gobpf | Go bindings for creating BPF programs
kandi X-RAY | gobpf Summary
This repository provides go bindings for the bcc framework as well as low-level routines to load and use eBPF programs from .elf files. Input and contributions are very welcome. We recommend vendoring gobpf and pinning its version as the API is regularly changing following bcc and Linux updates and releases.
Community Discussions
Trending Discussions on gobpf
QUESTION
I am trying to write a BPF program that examines the session ID of any process that calls the tty_write kernel function. In order to retrieve the ID I need to follow a number of fields from a pointer to the current task_struct, however retrieving the group_leader pointer from a pointer to the current task seems to error because the offset from the current task pointer is too large. My BPF program code is as follows:
ANSWER
Answered 2018-Feb-13 at 09:59
I don't think it's an issue with the offset being too large. There's an issue with field randomization that affects struct task_struct in Linux 4.13.
You can either use a different kernel, or put the following before your #includes:
QUESTION
I am trying to load a BPF program that simply copies the buf parameter of tty_write to the BPF stack. My program is as follows:
ANSWER
Answered 2018-Feb-10 at 18:50
As you've discovered yourself, the issue comes from the use of additional parameters to kprobe__tty_write. This works in ttysnoop because it uses bcc to compile and load BPF programs. bcc actually rewrites the additional parameters to the ctx->xx dereferences. You can see this with the following snippet:
QUESTION
As proposed in the presentation Security Monitoring with eBPF, I'm trying to hook into security_socket_connect.
While my gobpf/bcc based code partly works, I seem not to be able to read the IP address in the sockaddr struct.
The relevant part looks like this:
...
ANSWER
Answered 2019-Jun-12 at 18:13
I figured it out thanks to an answer to issue #1858 in the bcc repo.
We have to operate on the pointer, so the IP address can be read like this:
QUESTION
I'm extending a program which takes the arguments of a traced function and prints them. Everything works fine with numeric arguments and short strings. But it's not clear how to handle a long string that is longer than the stack size in eBPF (which is limited to 512 bytes).
In the example below, the string is limited to 80 bytes; of course it can be increased up to 512, but how to track longer strings?
Example of a C program with a traced function called "ameba"
...
ANSWER
Answered 2018-Dec-06 at 17:32
I read about BPF_MAP_TYPE_PERCPU_ARRAY could help in such case, but it's not clear for me how to use it.
You're right. Peeps usually rely on per-cpu arrays to overcome stack size limitations. The following implements that sort of solution, whereby I'm using a per-cpu array to store struct ameba_event_t instead of storing it on the stack.
I think you're going to need Linux v4.18 to be able to do this (you need commit d71962f). I haven't tested the code as I don't have the right setup at hand, but can later if you run into any issue.
QUESTION
I'm playing with gobpf and have got an issue with calculating the duration of a traced user-space function. I use bpf_ktime_get_ns() to read the time and then try to calculate the delta, but get enormous numbers, though the traced function sleeps just 1 second.
Here is the tested C program, which has a function called "ameba".
...
ANSWER
Answered 2018-Nov-18 at 08:37
This looks like it is caused by a mismatch of paddings between kernel and user sides. The data_t structure is actually padded at compile-time to be equivalent to the following:
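The padding mismatch described in the answer above, as an added Go example that is not part of the original answer or of gobpf. The struct layout, field names and sample values are hypothetical (the original data_t is not shown on this page), and a little-endian host is assumed; it shows how decoding with encoding/binary into a struct without the padding turns a 1-second delta into an enormous number, and how a size check catches the mismatch.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
)

// Hypothetical kernel-side record (constructed for this example):
//   struct data_t { u32 pid; u64 delta_ns; };
// delta_ns is 8-byte aligned, so 4 padding bytes follow pid (16 bytes total).
// packedEvent has no padding: binary.Read reads DeltaNs from offset 4.
type packedEvent struct {
	Pid     uint32
	DeltaNs uint64
}

// paddedEvent mirrors the C layout; binary.Read skips blank fields.
type paddedEvent struct {
	Pid     uint32
	_       uint32
	DeltaNs uint64
}

// kernelRecord builds the 16 bytes a little-endian kernel would emit.
func kernelRecord(pid uint32, deltaNs uint64) []byte {
	buf := make([]byte, 16)
	binary.LittleEndian.PutUint32(buf[0:4], pid)
	binary.LittleEndian.PutUint64(buf[8:16], deltaNs)
	return buf
}

// decode fills out (pointer to a fixed-size struct). With checkSize it
// rejects records whose length differs from the struct's encoded size.
func decode(raw []byte, out interface{}, checkSize bool) error {
	if want := binary.Size(out); checkSize && want != len(raw) {
		return fmt.Errorf("record is %d bytes, struct expects %d", len(raw), want)
	}
	return binary.Read(bytes.NewReader(raw), binary.LittleEndian, out)
}

func main() {
	raw := kernelRecord(4242, 1000000000) // constructed sample: 1 s in ns
	var bad packedEvent
	var good paddedEvent
	fmt.Println(decode(raw, &bad, true)) // layout mismatch is reported
	_ = decode(raw, &bad, false)
	_ = decode(raw, &good, true)
	fmt.Println(bad.DeltaNs, good.DeltaNs) // misread vs. correct delta
}
```

Comparing the byte length delivered by the perf buffer with binary.Size of the Go struct is a cheap guard against this class of silent misreads.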
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported