How to use BPF to filter kernel function arguments?

How to use the Berkeley Packet Filter (BPF) to filter function arguments in kernel? The function should be any non-inline functions, rather than only system calls. Also, it is better that the pointers in function arguments can be dereferenced for validation.

I searched the Internet but cannot find any use cases. Most of the materials only describe how to use seccomp / seccomp-BPF.

It seems that eBPF and kprobe/jprobe are integrated to implement the hooking. But I cannot find a good example on the web.

WindChaser asked Oct 18 '22 04:10

1 Answer

eBPF is probably what you want. If you have not found them already, you should have a look at the examples provided with the bcc (BPF Compiler Collection) tools.

In particular, the example tool argdist relies on kprobes indeed and could be of some interest to you:

argdist probes functions you specify and collects parameter values into a histogram or a frequency count. This can be used to understand the distribution of values a certain parameter takes, filter and print interesting parameters without attaching a debugger, and obtain general execution statistics on various functions.

For example, suppose you want to find what allocation sizes are common in your application:

# ./argdist -p 2420 -C 'p:c:malloc(size_t size):size_t:size'
[01:42:29]
p:c:malloc(size_t size):size_t:size
       COUNT      EVENT
[01:42:30]
p:c:malloc(size_t size):size_t:size
COUNT EVENT

[…]

(extract from the argdist example uses).

For the record, most examples I found so far with eBPF were located in one of those locations:

  • Under linux/samples/bpf within the Linux kernel sources.
  • In the bcc/tools directory of bcc.
  • (For networking examples involving tc, under the iproute2/examples/tc directory in the iproute2 package sources.)
Qeole answered Oct 21 '22 04:10
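The argdist recipe above probes userspace malloc; for the kernel-function case the question asks about, here is an added example (not code from the answer or from bcc's own tools) of a bcc script that kprobes vfs_read, filters on its scalar count argument and dereferences the struct file pointer argument to recover the file name. It assumes bcc is installed, the script runs as root, and vfs_read's signature (struct file *, char __user *, size_t, loff_t *); MIN_COUNT and event_t are this example's own names.

```python
# Added example, not code from the answer or from bcc's own tools.
# Assumes: bcc installed, run as root, and vfs_read's signature
# (struct file *, char __user *, size_t, loff_t *). MIN_COUNT and
# event_t are this example's own names.
BPF_TEMPLATE = r"""
#include <uapi/linux/ptrace.h>
#include <linux/fs.h>

struct event_t {
    u32 pid;
    u64 count;
    char name[64];
};
BPF_PERF_OUTPUT(events);

// kprobe handler: bcc maps the named parameters onto PT_REGS_PARMn.
int trace_vfs_read(struct pt_regs *ctx, struct file *file,
                   char __user *buf, size_t count, loff_t *pos)
{
    // Filter on the plain scalar argument first: no memory reads needed.
    if (count < MIN_COUNT)
        return 0;
    struct event_t ev = {};
    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.count = count;
    // Dereference the pointer argument: file->f_path.dentry->d_name.name.
    // bcc rewrites the field walk into bpf_probe_read_kernel() calls, so an
    // invalid pointer yields zeros instead of a kernel fault.
    struct dentry *d = file->f_path.dentry;
    bpf_probe_read_kernel_str(&ev.name, sizeof(ev.name), d->d_name.name);
    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""

def build_bpf_program(min_count):
    """Return the BPF C source with the count threshold substituted in."""
    return BPF_TEMPLATE.replace("MIN_COUNT", str(int(min_count)))

def main(min_count=4096):
    from bcc import BPF  # imported here so the module loads without bcc
    b = BPF(text=build_bpf_program(min_count))
    b.attach_kprobe(event="vfs_read", fn_name="trace_vfs_read")
    def handle(cpu, data, size):
        ev = b["events"].event(data)
        print("pid=%d count=%d file=%s" % (ev.pid, ev.count, ev.name.decode(errors="replace")))
    b["events"].open_perf_buffer(handle)
    while True:
        b.perf_buffer_poll()

if __name__ == "__main__":
    main()
```

Run it as root and read files larger than the threshold from another shell; reads below MIN_COUNT are dropped inside the kernel before any pointer is touched.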