Initial commit

Author: yunwei37

.devcontainer/devcontainer.json

@@ -0,0 +1,6 @@
+{
+	"build": {
+		"context": "..",
+		"dockerfile": "../dev.dockerfile"
+	}
+}

.envrc

@@ -0,0 +1 @@
+use flake

.github/workflows/docker.yml

@@ -0,0 +1,53 @@
+name: Build and public docker image
+
+on:
+  push:
+    branches: "master"
+
+jobs:
+  build-and-push-image:
+    runs-on: ubuntu-latest
+    # run only when code is compiling and tests are passing
+    if: "!contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[ci skip]')"
+    # steps to perform in job
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          submodules: 'recursive'
+
+      - name: install deps
+        run: |
+          sudo apt-get install -y --no-install-recommends \
+          libelf1 libelf-dev zlib1g-dev libclang-13-dev \
+          make git clang llvm pkg-config build-essential
+
+      - name: build package
+        run:  make build
+
+      # setup Docker buld action
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Login to Github Packages
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build image and push to GitHub Container Registry
+        uses: docker/build-push-action@v2
+        with:
+          # relative path to the place where source code with Dockerfile is located
+          context: ./
+          file: dockerfile
+          platforms: linux/amd64
+          # Note: tags has to be all lower-case
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/libbpf-template:latest
+          push: true
+
+      - name: Image digest
+        run: echo ${{ steps.docker_build.outputs.digest }}

.github/workflows/publish.yml

@@ -0,0 +1,71 @@
+name: Build and publish
+
+on:
+  push:
+    branches: "master"
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    if: "!contains(github.event.head_commit.message, '[skip ci]') && !contains(github.event.head_commit.message, '[ci skip]')"
+    strategy:
+      matrix:
+        target: [ x86_64-unknown-linux-gnu ]
+
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        submodules: 'recursive'
+
+    - name: Set latest release version
+      if:   github.event_name == 'push' && github.ref == 'refs/heads/master'
+      id: set_version
+      uses: actions/github-script@v6
+      with:
+        result-encoding: string
+        script: |
+          const { data: releases } = await github.rest.repos.listReleases({
+            owner: context.repo.owner,
+            repo: context.repo.repo,
+          });
+          
+          const { data: tags } = await github.rest.repos.listTags({
+            owner: context.repo.owner,
+            repo: context.repo.repo
+          });
+          
+          if (releases.length === 0) { return "v0.0.1"; }
+         
+          function increase_v(version) {
+            const parts = version.split(".");
+            const last = parseInt(parts[2]) + 1;
+            const next_version = `${parts[0]}.${parts[1]}.${last.toString()}`;
+            return next_version;
+          }
+          
+          const latest_release_tag = releases[0].tag_name;
+          
+          const tag = tags.find(tag => tag.commit.sha === context.sha);
+          
+          return tag ? tag.name : increase_v(latest_release_tag)
+
+    - name: install deps
+      run: |
+        sudo apt-get install -y --no-install-recommends \
+        libelf1 libelf-dev zlib1g-dev libclang-13-dev \
+        make git clang llvm pkg-config build-essential
+
+    - name: build package
+      run:  make build
+
+    - name: Publish
+      if:   github.event_name == 'push' && github.ref == 'refs/heads/master'
+      uses: softprops/action-gh-release@v1
+      with:
+          files: |
+            src/bootstrap
+          prerelease: false
+          tag_name: ${{ steps.set_version.outputs.result }}
+          generate_release_notes: true
+      env:
+        GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.gitignore

@@ -0,0 +1,2 @@
+.direnv
+/build

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "libbpf"]
+	path = libbpf
+	url = https://github.com/libbpf/libbpf.git
+[submodule "bpftool"]
+	path = bpftool
+	url = https://github.com/libbpf/bpftool.git

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2022 eunomia-bpf org.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

Makefile

@@ -0,0 +1,11 @@
+build:
+	make -C src
+
+clean:
+	make -C src clean
+
+install:
+	sudo apt update
+	sudo apt-get install -y --no-install-recommends \
+        libelf1 libelf-dev zlib1g-dev \
+        make clang llvm

