gobpf | Go bindings for creating BPF programs

 by   iovisor C Version: v0.2.0 License: Apache-2.0

kandi X-RAY | gobpf Summary

kandi X-RAY | gobpf Summary

gobpf is a C library. gobpf has no bugs, it has no vulnerabilities, it has a Permissive License and it has medium support. You can download it from GitHub.

This repository provides go bindings for the bcc framework as well as low-level routines to load and use eBPF programs from .elf files. Input and contributions are very welcome. We recommend vendoring gobpf and pinning its version as the API is regularly changing following bcc and Linux updates and releases.
Support
    Quality
      Security
        License
          Reuse

            kandi-support Support

              gobpf has a medium active ecosystem.
              It has 1913 star(s) with 299 fork(s). There are 55 watchers for this library.
              OutlinedDot
              It had no major release in the last 6 months.
              There are 54 open issues and 56 have been closed. On average issues are closed in 136 days. There are 25 open pull requests and 0 closed requests.
              It has a neutral sentiment in the developer community.
              The latest version of gobpf is v0.2.0

            kandi-Quality Quality

              gobpf has 0 bugs and 0 code smells.

            kandi-Security Security

              gobpf has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              gobpf code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            kandi-License License

              gobpf is licensed under the Apache-2.0 License. This license is Permissive.
              Permissive licenses have the least restrictions, and you can use them in most projects.

            kandi-Reuse Reuse

              gobpf releases are not available. You will need to build from source code and install.
              Installation instructions are not available. Examples and code snippets are available.
              It has 4772 lines of code, 281 functions and 41 files.
              It has high code complexity. Code complexity directly impacts maintainability of the code.

            Top functions reviewed by kandi - BETA

            kandi's functional review helps you automatically verify the functionalities of the libraries and avoid rework.
            Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of gobpf
            Get all kandi verified functions for this library.

            gobpf Key Features

            No Key Features are available at this moment for gobpf.

            gobpf Examples and Code Snippets

            No Code Snippets are available at this moment for gobpf.

            Community Discussions

            QUESTION

            Permission denied when retrieving a field from a pointer to a large structure in a BPF program
            Asked 2019-Dec-12 at 09:45

            I am trying to write a BPF program that examines the session ID of any process that calls the tty_write kernel function. In order to retrieve the ID I need to follow a number of fields from a pointer to the current task_struct, however retrieving the group_leader pointer from a pointer to the current task seems to error because the offset from the current task pointer is too large. My BPF program code is as follows:

            ...

            ANSWER

            Answered 2018-Feb-13 at 09:59

            I don't think it's an issue with the offset being too large. There's an issue with field randomization that affects struct task_struct in Linux 4.13.

            You can either use a different kernel, or put the following, before your #includes:

            Source https://stackoverflow.com/questions/48757705

            QUESTION

            Error while loading a BPF program that copies a buffer to the BPF stack
            Asked 2019-Dec-12 at 09:45

            I am trying to load a BPF program that simply copies the buf parameter of tty_write to the BPF stack. My program is as follows:

            ...

            ANSWER

            Answered 2018-Feb-10 at 18:50

            As you've discovered yourself, the issue comes from the use of additional parameters to kprobe__tty_write. This works in ttysnoop because it uses bcc to compile and load BPF programs. bcc actually rewrites the additional parameters to the ctx->xx dereferences. You can see this with the following snippet:

            Source https://stackoverflow.com/questions/48721256

            QUESTION

            eBPF: How can the sockaddr struct be read when hooking into security_socket_connect
            Asked 2019-Nov-21 at 16:13

            As proposed in the presentation Security Monitoring with eBPF I'm trying to hook into security_socket_connect.

            While my gobpf/bcc based code partly works, I seem not be able to read the IP address in the sockaddr struct.

            The relevant part looks like this:

            ...

            ANSWER

            Answered 2019-Jun-12 at 18:13

            I figured it out thanks to an answer to issue #1858 in the bcc repo.

            We have to operate on the pointer, so the IP address can be read like this:

            Source https://stackoverflow.com/questions/56526650

            QUESTION

            eBPF, track values longer than stack size?
            Asked 2019-Mar-07 at 17:02

            I'm extending a program which take arguments of traced function and print it. Everything works fine with numeric arguments and short strings. But it's not clear how to handle with long string that longer than stack size in eBPF (which is limited with 512 byte).

            In example below, string is limited by 80 bytes, of course it can be increased up to 512, but how to track more longer strings?

            Example of C program with traced function which called "ameba"

            ...

            ANSWER

            Answered 2018-Dec-06 at 17:32

            I read about BPF_MAP_TYPE_PERCPU_ARRAY could help in such case, but it's not clear for me how to use it.

            You're right. Peeps usually rely on per-cpu arrays to overcome stack size limitations. The following implements that sort of solution, whereby I'm using a per-cpu array to store struct ameba_event_t instead of storing it on the stack.

            I think you're going to need Linux v4.18 to be able to do this (you need commit d71962f). I haven't tested the code as I don't have the right setup at hand, but can later if you run into any issue.

            Source https://stackoverflow.com/questions/53627094

            QUESTION

            golang, ebpf and functions duration
            Asked 2019-Mar-07 at 17:02

            I'm playing with gobpf and have got an issue with calculating a duration of traced user-space function. I use bpf_ktime_get_ns() to read time and then trying to calculate delta, but got enormous numbers, though traced function sleeps just 1 second.

            Here is the tested C-program, which has a function called "ameba".

            ...

            ANSWER

            Answered 2018-Nov-18 at 08:37

            This looks like it is caused by a mismatch of paddings between kernel and user sides. The data_t structure is actually padded at compile-time to be equivalent to the following:

            Source https://stackoverflow.com/questions/53324158

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install gobpf

            You can download it from GitHub.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            Find more information at:

            Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items

            Find more libraries
            CLONE
          • HTTPS

            https://github.com/iovisor/gobpf.git

          • CLI

            gh repo clone iovisor/gobpf

          • sshUrl

            git@github.com:iovisor/gobpf.git

          • Stay Updated

            Subscribe to our newsletter for trending solutions and developer bootcamps

            Agree to Sign up and Terms & Conditions

            Share this Page

            share link