• Alexei Starovoitov's avatar
    samples/bpf: bpf_tail_call example for tracing · 5bacd780
    Alexei Starovoitov authored
    kprobe example that demonstrates how future seccomp programs may look like.
    It attaches to seccomp_phase1() function and tail-calls other BPF programs
    depending on syscall number.
    
    Existing optimized classic BPF seccomp programs generated by Chrome look like:
    if (sd.nr < 121) {
      if (sd.nr < 57) {
        if (sd.nr < 22) {
          if (sd.nr < 7) {
            if (sd.nr < 4) {
              if (sd.nr < 1) {
                check sys_read
              } else {
                if (sd.nr < 3) {
                  check sys_write and sys_open
                } else {
                  check sys_close
                }
              }
            } else {
          } else {
        } else {
      } else {
    } else {
    }
    
    the future seccomp using native eBPF may look like:
      bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
    which is simpler, faster and leaves more room for per-syscall checks.
    
    Usage:
    $ sudo ./tracex5
    <...>-366   [001] d...     4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
    <...>-369   [003] d...     4.870066: : mmap
    <...>-369   [003] d...     4.870077: : syscall=110 (one of get/set uid/pid/gid)
    <...>-369   [003] d...     4.870089: : syscall=107 (one of get/set uid/pid/gid)
       sh-369   [000] d...     4.891740: : read(fd=0, buf=00000000023d1000, size=512)
       sh-369   [000] d...     4.891747: : write(fd=1, buf=00000000023d3000, size=512)
       sh-369   [000] d...     4.891747: : read(fd=1, buf=00000000023d3000, size=512)
    Signed-off-by: default avatarAlexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    5bacd780
Makefile 1.71 KB