bpf: mini eBPF library, test stubs and verifier testsuite
1.
the library includes a trivial set of BPF syscall wrappers:
int bpf_create_map(int key_size, int value_size, int max_entries);
int bpf_update_elem(int fd, void *key, void *value);
int bpf_lookup_elem(int fd, void *key, void *value);
int bpf_delete_elem(int fd, void *key);
int bpf_get_next_key(int fd, void *key, void *next_key);
int bpf_prog_load(enum bpf_prog_type prog_type,
const struct sock_filter_int *insns, int insn_len,
const char *license);
bpf_prog_load() stores verifier log into global bpf_log_buf[] array
and BPF_*() macros to build instructions
2.
test stubs configure eBPF infra with 'unspec' map and program types.
These are fake types used by user space testsuite only.
3.
verifier tests valid and invalid programs and expects predefined
error log messages from kernel.
40 tests so far.
$ sudo ./test_verifier
#0 add+sub+mul OK
#1 unreachable OK
#2 unreachable2 OK
#3 out of range jump OK
#4 out of range jump2 OK
#5 test1 ld_imm64 OK
...
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-09-26 14:17:07 +07:00
|
|
|
# kbuild trick to avoid linker error. Can be omitted if a module is built.
|
|
|
|
obj- := dummy.o
|
|
|
|
|
|
|
|
# List of programs to build
|
2014-11-14 08:36:48 +07:00
|
|
|
hostprogs-y := test_verifier test_maps
|
2014-12-02 06:06:36 +07:00
|
|
|
hostprogs-y += sock_example
|
2014-12-02 06:06:38 +07:00
|
|
|
hostprogs-y += sockex1
|
2014-12-02 06:06:39 +07:00
|
|
|
hostprogs-y += sockex2
|
2015-05-20 06:59:06 +07:00
|
|
|
hostprogs-y += sockex3
|
2015-03-26 02:49:23 +07:00
|
|
|
hostprogs-y += tracex1
|
2015-03-26 02:49:24 +07:00
|
|
|
hostprogs-y += tracex2
|
2015-03-26 02:49:25 +07:00
|
|
|
hostprogs-y += tracex3
|
2015-03-26 02:49:26 +07:00
|
|
|
hostprogs-y += tracex4
|
samples/bpf: bpf_tail_call example for tracing
kprobe example that demonstrates how future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.
Existing optimized classic BPF seccomp programs generated by Chrome look like:
if (sd.nr < 121) {
if (sd.nr < 57) {
if (sd.nr < 22) {
if (sd.nr < 7) {
if (sd.nr < 4) {
if (sd.nr < 1) {
check sys_read
} else {
if (sd.nr < 3) {
check sys_write and sys_open
} else {
check sys_close
}
}
} else {
} else {
} else {
} else {
} else {
}
the future seccomp using native eBPF may look like:
bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
which is simpler, faster and leaves more room for per-syscall checks.
Usage:
$ sudo ./tracex5
<...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
<...>-369 [003] d... 4.870066: : mmap
<...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
<...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 06:59:05 +07:00
|
|
|
hostprogs-y += tracex5
|
2015-06-19 21:00:44 +07:00
|
|
|
hostprogs-y += lathist
|
bpf: mini eBPF library, test stubs and verifier testsuite
1.
the library includes a trivial set of BPF syscall wrappers:
int bpf_create_map(int key_size, int value_size, int max_entries);
int bpf_update_elem(int fd, void *key, void *value);
int bpf_lookup_elem(int fd, void *key, void *value);
int bpf_delete_elem(int fd, void *key);
int bpf_get_next_key(int fd, void *key, void *next_key);
int bpf_prog_load(enum bpf_prog_type prog_type,
const struct sock_filter_int *insns, int insn_len,
const char *license);
bpf_prog_load() stores verifier log into global bpf_log_buf[] array
and BPF_*() macros to build instructions
2.
test stubs configure eBPF infra with 'unspec' map and program types.
These are fake types used by user space testsuite only.
3.
verifier tests valid and invalid programs and expects predefined
error log messages from kernel.
40 tests so far.
$ sudo ./test_verifier
#0 add+sub+mul OK
#1 unreachable OK
#2 unreachable2 OK
#3 out of range jump OK
#4 out of range jump2 OK
#5 test1 ld_imm64 OK
...
