add bpf byte code capture #2874
Conversation
2853bfd to
c12c33d
Compare
c12c33d to
051946a
Compare
92b1456 to
3e9541a
Compare
3e9541a to
078bab2
Compare
49807db to
1ee3493
Compare
|
Quick note, we pick also the libbpf |
pkg/ebpf/c/vmlinux.h
Outdated
| struct { /* anonymous struct used by BPF_PROG_LOAD command */ | ||
| __u32 prog_type; /* one of enum bpf_prog_type */ | ||
| __u32 insn_cnt; | ||
| __u64 insns; | ||
| __u64 license; | ||
| __u32 log_level; /* verbosity level of verifier */ | ||
| __u32 log_size; /* size of user buffer */ | ||
| __u64 log_buf; /* user supplied buffer */ | ||
| __u32 kern_version; /* not used */ | ||
| __u32 prog_flags; | ||
| char prog_name[BPF_OBJ_NAME_LEN]; | ||
| __u32 prog_ifindex; /* ifindex of netdev to prep for */ | ||
| /* For some prog types expected attach type must be known at | ||
| * load time to verify attach type specific parts of prog | ||
| * (context accesses, allowed helpers, etc). | ||
| */ | ||
| __u32 expected_attach_type; | ||
| __u32 prog_btf_fd; /* fd pointing to BTF type data */ | ||
| __u32 func_info_rec_size; /* userspace bpf_func_info size */ | ||
| __u64 func_info; /* func info */ | ||
| __u32 func_info_cnt; /* number of bpf_func_info records */ | ||
| __u32 line_info_rec_size; /* userspace bpf_line_info size */ | ||
| __u64 line_info; /* line info */ | ||
| __u32 line_info_cnt; /* number of bpf_line_info records */ | ||
| __u32 attach_btf_id; /* in-kernel BTF type id to attach to */ | ||
| union { | ||
| /* valid prog_fd to attach to bpf prog */ | ||
| __u32 attach_prog_fd; | ||
| /* or valid module BTF object fd or 0 to attach to vmlinux */ | ||
| __u32 attach_btf_obj_fd; | ||
| }; | ||
| __u32 : 32; /* pad */ | ||
| __u64 fd_array; /* array of FDs */ | ||
| }; | ||
|
|
||
| struct { /* anonymous struct for BPF_BTF_LOAD */ | ||
| __u64 btf; | ||
| __u64 btf_log_buf; | ||
| __u32 btf_size; | ||
| __u32 btf_log_size; | ||
| __u32 btf_log_level; | ||
| }; | ||
|
|
There was a problem hiding this comment.
You have added the entire type here, not only the fields/members you're using, right? Isn't this type declared in /usr/include/linux/bpf.h for the "non-CO-RE" compilation? (it's a per kernel version "include" file and is compatible with non-CO-RE code, for sure).
If that wasn't the case, full missing types would go to either:
missing_definitions.h(CO-RE code)missing_noncore_definitions.h(non CO-RE code)
But, in your case, the type exists for non CO-RE code so you only need to declare the fields/members you're REALLY using in the vmlinux.h file (not all the types).
There was a problem hiding this comment.
Changed it - thanks for the catch. TBH I have little clue to what I'm doing regarding CORE and non CORE and I don't know how you divided it - I just try to make it work XD
There was a problem hiding this comment.
No worries at all, we can help you find out where things go as long as it works as it did ;). Thanks, Asaf!
pkg/ebpf/c/common/bpf.h
Outdated
There was a problem hiding this comment.
I would not call this file bpf.h. There are numerous bpf.h files, for kernel uapi (userland headers), internal files to the kernel, and libbpf bpf.h (multiple: userland and kernel). I would call something else IMHO.
There was a problem hiding this comment.
changed to bpf_prog.h
6d8edd4 to
2359a8e
Compare
2359a8e to
d2518c6
Compare
|
|
||
| u32 insn_cnt = get_attr_insn_cnt(attr); | ||
| const struct bpf_insn *insns = get_attr_insns(attr); | ||
| unsigned int insn_size = (unsigned int) (sizeof(struct bpf_insn) * insn_cnt); |
There was a problem hiding this comment.
@AsafEitani FTR only... you might already know that, just mentioning if not. We don't have a problem with using sizeof(struct bpf_insn) here because the struct bpf_insn won't ever have its size changed.
But, whenever you want to get its size, the correct approach for any other kernel types is to use the bpf type helper bpf_core_type_size(type) for CO-RE and sizeof() for NON-CO-RE.
This is major because the type might change from one kernel to another and for portability, the helper will consider that (So you don't need to declare the FULL type in the vmlinux.h file, only the types you really use).
fix #1274
1. Explain what the PR does
Adds BPF programs bytecode (JIT) capture.
2. Explain how to test it
tracee-ebpf -c bpf