How to use the Berkeley Packet Filter (BPF) to filter function arguments in the kernel? The function should be any non-inline function, rather than only system calls. Also, it would be better if the pointers in function arguments could be dereferenced for validation.
I searched the Internet but cannot find any use cases. Most of the materials only describe how to use seccomp / seccomp-BPF.
It seems that eBPF and kprobe/jprobe are integrated to implement the hooking. But I cannot find a good example on the web.
eBPF is probably what you want. If you have not found them already, you should have a look at the examples provided with the bcc (BPF Compiler Collection) tools.
In particular, the example tool argdist relies on kprobes indeed and could be of some interest to you:
argdist probes functions you specify and collects parameter values into a histogram or a frequency count. This can be used to understand the distribution of values a certain parameter takes, filter and print interesting parameters without attaching a debugger, and obtain general execution statistics on various functions.
For example, suppose you want to find what allocation sizes are common in your application:
    # ./argdist -p 2420 -C 'p:c:malloc(size_t size):size_t:size'
    [01:42:29]
    p:c:malloc(size_t size):size_t:size
            COUNT      EVENT
    [01:42:30]
    p:c:malloc(size_t size):size_t:size
            COUNT      EVENT
[…]
(extract from the argdist example uses).
For the record, most examples I found so far with eBPF were located in one of those locations:
- linux/samples/bpf within the Linux kernel sources.
- bcc/tools directory of bcc.
- tc, under the iproute2/examples/tc directory in the iproute2 package sources.
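To make the kprobe approach from the answer concrete, here is an added example of a small bcc-based tool (it is not code from the question, the answer, or the bcc project). It attaches a kprobe to the kernel function vfs_read, filters on the scalar count argument inside the kernel, and dereferences the struct file pointer argument to read the file name; bcc rewrites the pointer dereferences into bpf_probe_read_kernel() calls, so an invalid pointer yields zeros instead of a fault. The tool name, the MIN_COUNT placeholder, the event layout and the user-space suffix filter are assumptions of this example. Running it needs root privileges and the bcc Python bindings; the helper functions outside main() work without them.

```python
#!/usr/bin/env python3
"""vfs_read argument filter: example bcc tool (hypothetical, not from the post).

Kernel side: kprobe on vfs_read(file, buf, count, pos), keep only calls with
count >= MIN_COUNT and dereference `file` to recover the file name.
User side: optional second-stage filter on the decoded name.
"""
import argparse

# BPF program text; MIN_COUNT is a placeholder filled in by render_program().
BPF_TEMPLATE = r"""
#include <uapi/linux/ptrace.h>
#include <linux/sched.h>
#include <linux/fs.h>
#include <linux/dcache.h>

struct event_t {
    u32 pid;
    u64 count;
    char comm[TASK_COMM_LEN];
    char name[32];
};

BPF_PERF_OUTPUT(events);

// bcc attaches functions named kprobe__<symbol> to that kernel symbol
// automatically; the parameters after ctx mirror vfs_read's signature.
int kprobe__vfs_read(struct pt_regs *ctx, struct file *file,
                     char __user *buf, size_t count, loff_t *pos)
{
    // Cheap filter on a plain scalar argument: no memory access needed.
    if (count < MIN_COUNT)
        return 0;

    struct event_t ev = {};
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.count = count;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));

    // Dereference the pointer argument. bcc turns these member accesses
    // into bpf_probe_read_kernel() calls, so a bad pointer gives zeros
    // rather than crashing the kernel.
    struct dentry *de = file->f_path.dentry;
    struct qstr qs = de->d_name;
    bpf_probe_read_kernel_str(&ev.name, sizeof(ev.name), qs.name);

    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""


def render_program(min_count):
    """Return the BPF C source with the in-kernel count threshold filled in."""
    return BPF_TEMPLATE.replace("MIN_COUNT", str(int(min_count)))


def matches(name, suffix):
    """User-space second stage: keep events whose file name ends with suffix.
    An empty suffix matches everything."""
    return suffix == "" or name.endswith(suffix)


def format_event(pid, comm, count, name):
    """One output line: pid, command, read size, file name."""
    return f"{pid:<7} {comm:<16} {count:>10} {name}"


def main(argv=None):
    ap = argparse.ArgumentParser(description="Trace large vfs_read() calls")
    ap.add_argument("--min-count", type=int, default=65536,
                    help="minimum count argument, filtered in the kernel")
    ap.add_argument("--suffix", default="",
                    help="only report file names ending with this suffix")
    args = ap.parse_args(argv)

    from bcc import BPF  # needs the bcc bindings and root privileges

    b = BPF(text=render_program(args.min_count))
    print(format_event("PID", "COMM", "COUNT", "FILE"))

    def handle(cpu, data, size):
        ev = b["events"].event(data)
        name = ev.name.decode(errors="replace")
        if matches(name, args.suffix):
            comm = ev.comm.decode(errors="replace")
            print(format_event(ev.pid, comm, ev.count, name))

    b["events"].open_perf_buffer(handle)
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Usage: `sudo ./vfs_read_filter.py --min-count 1048576 --suffix .log`. The split matters in practice: the scalar comparison runs in the kernel on every call and costs almost nothing, while the string filter runs in user space only on the events that survive, which keeps the probe cheap on hot paths.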