README.md

@@ -0,0 +1,147 @@
+# **libbpf-starter-template**
+
+![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)
+[![Build and publish](https://github.com/eunomia-bpf/libbpf-starter-template/actions/workflows/publish.yml/badge.svg)](https://github.com/eunomia-bpf/libbpf-starter-template/actions/workflows/publish.yml)
+![GitHub stars](https://img.shields.io/github/stars/eunomia-bpf/libbpf-starter-template?style=social)
+
+Welcome to the **`libbpf-starter-template`**! This project template is designed to help you quickly start
+developing eBPF projects using libbpf in C. The template provides a solid starting point with a Makefile, 
+Dockerfile, and GitHub action, along with all necessary dependencies to simplify your development process.
+
+借助于 GitHub 模板和 Github Codespace，可以轻松构建 eBPF 项目和开发环境，一键在线编译运行 eBPF 程序。关于中文的文档和详细的 eBPF 开发教程，可以参考：https://github.com/eunomia-bpf/bpf-developer-tutorial
+
+There are other templates for other languages:
+
+- <https://github.com/eunomia-bpf/libbpf-starter-template>: eBPF project template based on the C language and the libbpf framework.
+- <https://github.com/eunomia-bpf/cilium-ebpf-starter-template>: eBPF project template based on the Go language and the cilium/ebpf framework.
+- <https://github.com/eunomia-bpf/libbpf-rs-starter-template>: eBPF project template based on the Rust language and the libbpf-rs framework.
+- <https://github.com/eunomia-bpf/eunomia-template>: eBPF project template based on the C language and the eunomia-bpf framework.
+
+## **Getting Started**
+
+To get started, simply click the "Use this template" button on the GitHub repository page. This will create
+a new repository in your account with the same files and structure as this template.
+
+### Use docker
+
+Run the following code to run the eBPF code from the cloud to your local machine in one line:
+
+```console
+$ sudo docker run --rm -it --privileged ghcr.io/eunomia-bpf/libbpf-template:latest
+TIME     EVENT COMM             PID     PPID    FILENAME/EXIT CODE
+09:25:14 EXEC  sh               28142   1788    /bin/sh
+09:25:14 EXEC  playerctl        28142   1788    /nix/store/vf3rsb7j3p7zzyjpb0a3axl8yq4z1sq5-playerctl-2.4.1/bin/playerctl
+09:25:14 EXIT  playerctl        28142   1788    [1] (6ms)
+09:25:15 EXEC  sh               28145   1788    /bin/sh
+09:25:15 EXEC  playerctl        28145   1788    /nix/store/vf3rsb7j3p7zzyjpb0a3axl8yq4z1sq5-playerctl-2.4.1/bin/playerctl
+09:25:15 EXIT  playerctl        28145   1788    [1] (6ms)
+```
+
+### Use Nix
+
+Using [direnv](https://github.com/direnv/direnv) and nix, you can quickly access a dev shell with a complete development environment.
+
+With direnv, you can automatically load the required dependencies when you enter the directory.
+This way you don't have to worry about installing dependencies to break your other project development environment.
+
+See how to install direnv and Nix:
+- direnv: https://github.com/direnv/direnv/blob/master/docs/installation.md
+- Nix: run
+```
+sh <(curl -L https://nixos.org/nix/install) --daemon
+```
+
+Then use the following command to enable direnv support in this directory.
+
+```sh
+direnv allow
+```
+
+If you want use nix flake without direnv, simply run:
+
+```sh
+nix develop
+```
+
+## **Features**
+
+This starter template includes the following features:
+
+- A **`Makefile`** that allows you to build the project in one command
+- A **`Dockerfile`** to create a containerized environment for your project
+- A **`flake.nix`** to enter a dev shell with needed dependencies
+- A GitHub action to automate your build and publish process
+  and docker image
+- All necessary dependencies for C development with libbpf
+
+## **How to use**
+
+### **1. Create a new repository using this template**
+
+Click the "Use this template" button on the GitHub repository page to create a new repository based on this template.
+
+### **2. Clone your new repository**
+
+Clone your newly created repository to your local machine:
+
+```sh
+git clone https://github.com/your_username/your_new_repository.git --recursive
+```
+
+Or after clone the repo, you can update the git submodule with following commands:
+
+```sh
+git submodule update --init --recursive
+```
+
+### **3. Install dependencies**
+
+For dependencies, it varies from distribution to distribution. You can refer to shell.nix and dockerfile for installation.
+
+On Ubuntu, you may run `make install` or
+
+```sh
+sudo apt-get install -y --no-install-recommends \
+        libelf1 libelf-dev zlib1g-dev \
+        make clang llvm
+```
+
+to install dependencies.
+
+### **4. Build the project**
+
+To build the project, run the following command:
+
+```sh
+make build
+```
+
+This will compile your code and create the necessary binaries. You can you the `Github Code space` or `Github Action` to build the project as well.
+
+### ***Run the Project***
+
+You can run the binary with:
+
+```console
+sudo src/bootstrap
+```
+
+Or with Github Packages locally:
+
+```console
+docker run --rm -it --privileged -v $(pwd):/examples ghcr.io/eunomia-bpf/libbpf-template:latest
+```
+
+### **7. GitHub Actions**
+
+This template also includes a GitHub action that will automatically build and publish your project when you push to the repository.
+To customize this action, edit the **`.github/workflows/publish.yml`** file.
+
+## **Contributing**
+
+We welcome contributions to improve this template! If you have any ideas or suggestions,
+feel free to create an issue or submit a pull request.
+
+## **License**
+
+This project is licensed under the MIT License. See the **[LICENSE](LICENSE)** file for more information.

