1. 14 Jun, 2017 1 commit
    • samples/bpf: Fix tracex5 to work with MIPS syscalls. · 4b7190e8
      David Daney authored
      There are two problems:
      
      1) In MIPS the __NR_* macros expand to an expression; this causes the
         sections of the object file to be named like:
      
        .
        .
        .
        [ 5] kprobe/(5000 + 1) PROGBITS        0000000000000000 000160 ...
        [ 6] kprobe/(5000 + 0) PROGBITS        0000000000000000 000258 ...
        [ 7] kprobe/(5000 + 9) PROGBITS        0000000000000000 000348 ...
        .
        .
        .
      
      The fix here is to use the "asm_offsets" trick to evaluate the macros
      in the C compiler and generate a header file with a usable form of the
      macros.
      
      2) MIPS syscall numbers start at 5000, so we need a bigger map to hold
      the sub-programs.
      Signed-off-by: David Daney <david.daney@cavium.com>
      Acked-by: Daniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 13 Feb, 2017 1 commit
  3. 27 Sep, 2016 1 commit
  4. 15 Apr, 2016 1 commit
  5. 08 Jul, 2015 1 commit
  6. 21 May, 2015 1 commit
    • samples/bpf: bpf_tail_call example for tracing · 5bacd780
      Alexei Starovoitov authored
      kprobe example that demonstrates what future seccomp programs may look like.
      It attaches to seccomp_phase1() function and tail-calls other BPF programs
      depending on syscall number.
      
      Existing optimized classic BPF seccomp programs generated by Chrome look like:
      if (sd.nr < 121) {
        if (sd.nr < 57) {
          if (sd.nr < 22) {
            if (sd.nr < 7) {
              if (sd.nr < 4) {
                if (sd.nr < 1) {
                  check sys_read
                } else {
                  if (sd.nr < 3) {
                    check sys_write and sys_open
                  } else {
                    check sys_close
                  }
                }
              } else {
            } else {
          } else {
        } else {
      } else {
      }
      
      the future seccomp using native eBPF may look like:
        bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
      which is simpler, faster and leaves more room for per-syscall checks.
      
      Usage:
      $ sudo ./tracex5
      <...>-366   [001] d...     4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
      <...>-369   [003] d...     4.870066: : mmap
      <...>-369   [003] d...     4.870077: : syscall=110 (one of get/set uid/pid/gid)
      <...>-369   [003] d...     4.870089: : syscall=107 (one of get/set uid/pid/gid)
         sh-369   [000] d...     4.891740: : read(fd=0, buf=00000000023d1000, size=512)
         sh-369   [000] d...     4.891747: : write(fd=1, buf=00000000023d3000, size=512)
         sh-369   [000] d...     4.891747: : read(fd=1, buf=00000000023d3000, size=512)
      Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
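Added example, not code from either commit: a userspace C model of the jump-table dispatch in the 21 May, 2015 message, which also shows why the 14 Jun, 2017 fix needs a larger map once syscall numbers start at 5000. A tail call that finds no program at the index does nothing and execution continues, so a filter built this way needs an explicit fall-through policy. The names jmp_table, table_set, dispatch and demo and the sizes 1024, 6000 and 8192 are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SLOTS 8192   /* constructed upper bound for this model */

/* Userspace model only: a fixed-size handler table stands in for a BPF
 * program-array map, and dispatch() stands in for bpf_tail_call(). */
struct sd { int nr; };                      /* mirrors sd.nr in the message */
typedef const char *(*handler_t)(const struct sd *);
struct jmp_table { size_t max_entries; handler_t slot[SLOTS]; };

static const char *on_read(const struct sd *s)  { (void)s; return "read"; }
static const char *on_write(const struct sd *s) { (void)s; return "write"; }

/* Like a map update: an index at or beyond max_entries is rejected. */
int table_set(struct jmp_table *t, long nr, handler_t h)
{
    if (nr < 0 || (size_t)nr >= t->max_entries)
        return -1;
    t->slot[nr] = h;
    return 0;
}

/* An out-of-range index or an empty slot is not an error: control falls
 * through to whatever follows the call, modelled here as "unhandled". */
const char *dispatch(const struct jmp_table *t, const struct sd *s)
{
    if (s->nr >= 0 && (size_t)s->nr < t->max_entries && t->slot[s->nr])
        return t->slot[s->nr](s);
    return "unhandled";
}

/* Constructed scenario: base 0 models x86-64-style numbering, base 5000
 * the MIPS numbering above. Returns what a read syscall dispatches to. */
const char *demo(size_t max_entries, int base)
{
    static struct jmp_table t;
    struct sd s = { base + 0 };

    memset(&t, 0, sizeof t);
    t.max_entries = max_entries < SLOTS ? max_entries : SLOTS;
    table_set(&t, base + 0, on_read);       /* rejected if the map is too small */
    table_set(&t, base + 1, on_write);
    return dispatch(&t, &s);
}

int main(void)
{
    printf("%s %s %s\n", demo(1024, 0), demo(1024, 5000), demo(6000, 5000));
    return 0;
}
```

With the small table and base 5000, every per-syscall handler is silently skipped, which is the failure mode a per-syscall filter has to account for in its fall-through path.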