libbpf | Automated upstream mirror for libbpf stand-alone build | Recommender System library
kandi X-RAY | libbpf Summary
Please check out [libbpf-bootstrap] and [the companion blog post] for examples of building BPF applications with libbpf. [libbpf-tools] are also a good source of real-world libbpf-based tracing tools.
See also ["BPF CO-RE reference guide"] for coverage of the practical aspects of building BPF CO-RE applications and ["BPF CO-RE"] for a general introduction to BPF portability issues and BPF CO-RE origins.
All general BPF questions, including kernel functionality, libbpf APIs and their application, should be sent to the bpf@vger.kernel.org mailing list. You can subscribe to it [here] and search its archive [here]. Please search the archive before asking new questions; it may well be that the issue has already been addressed or answered. bpf@vger.kernel.org is monitored by many more people, and they will happily try to help you with whatever issue you have.
PRs and issues in this repository should be opened only for problems with the specific way this libbpf mirror repo is set up and organized.
Community Discussions
Trending Discussions on libbpf
QUESTION
I see for python BCC implementation the syscall __x64_sys_openat is used to attach a kprobe, however in libbpf implementation a kprobe is attached to sys_enter_openat. It seems both capture openat() syscall, I tested it with cat file.txt.
What is the difference between them? And which one is more reliable to use?
...ANSWER
Answered 2022-Mar-30 at 09:05
__x64_sys_openat is the name of some function in the Linux kernel, to which BCC attaches a kprobe.
sys_enter_openat is the name of a tracepoint in Linux, meaning that this is a (more or less) stable interface to which you can hook for tracing, including with an eBPF program. You can see the available tracepoints on your system by listing the entries under /sys/kernel/debug/tracing/events/. I think BCC also has a utility called tplist to help with it.
When given the choice, I would recommend hooking at tracepoints if possible, because they tend to be more stable than kernel internals: The parameters for __x64_sys_openat, or the name of that function, could change between different kernel versions for example; or the name would change on another architecture, et cætera. However, the tracepoint is unlikely to change. Note that the instability of kernel's internals is somewhat mitigated for eBPF with CO-RE.
Then it is not always possible to hook to a tracepoint: You can only use one of the existing tracepoints from the kernel. If you want to hook to another random function where no tracepoint is present (and assuming this function was not inlined at compilation time - check this by looking for it in /proc/kallsyms), then you want to use a kprobe.
Sometimes you also need to pay extra attention to where you hook. For example, for security use cases (i.e. blocking a syscall), syscall tracepoints (or the corresponding kernel functions, obviously) are not always the best hooking points because they might leave you open to TOCTOU attacks. LSM hooks could be a good solution for that use case.
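The check described in the answer above, as an added example (not part of the original answer or of libbpf): a shell helper that prefers the syscall tracepoint and falls back to a kprobe symbol found in kallsyms. The function names and the sample data are constructed for illustration; on a live system pass /sys/kernel/debug/tracing/events and /proc/kallsyms.

```shell
#!/bin/sh
# Added example; function names and sample data are constructed for illustration.
# On a live system pass /sys/kernel/debug/tracing/events and /proc/kallsyms.

# Succeeds if the syscalls:sys_enter_<name> tracepoint exists under EVENTS_DIR.
has_tracepoint() {
    [ -d "$1/syscalls/sys_enter_$2" ]
}

# Prints text symbols of the form __<arch>_sys_<name> (e.g. __x64_sys_openat).
# A function that was inlined or renamed has no entry and yields no output.
kprobe_symbols() {
    awk -v sc="$2" '($2 == "T" || $2 == "t") && $3 ~ ("^__[a-z0-9]+_sys_" sc "$") { print $3 }' "$1"
}

# choose_hook EVENTS_DIR KALLSYMS NAME: prefer the tracepoint, else a kprobe.
choose_hook() {
    if has_tracepoint "$1" "$3"; then
        echo "tracepoint:syscalls:sys_enter_$3"
        return 0
    fi
    sym=$(kprobe_symbols "$2" "$3" | head -n 1)
    if [ -n "$sym" ]; then
        echo "kprobe:$sym"
        return 0
    fi
    echo "none"
    return 1
}

# Constructed sample: a tracepoint only for openat, kprobe symbols for two syscalls.
make_sample() {
    dir=$(mktemp -d)
    mkdir -p "$dir/events/syscalls/sys_enter_openat"
    cat > "$dir/kallsyms" <<'EOF'
ffffffff81300000 T __x64_sys_openat
ffffffff81300100 T __x64_sys_recvfrom
ffffffff81300200 t some_static_helper
EOF
    echo "$dir"
}

sample=$(make_sample)
for sc in openat recvfrom; do
    choose_hook "$sample/events" "$sample/kallsyms" "$sc"
done
rm -rf "$sample"
```
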
QUESTION
I have created an app with BPF library (https://github.com/libbpf/libbpf). Unfortunately it does not have documentation or at least I have not found it yet. Only thing I have found is this https://libbpf.readthedocs.io/en/latest/api.html, but it does not have everything I need.
I would like to know, what is void *ctx for and what are these ring_buffer_opts in this function.
...ANSWER
Answered 2022-Mar-22 at 23:19
You have found the GitHub mirror for the project (the “original” sources are in the Linux kernel repository) and the official API documentation. The latter is generated from the source code, in particular from the comments in src/libbpf.h. It may be that the documentation is not entirely up-to-date, it seems that the description for a few functions is currently missing in the HTML-rendered documentation.
However, not all functions have been documented yet, and the ring buffer API does not have much on this side to help you. So the best I can suggest is to look at the code and at existing examples. There are at least two selftests in the kernel repository which are using ring_buffer__new(): ringbuf.c and ringbuf_multi.c.
The first one (ringbuf.c) calls it like this:
QUESTION
I have an eBPF program with the following map definitions:
...ANSWER
Answered 2022-Mar-22 at 22:28
The verifier complains because your code is trying to read uninitialised data from the stack, in particular in your variable val.
If we look at your code:
QUESTION
I have an implementation in BPF for XDP, wherein I specify five maps to be created as follows:
...ANSWER
Answered 2022-Mar-19 at 23:24
As per the discussion in the comments, the map is not created because it is not actually used in your eBPF code (not provided in the question).
As you realised yourself, the branch in your code that was calling the map was in fact unreachable. Based on that, it's likely that clang compiled out this portion of code, and that the map is not used in the resulting eBPF bytecode. When preparing to load your program, bpftool (libbpf) looks at what maps are necessary, and only creates the ones that are needed for your program. It may skip maps that are defined in the ELF file if no program uses them.
One hint here is that, if the program was effectively using the map, it couldn't load successfully if the map was missing: given that your program loads, the map would necessarily be present if it was needed. Note that bpftool prog show will show you the ids of the maps used by a program.
QUESTION
Here's how I'm trying to initialize a BPF_MAP_TYPE_PERCPU_ARRAY of structs to a default value. The array contains counters the user space program will read.
ANSWER
Answered 2022-Mar-16 at 19:52
This specific part is triggering this error:
QUESTION
So I have this command ls -al -R | grep libbpf.h and it just act dump print
ANSWER
Answered 2022-Jan-31 at 08:11
You can use the find command
QUESTION
So I created a map of type BPF_MAP_TYPE_ARRAY.
...ANSWER
Answered 2022-Jan-16 at 11:11
TL;DR. The issue is that you're making an out-of-bound access to the packet from the verifier's point of view. You need to check the packet is long enough to actually contain the IP header first.
Reading the verifier error message.
QUESTION
So in my userspace program I am calling some functions like bpf_object__open_file which are part of libbpf library installed with PKG_CONFIG_PATH=/build/root/lib64/pkgconfig DESTDIR=/build/root make install
So when I compile the it compiles just fine, no error with this command
...ANSWER
Answered 2022-Jan-13 at 14:22
You should add the libbpf library directory to your LD_LIBRARY_PATH variable.
QUESTION
I like to know how to create ebpf map with char array value
I tried like this
...ANSWER
Answered 2021-Dec-17 at 17:07
The key and value should be __u32:
QUESTION
I have this function which is deprecated. First, how can one find the new alternative to functions that are deprecated? The function exists in the libbpf library and perf_buffer__new is the exact name. So basically, as the name suggests, it's used to create a perf buffer to share info between userspace and kernel. First I like to know whether perf buffers are only specific to eBPF filters or not. Not means I can use perf buffers in anything. For example, if I have some driver code, I just add a perf buffer to have info shared between some userspace app and the driver. From some searching on the web I found it specifically linked to eBPF, is this true?
So this is my code that uses a call to perf_buffer__new, but that function is deprecated; this function's declaration in libbpf's libbpf.h header file is commented out.
So I like to know what is the new alternative that I can use in my code. If there is a change in the API, then I like to let you know that I am trying to share the buffer parameter in SEC("kprobe/__x64_sys_recvfrom") to userspace; for that I have used PT_REGS_PARM2 and bpf_probe_read_kernel and included the parameter in map data. So if the API is changed, then how to accomplish this? This is my userspace and eBPF program
Userspace.c
...ANSWER
Answered 2022-Jan-10 at 17:07
1. You are explicitly using perf_buffer__new_deprecated in your code - don't do this: Use perf_buffer_new instead. You should never call a function that already has 'deprecated' in its name.
2. Take a look in the header: libbpf/libbpf.h
perf_buffer_new is defined like this:
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported