ebpf | eBPF Utilities, Maps, and more
kandi X-RAY | ebpf Summary
kandi X-RAY | ebpf Summary
This library is not maintained anymore. Please use which has an almost compatible API.
Support
Quality
Security
License
Reuse
Top functions reviewed by kandi - BETA
Currently covering the most popular Java, JavaScript and Python libraries. See a Sample of ebpf
ebpf Key Features
ebpf Examples and Code Snippets
Community Discussions
Trending Discussions on ebpf
QUESTION
I am learning about eBPF and I understand that I can attach my eBPF programs to kprobes, uprobes, tracepoints and more. I see that there is a list of for tracepoints under /sys/kernel/debug/tracing/events/ where I can attach eBPF programs to. However, how do I find which kprobe functions I can break into, say TCP related ones? Also, how do I find those function signatures?
Thanks.
...ANSWER
Answered 2021-May-31 at 18:57You can attach a kprobe to nearly all functions of your kernel (provided they have not been inlined when compiling the kernel). One way to list those functions is through cat /proc/kallsyms
. In your case, grep for tcp
on that file? As for the signatures, I don't believe there is a place to get them other than by reading the kernel sources for your kernel version.
Note that, because kernel functions are not part of the user API, there is no guarantee regarding the stability of their signature (which could be a reason why a list of signatures would make little sense—other than the huge number of signatures to list). If you want your eBPF programs to be more robust and portable between different kernel versions, you should have a look at CO-RE.
QUESTION
Consider a very simple ebpf
code of BPF_PROG_TYPE_SOCKET_FILTER
type:
ANSWER
Answered 2021-May-25 at 19:57It's the other way around: it will drop the packet if 0 is returned. From the code:
QUESTION
Sorry, I am really new to writing eBPF code, so I came upon an error that I can't seem to shake off. Running in sudo does not seem to help. And I wrote a slower crc32 program that compiles but this one does not want to execute no matter what. I am wondering if I'm breaking any convention that I am just not seeing.
...ANSWER
Answered 2021-May-24 at 21:44From the verifier's logs, you have some invalid access here:
QUESTION
I have a small socket filter
type eBPF program, where I'm trying to print a protocol value read from __sk_buff
context:
ANSWER
Answered 2021-May-14 at 00:21I don't believe you are calling the bpf_trace_printk()
helper correctly (BPF_FUNC_trace_prink
is just an integer, by the way). Its signature, commented in the kernel UAPI header bpf.h or in the bpf-helpers
man page, is as follows:
QUESTION
Looking at kernel's sample/bpf/sock_example.c
:
ANSWER
Answered 2021-May-07 at 20:22File descriptors when writing your program in user space, but later replaced by pointers to the map by the verifier.
File Descriptors When Writing Your eBPF ProgramYou write your eBPF program in user space, where you don't have any address pointer to the map. So you use a file descriptor for referencing that map for the various operations (lookups, updates, deletes) that your program may run.
If writing your program in C, instead of assembly instructions like you do, this is usually abstracted: The program references the map with a C pointer, but the loader (typically relying on libbpf) performs some relocation step to extract metadata about the map from a dedicated ELF section of the object file, retrieves the file descriptor to the map, and inserts it in the relevant bytecode instructions.
Kernel Verifier Switches to PointersBut you are correct: in the kernel, the BPF_FUNC_map_lookup_elem()
helper and the like use pointers to the maps, not file descriptors. This is at load time, during verification of the program, that the verifier replaces the file descriptors by the pointers to the memory area associated to the maps (see resolve_pseudo_ldimm64()
from kernel/bpf/verifier.c). It is possible to get a pointer at this time: The verifier does have access to the kernel-memory pointers for those maps.
Note that the verifier actually goes even further and, for some map types (hash, arrays), it even replaces the calls to the helpers for map lookups completely, using instead instructions to directly read from the relevant addresses in the map (search for map_gen_lookup
for details).
QUESTION
I'm trying to write a sample eBPF program which can access __sk_buff member and dump it into /sys/kernel/debug/tracing/trace.
...ANSWER
Answered 2021-May-05 at 19:23The error is not caused by bpf_trace_prink()
, but by the skb
accesses that are present in your bytecode only when you call bpf_trace_printk()
.
