2016-03-08  samples/bpf: add map_flags to bpf loader  (Alexei Starovoitov; 1 file, -1/+2)

note old loader is compatible with new kernel.
map_flags are optional

Signed-off-by: Alexei Starovoitov <>
Signed-off-by: David S. Miller <>

2016-03-08  samples/bpf: move ksym_search() into library  (Alexei Starovoitov; 1 file, -0/+62)

move ksym search from offwaketime into library to be reused in other tests

Signed-off-by: Alexei Starovoitov <>
Signed-off-by: David S. Miller <>

2016-03-08  samples/bpf: make map creation more verbose  (Alexei Starovoitov; 1 file, -1/+4)

map creation is typically the first one to fail when rlimits are
too low, not enough memory, etc.
Make this failure scenario more verbose

Signed-off-by: Alexei Starovoitov <>
Signed-off-by: David S. Miller <>

2015-05-21  samples/bpf: bpf_tail_call example for tracing  (Alexei Starovoitov; 1 file, -12/+45)

kprobe example that demonstrates how future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.

Existing optimized classic BPF seccomp programs generated by Chrome look like:

    if ( < 121) {
      if ( < 57) {
        if ( < 22) {
          if ( < 7) {
            if ( < 4) {
              if ( < 1) {
                check sys_read
              } else {
                if ( < 3) {
                  check sys_write and sys_open
                } else {
                  check sys_close
                }
              }
            } else {
          } else {
        } else {
      } else {
    } else {
    }

the future seccomp using native eBPF may look like:

    bpf_tail_call(&sd, &syscall_jmp_table,;

which is simpler, faster and leaves more room for per-syscall checks.

Usage:

    $ sudo ./tracex5
    <...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
    <...>-369 [003] d... 4.870066: : mmap
    <...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
    <...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
    sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
    sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
    sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)

Signed-off-by: Alexei Starovoitov <>
Signed-off-by: David S. Miller <>

2015-04-02  samples/bpf: Add simple non-portable kprobe filter example  (Alexei Starovoitov; 1 file, -8/+117)

tracex1_kern.c - C program compiled into BPF.

It attaches to kprobe:netif_receive_skb()

When skb->dev->name == "lo", it prints sample debug message into trace_pipe
via bpf_trace_printk() helper function.

tracex1_user.c - corresponding user space component that:
- loads BPF program via bpf() syscall
- opens kprobes:netif_receive_skb event via perf_event_open() syscall
- attaches the program to event via ioctl(event_fd, PERF_EVENT_IOC_SET_BPF, prog_fd);
- prints from trace_pipe

Note, this BPF program is non-portable. It must be recompiled with current
kernel headers. kprobe is not a stable ABI and BPF+kprobe scripts
may no longer be meaningful when kernel internals change.

No matter in what way the kernel changes, neither the kprobe, nor the BPF
program can ever crash or corrupt the kernel, assuming the kprobes, perf and
BPF subsystem has no bugs.

The verifier will detect that the program is using bpf_trace_printk() and
the kernel will print 'this is a DEBUG kernel' warning banner, which means that
bpf_trace_printk() should be used for debugging of the BPF program only.

Usage:

    $ sudo tracex1
    ping-19826 [000] d.s2 63103.382648: : skb ffff880466b1ca00 len 84
    ping-19826 [000] d.s2 63103.382684: : skb ffff880466b1d300 len 84
    ping-19826 [000] d.s2 63104.382533: : skb ffff880466b1ca00 len 84
    ping-19826 [000] d.s2 63104.382594: : skb ffff880466b1d300 len 84

Signed-off-by: Alexei Starovoitov <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Arnaldo Carvalho de Melo <>
Cc: Daniel Borkmann <>
Cc: David S. Miller <>
Cc: Jiri Olsa <>
Cc: Linus Torvalds <>
Cc: Masami Hiramatsu <>
Cc: Namhyung Kim <>
Cc: Peter Zijlstra <>
Cc: Peter Zijlstra <>
Cc: Steven Rostedt <>
Link:
Signed-off-by: Ingo Molnar <>

2014-12-05  samples: bpf: elf_bpf file loader  (Alexei Starovoitov; 1 file, -0/+203)

simple .o parser and loader using BPF syscall.
.o is a standard ELF generated by LLVM backend

It parses elf file compiled by llvm .c->.o
- parses 'maps' section and creates maps via BPF syscall
- parses 'license' section and passes it to syscall
- parses elf relocations for BPF maps and adjusts BPF_LD_IMM64 insns
  by storing map_fd into insn->imm and marking such insns as BPF_PSEUDO_MAP_FD
- loads eBPF programs via BPF syscall

One ELF file can contain multiple BPF programs.

int load_bpf_file(char *path);
populates prog_fd[] and map_fd[] with FDs received from bpf syscall

bpf_helpers.h - helper functions available to eBPF programs written in C

Signed-off-by: Alexei Starovoitov <>
Signed-off-by: David S. Miller <>