- A userspace program loads an ebpf program into the kernel via the bpf syscall.
  - Also via bpf_prog_load in bpf-helpers
- Also via
- The above userspace program and the eBPF program communicate via message passing using eBPF maps.
  - Message passing uses eBPF maps to carry the data. There are multiple map types.
  - There are helpers in bpf-helpers to set up the different eBPF map types.
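As an added example of the two points above (it is not code from these notes or from any of the linked projects): a userspace program that talks to the kernel through raw bpf(2) syscalls, with no libbpf. It creates a hash map with BPF_MAP_CREATE and loads a two-instruction program ("r0 = 0; exit") with BPF_PROG_LOAD. The command numbers, type numbers, opcode bytes and struct layouts are copied from the stable uapi ABI in <linux/bpf.h> and redeclared here so the file builds without kernel headers; the fallback __NR_bpf value of 321 is the x86_64 number and is an assumption for hosts whose headers lack the macro. Loading needs CAP_BPF/CAP_SYS_ADMIN (or unprivileged_bpf_disabled=0), so on a locked-down host the calls return -EPERM and the program prints that.

```c
/* Added example (not from the notes): load a trivial eBPF program and
 * create a map with raw bpf(2) syscalls, no libbpf. The constants and
 * structs below mirror the stable uapi ABI from <linux/bpf.h>; they are
 * redeclared here so the file builds without kernel headers. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#ifndef __NR_bpf
#define __NR_bpf 321 /* x86_64 value; assumption for hosts whose headers lack it */
#endif

/* bpf(2) commands (uapi enum bpf_cmd) and the types used below */
#define BPF_MAP_CREATE              0
#define BPF_PROG_LOAD               5
#define BPF_MAP_TYPE_HASH           1
#define BPF_PROG_TYPE_SOCKET_FILTER 1

/* opcode bytes: BPF_ALU64|BPF_MOV|BPF_K = 0xb7, BPF_JMP|BPF_EXIT = 0x95 */
#define OP_MOV64_IMM 0xb7
#define OP_EXIT      0x95

/* one 64-bit eBPF instruction, same layout as uapi struct bpf_insn */
struct insn {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

/* Leading fields of union bpf_attr for BPF_PROG_LOAD. The kernel accepts an
 * attr shorter than the one it knows about, so only what we use is declared. */
struct prog_load_attr {
    uint32_t prog_type;
    uint32_t insn_cnt;
    uint64_t insns;      /* user pointer to the instruction array */
    uint64_t license;    /* user pointer to a NUL-terminated license string */
    uint32_t log_level;
    uint32_t log_size;
    uint64_t log_buf;    /* verifier log destination when log_level > 0 */
    uint32_t kern_version;
    uint32_t prog_flags;
};

/* Leading fields of union bpf_attr for BPF_MAP_CREATE */
struct map_create_attr {
    uint32_t map_type;
    uint32_t key_size;
    uint32_t value_size;
    uint32_t max_entries;
    uint32_t map_flags;
};

/* Emit "r0 = 0; exit" into out[] and return the instruction count (2). */
int build_minimal_prog(struct insn *out)
{
    memset(out, 0, 2 * sizeof(*out));
    out[0].code = OP_MOV64_IMM; /* r0 = imm (dst_reg 0, imm 0) */
    out[1].code = OP_EXIT;      /* return r0 to the caller */
    return 2;
}

/* Returns the new map fd, or -errno on failure. */
int create_hash_map(uint32_t key_size, uint32_t value_size, uint32_t max_entries)
{
    struct map_create_attr attr = { BPF_MAP_TYPE_HASH, key_size, value_size, max_entries, 0 };
    long fd = syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

/* Returns the program fd, or -errno; the verifier log lands in logbuf. */
int load_prog(const struct insn *insns, int cnt, char *logbuf, uint32_t loglen)
{
    struct prog_load_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insn_cnt  = (uint32_t)cnt;
    attr.insns     = (uint64_t)(uintptr_t)insns;
    attr.license   = (uint64_t)(uintptr_t)"GPL";
    attr.log_level = 1;              /* ask the verifier for its log */
    attr.log_size  = loglen;         /* must be >= 128 when log_level > 0 */
    attr.log_buf   = (uint64_t)(uintptr_t)logbuf;
    long fd = syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

int main(void)
{
    struct insn prog[2];
    char log[4096] = "";
    int n = build_minimal_prog(prog);
    int map_fd = create_hash_map(sizeof(uint32_t), sizeof(uint64_t), 64);
    int prog_fd = load_prog(prog, n, log, sizeof(log));
    printf("map fd: %d, prog fd: %d\n", map_fd, prog_fd);
    if (map_fd < 0)
        printf("map create failed: %s\n", strerror(-map_fd));
    if (prog_fd < 0)
        printf("prog load failed: %s\n%s", strerror(-prog_fd), log);
    return 0;
}
```

The map fd and program fd are ordinary file descriptors: the map fd is what a userspace side later passes to BPF_MAP_LOOKUP_ELEM/BPF_MAP_UPDATE_ELEM to exchange data with the loaded program, and the program fd is what gets attached to a hook. The verifier log buffer is worth keeping even in a minimal loader, because a rejected program is otherwise just EINVAL/EACCES with no explanation.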
- kprobes: https://www.kernel.org/doc/html/v5.10/trace/kprobes.html
  - Hook almost any kernel routine
  - Gets packaged like a kernel module
  - Can modify registers and stack - be careful (double-check: what does the verifier do for kprobe safety?)
  - Can run pre or post call
  - Unstable across kernel versions
- tracepoints: https://www.kernel.org/doc/html/v5.10/trace/tracepoints.html
  - Stable hooks pre-defined by developers
  - Guaranteed to always be the same across kernel versions
  - Doesn't cover all routines
  - Also works pre/post call
- /sys/kernel/debug/tracing filesystem
  - How to use the above filesystem: https://www.kernel.org/doc/html/v5.10/trace/events.html
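Added example for the tracepoint and tracefs notes above (my code, not from these notes or the kernel docs): every tracepoint under /sys/kernel/debug/tracing/events/<subsys>/<event>/ exposes a "format" file that lists its fields with their offset, size and signedness, which is how a consumer finds data in the raw record. The parser below turns that text into a field table and looks fields up by name. The embedded SAMPLE_FORMAT is a constructed sample modelled on sched/sched_switch; the ID value and the print fmt line are made up, and field offsets on a real kernel must be taken from the real file, never hard-coded.

```c
/* Added example (not from the notes): parse a tracepoint "format" file from
 * /sys/kernel/debug/tracing/events/<subsys>/<event>/format into a field table. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_FIELDS 32

struct tp_field {
    char type[48];   /* C type as printed, array suffix dropped */
    char name[32];
    int offset;      /* byte offset inside the raw event record */
    int size;
    int is_signed;
};

struct tp_format {
    char name[64];
    int id;
    int nfields;
    struct tp_field fields[MAX_FIELDS];
};

/* Constructed sample modelled on sched_switch; the ID and print fmt are made up. */
static const char SAMPLE_FORMAT[] =
    "name: sched_switch\n"
    "ID: 310\n"
    "format:\n"
    "\tfield:unsigned short common_type;\toffset:0;\tsize:2;\tsigned:0;\n"
    "\tfield:unsigned char common_flags;\toffset:2;\tsize:1;\tsigned:0;\n"
    "\tfield:unsigned char common_preempt_count;\toffset:3;\tsize:1;\tsigned:0;\n"
    "\tfield:int common_pid;\toffset:4;\tsize:4;\tsigned:1;\n"
    "\n"
    "\tfield:char prev_comm[16];\toffset:8;\tsize:16;\tsigned:0;\n"
    "\tfield:pid_t prev_pid;\toffset:24;\tsize:4;\tsigned:1;\n"
    "\tfield:int prev_prio;\toffset:28;\tsize:4;\tsigned:1;\n"
    "\tfield:long prev_state;\toffset:32;\tsize:8;\tsigned:1;\n"
    "\tfield:char next_comm[16];\toffset:40;\tsize:16;\tsigned:0;\n"
    "\tfield:pid_t next_pid;\toffset:56;\tsize:4;\tsigned:1;\n"
    "\tfield:int next_prio;\toffset:60;\tsize:4;\tsigned:1;\n"
    "\n"
    "print fmt: \"prev_comm=%s prev_pid=%d\", REC->prev_comm, REC->prev_pid\n";

/* Parse one "field:<decl>; offset:N; size:N; signed:N;" line. Returns 1 on success. */
static int parse_field(const char *line, struct tp_field *f)
{
    const char *p = strstr(line, "field:");
    if (!p) return 0;
    p += 6;
    const char *semi = strchr(p, ';');
    if (!semi) return 0;
    char decl[96];
    size_t n = (size_t)(semi - p);
    if (n >= sizeof decl) return 0;
    memcpy(decl, p, n);
    decl[n] = '\0';
    char *br = strchr(decl, '[');     /* drop an array suffix such as [16] */
    if (br) *br = '\0';
    char *sp = strrchr(decl, ' ');    /* the name is the last identifier */
    if (!sp) return 0;
    snprintf(f->name, sizeof f->name, "%s", sp + 1);
    *sp = '\0';
    snprintf(f->type, sizeof f->type, "%s", decl);
    /* a space in the scanf format matches the tabs in the real file */
    return sscanf(semi, "; offset:%d; size:%d; signed:%d;",
                  &f->offset, &f->size, &f->is_signed) == 3;
}

/* Parse the whole file text; returns the number of fields recognised. */
int parse_tp_format(const char *text, struct tp_format *out)
{
    memset(out, 0, sizeof *out);
    const char *line = text;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[256];
        if (len >= sizeof buf) len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';
        if (strncmp(buf, "name: ", 6) == 0)
            snprintf(out->name, sizeof out->name, "%s", buf + 6);
        else if (strncmp(buf, "ID: ", 4) == 0)
            out->id = atoi(buf + 4);
        else if (strstr(buf, "field:") && out->nfields < MAX_FIELDS &&
                 parse_field(buf, &out->fields[out->nfields]))
            out->nfields++;
        if (!nl) break;
        line = nl + 1;
    }
    return out->nfields;
}

/* Look a field up by name; NULL when absent. */
const struct tp_field *tp_find(const struct tp_format *fmt, const char *name)
{
    for (int i = 0; i < fmt->nfields; i++)
        if (strcmp(fmt->fields[i].name, name) == 0)
            return &fmt->fields[i];
    return NULL;
}

int main(void)
{
    struct tp_format fmt;
    parse_tp_format(SAMPLE_FORMAT, &fmt);
    printf("%s (id %d), %d fields\n", fmt.name, fmt.id, fmt.nfields);
    for (int i = 0; i < fmt.nfields; i++)
        printf("  %-24s %-16s off=%-3d size=%-3d signed=%d\n", fmt.fields[i].name,
               fmt.fields[i].type, fmt.fields[i].offset, fmt.fields[i].size,
               fmt.fields[i].is_signed);
    return 0;
}
```

In use, read the real format file (root or tracefs access required) into a buffer and hand it to parse_tp_format instead of SAMPLE_FORMAT; the offsets it reports are the ones a raw tracepoint program must use, and parsing them at runtime rather than hard-coding them is what keeps a consumer correct across kernel builds, even though the tracepoint itself is stable.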
- https://github.com/bpftools/linux-observability-with-bpf
- bpf-helpers
- bpf syscall
- Headers for userspace program:
- Headers for bpf program in kernel (I think):
- BPF Compiler Collection (BCC): https://github.com/iovisor/bcc/tree/master