c483 · c83c483
1 parent 7bd90ed
commit c83c483
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 36 deletions.
diff --git a/osquery/events/linux/probes/ebpf_tracepoint.cpp b/osquery/events/linux/probes/ebpf_tracepoint.cpp
@@ -22,11 +22,20 @@
 namespace osquery {
 namespace events {
 
-EbpfTracepoint::EbpfTracepoint(EbpfTracepoint&& other) : fd_(other.fd_) {
+EbpfTracepoint::EbpfTracepoint(tracing::NativeEvent system_event,
+                               ebpf::Program program)
+    : system_event_{std::move(system_event)}, program_{std::move(program)} {}
+
+EbpfTracepoint::EbpfTracepoint(EbpfTracepoint&& other)
+    : fd_{other.fd_},
+      system_event_{std::move(other.system_event_)},
+      program_{std::move(other.program_)} {
   other.fd_ = -1;
 }
 
 EbpfTracepoint& EbpfTracepoint::operator=(EbpfTracepoint&& other) {
+  std::swap(system_event_, other.system_event_);
+  std::swap(program_, other.program_);
   std::swap(fd_, other.fd_);
   return *this;
 }
@@ -36,14 +45,14 @@ EbpfTracepoint::~EbpfTracepoint() {
 }
 
 Expected<EbpfTracepoint, EbpfTracepoint::Error> EbpfTracepoint::load(
-    tracing::SystemEventId system_event_id, int prog_fd) {
-  auto instance = EbpfTracepoint{};
+    tracing::NativeEvent system_event, ebpf::Program program) {
+  auto instance = EbpfTracepoint(std::move(system_event), std::move(program));
 
   struct perf_event_attr trace_attr;
   memset(&trace_attr, 0, sizeof(struct perf_event_attr));
   trace_attr.type = PERF_TYPE_TRACEPOINT;
   trace_attr.size = sizeof(struct perf_event_attr);
-  trace_attr.config = system_event_id;
+  trace_attr.config = instance.system_event_.id();
   trace_attr.sample_period = 1;
   trace_attr.sample_type = PERF_SAMPLE_RAW;
   trace_attr.wakeup_events = 1;
@@ -62,7 +71,7 @@ Expected<EbpfTracepoint, EbpfTracepoint::Error> EbpfTracepoint::load(
   }
   instance.fd_ = fd_exp.take();
 
-  if (ioctl(instance.fd_, PERF_EVENT_IOC_SET_BPF, prog_fd) < 0) {
+  if (ioctl(instance.fd_, PERF_EVENT_IOC_SET_BPF, instance.program_.fd()) < 0) {
     return createError(Error::SystemError,
                        "Fail to attach perf event of EbpfTracepoint ")
            << boost::io::quoted(strerror(errno));

diff --git a/osquery/events/linux/probes/ebpf_tracepoint.h b/osquery/events/linux/probes/ebpf_tracepoint.h
@@ -10,8 +10,10 @@
 
 #pragma once
 
+#include <osquery/utils/system/linux/ebpf/program.h>
+#include <osquery/utils/system/linux/tracing/native_event.h>
+
 #include <osquery/utils/expected/expected.h>
-#include <osquery/utils/system/linux/tracing/types.h>
 
 namespace osquery {
 namespace events {
@@ -31,18 +33,22 @@ class EbpfTracepoint final {
 
   ~EbpfTracepoint();
 
-  static Expected<EbpfTracepoint, Error> load(
-      tracing::SystemEventId system_event_id, int ebpf_prog_fd);
+  static Expected<EbpfTracepoint, Error> load(tracing::NativeEvent system_event,
+                                              ebpf::Program program);
 
  private:
-  explicit EbpfTracepoint() = default;
+  explicit EbpfTracepoint(tracing::NativeEvent system_event,
+                          ebpf::Program program);
 
   ExpectedSuccess<Error> unload();
 
   void forceUnload();
 
  private:
   int fd_ = -1;
+
+  tracing::NativeEvent system_event_;
+  ebpf::Program program_;
 };
 
 } // namespace events

diff --git a/osquery/events/linux/probes/tests/BUCK b/osquery/events/linux/probes/tests/BUCK
@@ -19,7 +19,6 @@ osquery_cxx_test(
         (
             LINUX,
             [
-                "ebpf_tracepoint.cpp",
                 "syscall_event.cpp",
             ],
         ),

diff --git a/osquery/events/linux/probes/tests/ebpf_tracepoint.cpp b/osquery/events/linux/probes/tests/ebpf_tracepoint.cpp