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-09-26 14:17:07 +07:00
|
|
|
|
|
|
|
test_verifier-objs := test_verifier.o libbpf.o
|
2014-11-14 08:36:48 +07:00
|
|
|
test_maps-objs := test_maps.o libbpf.o
|
2014-12-02 06:06:36 +07:00
|
|
|
sock_example-objs := sock_example.o libbpf.o
|
2014-12-02 06:06:38 +07:00
|
|
|
sockex1-objs := bpf_load.o libbpf.o sockex1_user.o
|
2014-12-02 06:06:39 +07:00
|
|
|
sockex2-objs := bpf_load.o libbpf.o sockex2_user.o
|
2015-05-20 06:59:06 +07:00
|
|
|
sockex3-objs := bpf_load.o libbpf.o sockex3_user.o
|
2015-03-26 02:49:23 +07:00
|
|
|
tracex1-objs := bpf_load.o libbpf.o tracex1_user.o
|
2015-03-26 02:49:24 +07:00
|
|
|
tracex2-objs := bpf_load.o libbpf.o tracex2_user.o
|
2015-03-26 02:49:25 +07:00
|
|
|
tracex3-objs := bpf_load.o libbpf.o tracex3_user.o
|
2015-03-26 02:49:26 +07:00
|
|
|
tracex4-objs := bpf_load.o libbpf.o tracex4_user.o
|
samples/bpf: bpf_tail_call example for tracing
kprobe example that demonstrates how future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.
Existing optimized classic BPF seccomp programs generated by Chrome look like:
if (sd.nr < 121) {
if (sd.nr < 57) {
if (sd.nr < 22) {
if (sd.nr < 7) {
if (sd.nr < 4) {
if (sd.nr < 1) {
check sys_read
} else {
if (sd.nr < 3) {
check sys_write and sys_open
} else {
check sys_close
}
}
} else {
} else {
} else {
} else {
} else {
}
the future seccomp using native eBPF may look like:
bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
which is simpler, faster and leaves more room for per-syscall checks.
Usage:
$ sudo ./tracex5
<...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
<...>-369 [003] d... 4.870066: : mmap
<...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
<...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 06:59:05 +07:00
|
|
|
tracex5-objs := bpf_load.o libbpf.o tracex5_user.o
|
2015-06-19 21:00:44 +07:00
|
|
|
lathist-objs := bpf_load.o libbpf.o lathist_user.o
|
bpf: mini eBPF library, test stubs and verifier testsuite
1.
the library includes a trivial set of BPF syscall wrappers:
int bpf_create_map(int key_size, int value_size, int max_entries);
int bpf_update_elem(int fd, void *key, void *value);
int bpf_lookup_elem(int fd, void *key, void *value);
int bpf_delete_elem(int fd, void *key);
int bpf_get_next_key(int fd, void *key, void *next_key);
int bpf_prog_load(enum bpf_prog_type prog_type,
const struct sock_filter_int *insns, int insn_len,
const char *license);
bpf_prog_load() stores verifier log into global bpf_log_buf[] array
and BPF_*() macros to build instructions
2.
test stubs configure eBPF infra with 'unspec' map and program types.
These are fake types used by user space testsuite only.
3.
verifier tests valid and invalid programs and expects predefined
error log messages from kernel.
40 tests so far.
$ sudo ./test_verifier
#0 add+sub+mul OK
#1 unreachable OK
#2 unreachable2 OK
#3 out of range jump OK
#4 out of range jump2 OK
#5 test1 ld_imm64 OK
...
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-09-26 14:17:07 +07:00
|
|
|
|
|
|
|
# Tell kbuild to always build the programs
|
|
|
|
always := $(hostprogs-y)
|
2014-12-02 06:06:38 +07:00
|
|
|
always += sockex1_kern.o
|
2014-12-02 06:06:39 +07:00
|
|
|
always += sockex2_kern.o
|
2015-05-20 06:59:06 +07:00
|
|
|
always += sockex3_kern.o
|
2015-03-26 02:49:23 +07:00
|
|
|
always += tracex1_kern.o
|
2015-03-26 02:49:24 +07:00
|
|
|
always += tracex2_kern.o
|
2015-03-26 02:49:25 +07:00
|
|
|
always += tracex3_kern.o
|
2015-03-26 02:49:26 +07:00
|
|
|
always += tracex4_kern.o
|
samples/bpf: bpf_tail_call example for tracing
kprobe example that demonstrates how future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.
Existing optimized classic BPF seccomp programs generated by Chrome look like:
if (sd.nr < 121) {
if (sd.nr < 57) {
if (sd.nr < 22) {
if (sd.nr < 7) {
if (sd.nr < 4) {
if (sd.nr < 1) {
check sys_read
} else {
if (sd.nr < 3) {
check sys_write and sys_open
} else {
check sys_close
}
}
} else {
} else {
} else {
} else {
} else {
}
the future seccomp using native eBPF may look like:
bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
which is simpler, faster and leaves more room for per-syscall checks.