bpftool

@@ -0,0 +1,15 @@
+FROM ubuntu:22.04
+
+WORKDIR /root/
+COPY . /root/
+
+RUN apt-get update -y && \
+    apt-get install -y --no-install-recommends \
+      libelf1 libelf-dev zlib1g-dev libclang-13-dev \
+      make git clang llvm pkg-config build-essential && \
+    apt-get install -y --no-install-recommends ca-certificates	&& \
+	  update-ca-certificates	&& \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
+
+ENTRYPOINT ["/bin/bash"]

dev.dockerfile

@@ -0,0 +1,10 @@
+FROM ubuntu:22.04
+
+WORKDIR /root/
+COPY . /root/
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends libelf1 \
+    && rm -rf /var/lib/apt/lists/*
+
+ENTRYPOINT ["/root/src/bootstrap"]

dockerfile

@@ -0,0 +1,31 @@
+{
+  description = "libbpf starter template";
+
+  inputs = {
+    flake-utils.url = "github:numtide/flake-utils";
+    nixpkgs.url = "nixpkgs/nixos-unstable";
+  };
+
+  outputs = { self, nixpkgs, flake-utils }:
+    flake-utils.lib.eachDefaultSystem (system:
+      let
+        pkgs = nixpkgs.legacyPackages.${system};
+      in
+      {
+        devShell = pkgs.mkShell {
+          name = "libbpf-template";
+          nativeBuildInputs = with pkgs; [
+            clang
+            llvm
+            pkg-config
+          ];
+
+          packages = with pkgs; [
+            elfutils
+            zlib
+          ];
+        };
+      }
+    );
+}
+

