How to use the Berkeley Packet Filter (BPF) to filter function arguments in kernel? The function should be any non-inline functions, rather than only system calls. Also, it is better that the pointers in function arguments can be dereferenced for validation.

I searched the Internet but cannot find any use cases. Most of the materials only describe how to use seccomp / seccomp-BPF.

It seems that eBPF and kprobe/jprobe are integrated to implement the hooking. But I cannot find a good example on the web.

WindChaser

1 Answer

eBPF is probably what you want. If you have not found them already, you should have a look at the examples provided with the bcc (BPF Compiler Collection) tools.

In particular, the example tool argdist relies on kprobes indeed and could be of some interest to you:

argdist probes functions you specify and collects parameter values into a histogram or a frequency count. This can be used to understand the distribution of values a certain parameter takes, filter and print interesting parameters without attaching a debugger, and obtain general execution statistics on various functions.

For example, suppose you want to find what allocation sizes are common in your application:

```
# ./argdist -p 2420 -C 'p:c:malloc(size_t size):size_t:size'
[01:42:29]
p:c:malloc(size_t size):size_t:size
        COUNT      EVENT
[01:42:30]
p:c:malloc(size_t size):size_t:size
        COUNT      EVENT
```

[…]

(extract from the argdist example uses).

For the record, most examples I found so far with eBPF were located in one of those locations:

  • Under linux/samples/bpf within the Linux kernel sources.
  • In the bcc/tools directory of bcc.
  • (For networking examples involving tc, under the iproute2/examples/tc directory in the iproute2 package sources.)
Qeole
  • Can it change the control-flow (e.g., directly return), if finding a bad function argument? – WindChaser Aug 28 '16 at 02:34
  • Ah, hmm. I do not think so, but could not tell for sure :-/ It can filter the arguments and retrieve only the “bad” ones for example, but [return values](http://www.gossamer-threads.com/lists/linux/kernel/2088761) do not seem to interfere with the execution of the observed function. bcc's developers should be able to answer more precisely to this question — sorry! – Qeole Aug 28 '16 at 14:10
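The question asks for three things argdist's one-liners do not make explicit: probing an arbitrary non-inline kernel function, dereferencing a pointer argument, and filtering on what it points to. The following bcc script is an added example written for this page; it is neither the question's nor Qeole's code, nor part of bcc. It assumes the target kernel exports `do_sys_openat2(int dfd, const char *filename, struct open_how *how)` (the symbol and its signature vary across kernel versions; pick any exported function and adjust the handler's parameters), that `python3-bcc` is installed, and that the kernel is new enough for `bpf_probe_read_user_str` (on older kernels `bpf_probe_read_str` plays the same role). It only observes: the probed function's arguments are copied and filtered, its control flow and return value are untouched.

```python
"""Kprobe + eBPF (via bcc) example: read a kernel function's arguments,
dereference a pointer argument, and filter in kernel before reporting.

Assumed (not from the page): the kernel symbol do_sys_openat2 exists and
bcc is installed. Loading BPF programs requires root.
"""
import ctypes

PREFIX = b"/etc/"   # only report filenames starting with this prefix
MAX_PATH = 128      # bytes of the pointed-to string copied into the event

# bcc rewrites the typed parameters after `ctx` into PT_REGS_PARMn reads,
# so this handler works for any non-inline function with those arguments.
BPF_TEMPLATE = r"""
#include <uapi/linux/ptrace.h>

struct event_t {
    u32 pid;
    int dfd;
    char comm[16];
    char filename[MAX_PATH];
};

BPF_PERF_OUTPUT(events);

int trace_open(struct pt_regs *ctx, int dfd, const char *filename)
{
    struct event_t ev = {};

    ev.pid = bpf_get_current_pid_tgid() >> 32;
    ev.dfd = dfd;
    bpf_get_current_comm(&ev.comm, sizeof(ev.comm));

    /* Dereference the pointer argument through a helper: a bad pointer
       gives an error return instead of a kernel fault, and the verifier
       rejects raw dereferences of user memory. */
    if (bpf_probe_read_user_str(&ev.filename, sizeof(ev.filename), filename) <= 0)
        return 0;

    /* Filter on the dereferenced contents while still in kernel. */
PREFIX_CHECK

    events.perf_submit(ctx, &ev, sizeof(ev));
    return 0;
}
"""


def prefix_check_c(prefix: bytes) -> str:
    """Emit unrolled byte comparisons so no loop is needed in the BPF program."""
    return "\n".join(
        f"    if (ev.filename[{i}] != {byte}) return 0;" for i, byte in enumerate(prefix)
    )


def build_program(prefix: bytes = PREFIX, max_path: int = MAX_PATH) -> str:
    """Fill the template with the buffer size and the in-kernel prefix filter."""
    return BPF_TEMPLATE.replace("MAX_PATH", str(max_path)).replace(
        "PREFIX_CHECK", prefix_check_c(prefix)
    )


class Event(ctypes.Structure):
    """User-space mirror of struct event_t (same field order, no padding)."""
    _fields_ = [
        ("pid", ctypes.c_uint32),
        ("dfd", ctypes.c_int),
        ("comm", ctypes.c_char * 16),
        ("filename", ctypes.c_char * MAX_PATH),
    ]


def decode_event(raw: bytes) -> dict:
    """Parse one perf-buffer record into plain Python values."""
    ev = Event.from_buffer_copy(raw)
    return {
        "pid": ev.pid,
        "dfd": ev.dfd,
        "comm": ev.comm.decode("utf-8", "replace"),
        "filename": ev.filename.decode("utf-8", "replace"),
    }


def encode_event(pid: int, dfd: int, comm: bytes, filename: bytes) -> bytes:
    """Build the raw bytes a record would carry (constructed data for offline checks)."""
    return bytes(Event(pid=pid, dfd=dfd, comm=comm, filename=filename))


def main(fn: str = "do_sys_openat2") -> None:
    from bcc import BPF  # imported here so the helpers above work without bcc

    b = BPF(text=build_program())
    b.attach_kprobe(event=fn, fn_name="trace_open")

    def handle(cpu, data, size):
        ev = decode_event(ctypes.string_at(data, size))
        print(f"{ev['pid']:<7} {ev['comm']:<16} dfd={ev['dfd']} {ev['filename']}")

    b["events"].open_perf_buffer(handle)
    print(f"Tracing {fn}(), reporting paths under {PREFIX.decode()} ... Ctrl-C to end")
    while True:
        try:
            b.perf_buffer_poll()
        except KeyboardInterrupt:
            return


if __name__ == "__main__":
    main()
```

The filtering happens inside `trace_open`, so user space is only woken for arguments that match; that is the same division of labour argdist uses, just spelled out. To probe a different function, change the symbol passed to `attach_kprobe` and the handler's parameter list; for a kernel-space pointer, `bpf_probe_read_kernel_str` is the matching helper.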