Usage:
$ sudo ./tracex5
<...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
<...>-369 [003] d... 4.870066: : mmap
<...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
<...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 06:59:05 +07:00
|
|
|
always += tracex5_kern.o
|
2015-04-02 07:12:13 +07:00
|
|
|
always += tcbpf1_kern.o
|
2015-06-19 21:00:44 +07:00
|
|
|
always += lathist_kern.o
|
bpf: mini eBPF library, test stubs and verifier testsuite
1.
the library includes a trivial set of BPF syscall wrappers:
int bpf_create_map(int key_size, int value_size, int max_entries);
int bpf_update_elem(int fd, void *key, void *value);
int bpf_lookup_elem(int fd, void *key, void *value);
int bpf_delete_elem(int fd, void *key);
int bpf_get_next_key(int fd, void *key, void *next_key);
int bpf_prog_load(enum bpf_prog_type prog_type,
const struct sock_filter_int *insns, int insn_len,
const char *license);
bpf_prog_load() stores verifier log into global bpf_log_buf[] array
and BPF_*() macros to build instructions
2.
test stubs configure eBPF infra with 'unspec' map and program types.
These are fake types used by user space testsuite only.
3.
verifier tests valid and invalid programs and expects predefined
error log messages from kernel.
40 tests so far.
$ sudo ./test_verifier
#0 add+sub+mul OK
#1 unreachable OK
#2 unreachable2 OK
#3 out of range jump OK
#4 out of range jump2 OK
#5 test1 ld_imm64 OK
...
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-09-26 14:17:07 +07:00
|
|
|
|
|
|
|
HOSTCFLAGS += -I$(objtree)/usr/include
|
2014-12-02 06:06:38 +07:00
|
|
|
|
|
|
|
HOSTCFLAGS_bpf_load.o += -I$(objtree)/usr/include -Wno-unused-variable
|
|
|
|
HOSTLOADLIBES_sockex1 += -lelf
|
2014-12-02 06:06:39 +07:00
|
|
|
HOSTLOADLIBES_sockex2 += -lelf
|
2015-05-20 06:59:06 +07:00
|
|
|
HOSTLOADLIBES_sockex3 += -lelf
|
2015-03-26 02:49:23 +07:00
|
|
|
HOSTLOADLIBES_tracex1 += -lelf
|
2015-03-26 02:49:24 +07:00
|
|
|
HOSTLOADLIBES_tracex2 += -lelf
|
2015-03-26 02:49:25 +07:00
|
|
|
HOSTLOADLIBES_tracex3 += -lelf
|
2015-03-26 02:49:26 +07:00
|
|
|
HOSTLOADLIBES_tracex4 += -lelf -lrt
|
samples/bpf: bpf_tail_call example for tracing
kprobe example that demonstrates how future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.
Existing optimized classic BPF seccomp programs generated by Chrome look like:
if (sd.nr < 121) {
if (sd.nr < 57) {
if (sd.nr < 22) {
if (sd.nr < 7) {
if (sd.nr < 4) {
if (sd.nr < 1) {
check sys_read
} else {
if (sd.nr < 3) {
check sys_write and sys_open
} else {
check sys_close
}
}
} else {
} else {
} else {
} else {
} else {
}
the future seccomp using native eBPF may look like:
bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
which is simpler, faster and leaves more room for per-syscall checks.
Usage:
$ sudo ./tracex5
<...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
<...>-369 [003] d... 4.870066: : mmap
<...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
<...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-05-20 06:59:05 +07:00
|
|
|
HOSTLOADLIBES_tracex5 += -lelf
|
2015-06-19 21:00:44 +07:00
|
|
|
HOSTLOADLIBES_lathist += -lelf
|
2014-12-02 06:06:38 +07:00
|
|
|
|
|
|
|
# point this to your LLVM backend with bpf support
|
|
|
|
LLC=$(srctree)/tools/bpf/llvm/bld/Debug+Asserts/bin/llc
|
|
|
|
|
2015-05-12 11:25:51 +07:00
|
|
|
$(obj)/%.o: $(src)/%.c
|
2014-12-02 06:06:38 +07:00
|
|
|
clang $(NOSTDINC_FLAGS) $(LINUXINCLUDE) $(EXTRA_CFLAGS) \
|
|
|
|
-D__KERNEL__ -Wno-unused-value -Wno-pointer-sign \
|
|
|
|
-O2 -emit-llvm -c $< -o -| $(LLC) -march=bpf -filetype=obj -o $@
|