flake.lock

@@ -0,0 +1,2 @@
+/.output
+/bootstrap

flake.nix

@@ -0,0 +1,110 @@
+# SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+OUTPUT := .output
+CLANG ?= clang
+LLVM_STRIP ?= llvm-strip
+LIBBPF_SRC := $(abspath ../libbpf/src)
+BPFTOOL_SRC := $(abspath ../bpftool/src)
+LIBBPF_OBJ := $(abspath $(OUTPUT)/libbpf.a)
+BPFTOOL_OUTPUT ?= $(abspath $(OUTPUT)/bpftool)
+BPFTOOL ?= $(BPFTOOL_OUTPUT)/bootstrap/bpftool
+ARCH ?= $(shell uname -m | sed 's/x86_64/x86/' \
+			 | sed 's/aarch64/arm64/' \
+			 | sed 's/ppc64le/powerpc/' \
+			 | sed 's/mips.*/mips/' \
+			 | sed 's/arm.*/arm/' \
+			 | sed 's/riscv64/riscv/')
+VMLINUX := ../vmlinux/$(ARCH)/vmlinux.h
+# Use our own libbpf API headers and Linux UAPI headers distributed with
+# libbpf to avoid dependency on system-wide headers, which could be missing or
+# outdated
+INCLUDES := -I$(OUTPUT) -I../libbpf/include/uapi -I$(dir $(VMLINUX))
+CFLAGS := -g -Wall
+ALL_LDFLAGS := $(LDFLAGS) $(EXTRA_LDFLAGS)
+
+APPS = bootstrap
+
+# Get Clang's default includes on this system. We'll explicitly add these dirs
+# to the includes list when compiling with `-target bpf` because otherwise some
+# architecture-specific dirs will be "missing" on some architectures/distros -
+# headers such as asm/types.h, asm/byteorder.h, asm/socket.h, asm/sockios.h,
+# sys/cdefs.h etc. might be missing.
+#
+# Use '-idirafter': Don't interfere with include mechanics except where the
+# build would have failed anyways.
+CLANG_BPF_SYS_INCLUDES = $(shell $(CLANG) -v -E - </dev/null 2>&1 \
+	| sed -n '/<...> search starts here:/,/End of search list./{ s| \(/.*\)|-idirafter \1|p }')
+
+ifeq ($(V),1)
+	Q =
+	msg =
+else
+	Q = @
+	msg = @printf '  %-8s %s%s\n'					\
+		      "$(1)"						\
+		      "$(patsubst $(abspath $(OUTPUT))/%,%,$(2))"	\
+		      "$(if $(3), $(3))";
+	MAKEFLAGS += --no-print-directory
+endif
+
+define allow-override
+  $(if $(or $(findstring environment,$(origin $(1))),\
+            $(findstring command line,$(origin $(1)))),,\
+    $(eval $(1) = $(2)))
+endef
+
+$(call allow-override,CC,$(CROSS_COMPILE)cc)
+$(call allow-override,LD,$(CROSS_COMPILE)ld)
+
+.PHONY: all
+all: $(APPS)
+
+.PHONY: clean
+clean:
+	$(call msg,CLEAN)
+	$(Q)rm -rf $(OUTPUT) $(APPS)
+
+$(OUTPUT) $(OUTPUT)/libbpf $(BPFTOOL_OUTPUT):
+	$(call msg,MKDIR,$@)
+	$(Q)mkdir -p $@
+
+# Build libbpf
+$(LIBBPF_OBJ): $(wildcard $(LIBBPF_SRC)/*.[ch] $(LIBBPF_SRC)/Makefile) | $(OUTPUT)/libbpf
+	$(call msg,LIB,$@)
+	$(Q)$(MAKE) -C $(LIBBPF_SRC) BUILD_STATIC_ONLY=1		      \
+		    OBJDIR=$(dir $@)/libbpf DESTDIR=$(dir $@)		      \
+		    INCLUDEDIR= LIBDIR= UAPIDIR=			      \
+		    install
+
+# Build bpftool
+$(BPFTOOL): | $(BPFTOOL_OUTPUT)
+	$(call msg,BPFTOOL,$@)
+	$(Q)$(MAKE) ARCH= CROSS_COMPILE= OUTPUT=$(BPFTOOL_OUTPUT)/ -C $(BPFTOOL_SRC) bootstrap
+
+# Build BPF code
+$(OUTPUT)/%.bpf.o: %.bpf.c $(LIBBPF_OBJ) $(wildcard %.h) $(VMLINUX) | $(OUTPUT)
+	$(call msg,BPF,$@)
+	$(Q)$(CLANG) -g -fstack-protector -O2 -target bpf -D__TARGET_ARCH_$(ARCH) $(INCLUDES) $(CLANG_BPF_SYS_INCLUDES) -c $(filter %.c,$^) -o $@
+	$(Q)$(LLVM_STRIP) -g $@ # strip useless DWARF info
+
+# Generate BPF skeletons
+$(OUTPUT)/%.skel.h: $(OUTPUT)/%.bpf.o | $(OUTPUT) $(BPFTOOL)
+	$(call msg,GEN-SKEL,$@)
+	$(Q)$(BPFTOOL) gen skeleton $< > $@
+
+# Build user-space code
+$(patsubst %,$(OUTPUT)/%.o,$(APPS)): %.o: %.skel.h
+
+$(OUTPUT)/%.o: %.c $(wildcard %.h) | $(OUTPUT)
+	$(call msg,CC,$@)
+	$(Q)$(CC) $(CFLAGS) $(INCLUDES) -c $(filter %.c,$^) -o $@
+
+# Build application binary
+$(APPS): %: $(OUTPUT)/%.o $(LIBBPF_OBJ) | $(OUTPUT)
+	$(call msg,BINARY,$@)
+	$(Q)$(CC) $(CFLAGS) $^ $(ALL_LDFLAGS) -lelf -lz -o $@
+
+# delete failed targets
+.DELETE_ON_ERROR:
+
+# keep intermediate (.skel.h, .bpf.o, etc) targets
+.SECONDARY:

