2

I am learning about eBPF and I understand that I can attach my eBPF programs to kprobes, uprobes, tracepoints and more. I see that there is a list of tracepoints under /sys/kernel/debug/tracing/events/ where I can attach eBPF programs to. However, how do I find which kprobe functions I can break into, say TCP related ones? Also, how do I find those function signatures?

Thanks.

user3267989

1 Answer

5

You can attach a kprobe to nearly all functions of your kernel (provided they have not been inlined when compiling the kernel). One way to list those functions is through cat /proc/kallsyms. In your case, grep for tcp on that file? As for the signatures, I don't believe there is a place to get them other than by reading the kernel sources for your kernel version.

Note that, because kernel functions are not part of the user API, there is no guarantee regarding the stability of their signature (which could be a reason why a list of signatures would make little sense—other than the huge number of signatures to list). If you want your eBPF programs to be more robust and portable between different kernel versions, you should have a look at CO-RE.

Qeole
  • Not all kernel functions. Functions in `/sys/kernel/debug/kprobes/blacklist` cannot be attached to. See https://www.kernel.org/doc/html/latest/trace/kprobes.html#blacklist. – pchaigno May 31 '21 at 07:39
  • Hence the “nearly” :p. But thanks for the precision! – Qeole May 31 '21 at 12:27
  • Please make the "nearly" bold. I only read bold text :-D – pchaigno May 31 '21 at 14:29
  • Done. _Takes note to buy glasses for pchaigno for their next birthday._ – Qeole May 31 '21 at 18:58
  • @Qeole can you please tell me, if I need to trap a kernel function, do I need to write `SEC("kprobe/sys_write")` to trap the `sys_write` system call? And will my SEC attribute be enough if loaded correctly along with the function definition? – user786 Jan 23 '22 at 03:19
  • All depends on whether your loader is able to interpret this section name. If you load with libbpf, or with bpftool (which relies on libbpf), then yes, it should be enough. – Qeole Jan 24 '22 at 11:05
  • @Qeole can you also please tell me whether a uprobe eBPF program attaches to some user-space program function? Is there any sample for that in the kernel source or any tutorial with libbpf? – user786 Jan 28 '22 at 02:55
  • Yes, uprobes attach to user space functions. There are a few examples here and there, although not as many as for kprobes. Try grepping for `uprobes` in `kernel/samples/` in the kernel repo maybe. BCC has a few examples, `sslsniff` is an interesting one. Have a look at the `bpftrace` project as well, it might help you trace things without having to code the eBPF parts. – Qeole Jan 28 '22 at 09:51
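A shell version of the lookup the answer and the first comment describe, added here as an example (not code from the answer or its commenters): text symbols from /proc/kallsyms filtered by a pattern such as `tcp`, minus any name in the kprobes blacklist. The file paths are parameters so the same function can run on constructed sample data; the sample addresses and the blacklisted entry are made up, and the column layouts of both files are assumed from the real ones.

```shell
#!/bin/sh
# Added example (not from the original answer): list kernel text symbols
# matching a pattern (e.g. tcp) that are candidate kprobe attach points,
# minus anything listed in the kprobes blacklist the comments mention.

# kprobe_candidates PATTERN [KALLSYMS_FILE] [BLACKLIST_FILE]
# Defaults are the real files; both are parameters so the function can
# also run on constructed sample data (see demo_on_sample).
kprobe_candidates() {
    pattern=$1
    kallsyms=${2:-/proc/kallsyms}
    blacklist=${3:-/sys/kernel/debug/kprobes/blacklist}

    # /proc/kallsyms lines: "<addr> <type> <name> [module]". Only text
    # symbols (type t or T) are functions; data symbols (D, B, R ...) are
    # not kprobe targets, and inlined functions never appear at all.
    # Blacklist lines look like: "0xADDR-0xADDR<TAB>symbol_name".
    awk -v pat="$pattern" -v bl="$blacklist" '
        BEGIN {
            # getline returns -1 when the blacklist is unreadable (debugfs
            # not mounted, not root); then nothing is excluded.
            while ((getline line < bl) > 0) {
                if (split(line, f, /[ \t]+/) >= 2) banned[f[2]] = 1
            }
            close(bl)
        }
        ($2 == "t" || $2 == "T") && $3 ~ pat && !($3 in banned) { print $3 }
    ' "$kallsyms" | sort -u
}

# Constructed sample data (not real kernel output) covering each rule:
# a data symbol, a blacklisted function, a module function and a
# function that does not match the pattern.
demo_on_sample() {
    dir=$(mktemp -d)
    printf '%s\n' \
        'ffffffff81a0c0a0 T tcp_v4_connect' \
        'ffffffff81a0e3c0 t tcp_write_xmit' \
        'ffffffff82a1b000 D tcp_prot' \
        'ffffffff81a10000 T tcp_sendmsg' \
        'ffffffff81b00000 T udp_sendmsg' \
        'ffffffffc0a00000 t tcp_bbr_main [tcp_bbr]' \
        > "$dir/kallsyms"
    printf '0xffffffff81a10000-0xffffffff81a10100\ttcp_sendmsg\n' \
        > "$dir/blacklist"
    kprobe_candidates '^tcp_' "$dir/kallsyms" "$dir/blacklist"
    rm -rf "$dir"
}
```

On a live system, `kprobe_candidates tcp` with no further arguments reads the real files; without root the blacklist is usually unreadable, so treat the output as "not inlined" rather than "guaranteed attachable".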