Accessing skb->local_ip4
and skb->remote_ip4
is not allowed for programs of types BPF_PROG_TYPE_LWT_OUT
, that you use.
See kernel code: The function that checks for valid access for this type returns false for certain offsets or range in skb
:
QUESTION
Is it possible to write an eBPF program, that can dynamically call an external library? I.e. assume that this specific library is present on the host that runs the eBPF code.
Right now I don't care if the program is passing verification, but rather if it is possible to express this in the bytecode. It should be assumed that the external function is not embedded in the ELF binary.
...ANSWER
Answered 2021-Apr-26 at 13:23No, this is not possible at the moment.
Once loaded and attached, eBPF programs can call:
- eBPF functions from the same program (eBPF-to-eBPF function calls)
- other eBPF programs, under certain conditions, through tail calls
- other eBPF programs of type
BPF_PROG_TYPE_EXT
- kernel function helpers (library of functions defined in the kernel)
- random kernel functions, if they are explicitly marked as callable (should be in Linux 5.13)
It cannot call functions from user space libraries.
QUESTION
I am learning BPF for my own fun, and I am having a hard time figuring out how to read argv
and envp
from the context passed to my eBPF program for sys_enter_execve
I will show my BPF program here and then explain in more details later what I am trying to accomplish.
Here's my code:
...ANSWER
Answered 2021-Apr-21 at 08:42TL;DR. You are trying to read arbitrary kernel memory. You need to use bpf_probe_read
for that.
Let's have a look at the error logs:
The invalid memory access is on a load from r1
. The value in r1
was loaded from memory using the address in r6
as the base. According to the second line, the verifier associates type ctx
to r6
.
So r6
points to your variable ctx
. That variable is special (hence why the verifier has a special ctx
type for it). Your BPF program is allowed to access memory pointed by that variable as long as its bounded (the exact bound depends on the program type).
QUESTION
I am attempting to track deleted files with perf. I know eBPF / SystemTap is better suited here, but I am limited on the platform with tool choices (ARM).
This is how I am recording it
...ANSWER
Answered 2021-Apr-02 at 09:40It will not be possible to obtain the string version of pathname
using perf
tools in this case.
When a userspace utility calls perf_even_open
syscall with a request to monitor tracepoint events, such as the one you are trying to monitor with syscalls:sys_enter_unlinkat
, a 'perf probe' function is attached to the tracepoint. You can see the probe function here.
The probe function allocates a perf buffer and validates the allocated buffer after which it invokes a bpf program.
This bpf program needs to know the 'format' of the static tracepoint event, since it needs to understand what is the structure of the binary trace output in the perf ring buffer.
The format of the event is defined in the /sys/kernel/debug/tracing/events/syscalls/sys_enter_unlinkat/format
file, for your case.
If you look at this file, you will see that perf script
reports the output as per the print fmt
entry in the field.
QUESTION
eBPF has become a prominent tool to easily and quickly monitor processes. However, I was not able to find how would one compute the impact of the probe itself on the performance. I'm sure if I hook every syscall and push some information in a map, there must be some impact, nothing is free, but how would I properly compute this added latency?
The only solution I have thought is to run the same programs several times with both the probes active and not, and check the system execution time difference, but this seems to me like it would be influenced by various factors which could add a lot of variance and therefore not give very solid results.
...ANSWER
Answered 2021-Feb-10 at 08:53There was a talk on this topic by Bryce Kahle at the eBPF Summit. It's the most complete answer to this question I'm aware of.
To summarize, you have several options:
- Rely on
kernel.bpf_stats_enabled
statistics collected by the kernel. - Use
bpftool prog profile
. - Use
BPF_PROG_TEST_RUN
hook, e.g., viabpftool prog run
.
The talk doesn't mention one last option: you can now attach BPF program at the entry and exit of other BPF programs with BPF trampoline.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported
Install ebpf
Support
Reuse Trending Solutions
Find, review, and download reusable Libraries, Code Snippets, Cloud APIs from over 650 million Knowledge Items
Find more librariesStay Updated
Subscribe to our newsletter for trending solutions and developer bootcamps
Share this Page