libbpf

@@ -0,0 +1,112 @@
+// SPDX-License-Identifier: GPL-2.0 OR BSD-3-Clause
+/* Copyright (c) 2020 Facebook */
+#include "vmlinux.h"
+#include <bpf/bpf_helpers.h>
+#include <bpf/bpf_tracing.h>
+#include <bpf/bpf_core_read.h>
+#include "bootstrap.h"
+
+char LICENSE[] SEC("license") = "Dual BSD/GPL";
+
+struct {
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 8192);
+	__type(key, pid_t);
+	__type(value, u64);
+} exec_start SEC(".maps");
+
+struct {
+	__uint(type, BPF_MAP_TYPE_RINGBUF);
+	__uint(max_entries, 256 * 1024);
+} rb SEC(".maps");
+
+const volatile unsigned long long min_duration_ns = 0;
+
+SEC("tp/sched/sched_process_exec")
+int handle_exec(struct trace_event_raw_sched_process_exec *ctx)
+{
+	struct task_struct *task;
+	unsigned fname_off;
+	struct event *e;
+	pid_t pid;
+	u64 ts;
+
+	/* remember time exec() was executed for this PID */
+	pid = bpf_get_current_pid_tgid() >> 32;
+	ts = bpf_ktime_get_ns();
+	bpf_map_update_elem(&exec_start, &pid, &ts, BPF_ANY);
+
+	/* don't emit exec events when minimum duration is specified */
+	if (min_duration_ns)
+		return 0;
+
+	/* reserve sample from BPF ringbuf */
+	e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+	if (!e)
+		return 0;
+
+	/* fill out the sample with data */
+	task = (struct task_struct *)bpf_get_current_task();
+
+	e->exit_event = false;
+	e->pid = pid;
+	e->ppid = BPF_CORE_READ(task, real_parent, tgid);
+	bpf_get_current_comm(&e->comm, sizeof(e->comm));
+
+	fname_off = ctx->__data_loc_filename & 0xFFFF;
+	bpf_probe_read_str(&e->filename, sizeof(e->filename), (void *)ctx + fname_off);
+
+	/* successfully submit it to user-space for post-processing */
+	bpf_ringbuf_submit(e, 0);
+	return 0;
+}
+
+SEC("tp/sched/sched_process_exit")
+int handle_exit(struct trace_event_raw_sched_process_template* ctx)
+{
+	struct task_struct *task;
+	struct event *e;
+	pid_t pid, tid;
+	u64 id, ts, *start_ts, duration_ns = 0;
+	
+	/* get PID and TID of exiting thread/process */
+	id = bpf_get_current_pid_tgid();
+	pid = id >> 32;
+	tid = (u32)id;
+
+	/* ignore thread exits */
+	if (pid != tid)
+		return 0;
+
+	/* if we recorded start of the process, calculate lifetime duration */
+	start_ts = bpf_map_lookup_elem(&exec_start, &pid);
+	if (start_ts)
+		duration_ns = bpf_ktime_get_ns() - *start_ts;
+	else if (min_duration_ns)
+		return 0;
+	bpf_map_delete_elem(&exec_start, &pid);
+
+	/* if process didn't live long enough, return early */
+	if (min_duration_ns && duration_ns < min_duration_ns)
+		return 0;
+
+	/* reserve sample from BPF ringbuf */
+	e = bpf_ringbuf_reserve(&rb, sizeof(*e), 0);
+	if (!e)
+		return 0;
+
+	/* fill out the sample with data */
+	task = (struct task_struct *)bpf_get_current_task();
+
+	e->exit_event = true;
+	e->duration_ns = duration_ns;
+	e->pid = pid;
+	e->ppid = BPF_CORE_READ(task, real_parent, tgid);
+	e->exit_code = (BPF_CORE_READ(task, exit_code) >> 8) & 0xff;
+	bpf_get_current_comm(&e->comm, sizeof(e->comm));
+
+	/* send data to user-space for post-processing */
+	bpf_ringbuf_submit(e, 0);
+	return 0;
+}
+

src/.gitignore

@@ -0,0 +1,173 @@
+// SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause)
+/* Copyright (c) 2020 Facebook */
+#include <argp.h>
+#include <signal.h>
+#include <stdio.h>
+#include <time.h>
+#include <sys/resource.h>
+#include <bpf/libbpf.h>
+#include "bootstrap.h"
+#include "bootstrap.skel.h"
+
+static struct env {
+	bool verbose;
+	long min_duration_ms;
+} env;
+
+const char *argp_program_version = "bootstrap 0.0";
+const char *argp_program_bug_address = "<bpf@vger.kernel.org>";
+const char argp_program_doc[] =
+"BPF bootstrap demo application.\n"
+"\n"
+"It traces process start and exits and shows associated \n"
+"information (filename, process duration, PID and PPID, etc).\n"
+"\n"
+"USAGE: ./bootstrap [-d <min-duration-ms>] [-v]\n";
+
+static const struct argp_option opts[] = {
+	{ "verbose", 'v', NULL, 0, "Verbose debug output" },
+	{ "duration", 'd', "DURATION-MS", 0, "Minimum process duration (ms) to report" },
+	{},
+};
+
+static error_t parse_arg(int key, char *arg, struct argp_state *state)
+{
+	switch (key) {
+	case 'v':
+		env.verbose = true;
+		break;
+	case 'd':
+		errno = 0;
+		env.min_duration_ms = strtol(arg, NULL, 10);
+		if (errno || env.min_duration_ms <= 0) {
+			fprintf(stderr, "Invalid duration: %s\n", arg);
+			argp_usage(state);
+		}
+		break;
+	case ARGP_KEY_ARG:
+		argp_usage(state);
+		break;
+	default:
+		return ARGP_ERR_UNKNOWN;
+	}
+	return 0;
+}
+
+static const struct argp argp = {
+	.options = opts,
+	.parser = parse_arg,
+	.doc = argp_program_doc,
+};
+
+static int libbpf_print_fn(enum libbpf_print_level level, const char *format, va_list args)
+{
+	if (level == LIBBPF_DEBUG && !env.verbose)
+		return 0;
+	return vfprintf(stderr, format, args);
+}
+
+static volatile bool exiting = false;
+
+static void sig_handler(int sig)
+{
+	exiting = true;
+}
+
+static int handle_event(void *ctx, void *data, size_t data_sz)
+{
+	const struct event *e = data;
+	struct tm *tm;
+	char ts[32];
+	time_t t;
+
+	time(&t);
+	tm = localtime(&t);
+	strftime(ts, sizeof(ts), "%H:%M:%S", tm);
+
+	if (e->exit_event) {
+		printf("%-8s %-5s %-16s %-7d %-7d [%u]",
+		       ts, "EXIT", e->comm, e->pid, e->ppid, e->exit_code);
+		if (e->duration_ns)
+			printf(" (%llums)", e->duration_ns / 1000000);
+		printf("\n");
+	} else {
+		printf("%-8s %-5s %-16s %-7d %-7d %s\n",
+		       ts, "EXEC", e->comm, e->pid, e->ppid, e->filename);
+	}
+
+	return 0;
+}
+
+int main(int argc, char **argv)
+{
+	struct ring_buffer *rb = NULL;
+	struct bootstrap_bpf *skel;
+	int err;
+
+	/* Parse command line arguments */
+	err = argp_parse(&argp, argc, argv, 0, NULL, NULL);
+	if (err)
+		return err;
+
+	/* Set up libbpf errors and debug info callback */
+	libbpf_set_print(libbpf_print_fn);
+
+	/* Cleaner handling of Ctrl-C */
+	signal(SIGINT, sig_handler);
+	signal(SIGTERM, sig_handler);
+
+	/* Load and verify BPF application */
+	skel = bootstrap_bpf__open();
+	if (!skel) {
+		fprintf(stderr, "Failed to open and load BPF skeleton\n");
+		return 1;
+	}
+
+	/* Parameterize BPF code with minimum duration parameter */
+	skel->rodata->min_duration_ns = env.min_duration_ms * 1000000ULL;
+
+	/* Load & verify BPF programs */
+	err = bootstrap_bpf__load(skel);
+	if (err) {
+		fprintf(stderr, "Failed to load and verify BPF skeleton\n");
+		goto cleanup;
+	}
+
+	/* Attach tracepoints */
+	err = bootstrap_bpf__attach(skel);
+	if (err) {
+		fprintf(stderr, "Failed to attach BPF skeleton\n");
+		goto cleanup;
+	}
+
+	/* Set up ring buffer polling */
+	rb = ring_buffer__new(bpf_map__fd(skel->maps.rb), handle_event, NULL, NULL);
+	if (!rb) {
+		err = -1;
+		fprintf(stderr, "Failed to create ring buffer\n");
+		goto cleanup;
+	}
+
+	/* Process events */
+	printf("%-8s %-5s %-16s %-7s %-7s %s\n",
+	       "TIME", "EVENT", "COMM", "PID", "PPID", "FILENAME/EXIT CODE");
+	while (!exiting) {
+		err = ring_buffer__poll(rb, 100 /* timeout, ms */);
+		/* Ctrl-C will cause -EINTR */
+		if (err == -EINTR) {
+			err = 0;
+			break;
+		}
+		if (err < 0) {
+			printf("Error polling perf buffer: %d\n", err);
+			break;
+		}
+	}
+
+cleanup:
+	/* Clean up */
+	ring_buffer__free(rb);
+	bootstrap_bpf__destroy(skel);
+
+	return err < 0 ? -err : 0;
+}

src/Makefile

@@ -0,0 +1,19 @@
+/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
+/* Copyright (c) 2020 Facebook */
+#ifndef __BOOTSTRAP_H
+#define __BOOTSTRAP_H
+
+#define TASK_COMM_LEN 16
+#define MAX_FILENAME_LEN 127
+
+struct event {
+	int pid;
+	int ppid;
+	unsigned exit_code;
+	unsigned long long duration_ns;
+	char comm[TASK_COMM_LEN];
+	char filename[MAX_FILENAME_LEN];
+	bool exit_event;
+};
+
+#endif /* __BOOTSTRAP_H */

src/bootstrap.bpf.c

@@ -0,0 +1 @@
+vmlinux_62.h

src/bootstrap.c

@@ -0,0 +1 @@
+vmlinux_601.h

src/bootstrap.h

@@ -0,0 +1 @@
+vmlinux_602.h

vmlinux/arm/vmlinux.h

@@ -0,0 +1 @@
+x86/vmlinux.h

vmlinux/arm/vmlinux_62.h

@@ -0,0 +1 @@
+vmlinux_601.h