elf

package
v0.0.0-...-a96e238 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 11, 2021 License: Apache-2.0 Imports: 21 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// Object pin settings should correspond to those of other projects, e.g.:
	// https://git.kernel.org/pub/scm/linux/kernel/git/shemminger/iproute2.git/tree/include/bpf_elf.h#n25
	// Also it should be self-consistent with `elf/include/bpf.h` in the same repository.
	PIN_NONE      = 0
	PIN_OBJECT_NS = 1
	PIN_GLOBAL_NS = 2
	PIN_CUSTOM_NS = 3
)
View Source
const (
	BPFDirGlobals = "globals" // as in iproute2's BPF_DIR_GLOBALS
	BPFFSPath     = "/sys/fs/bpf/"
)

Variables

This section is empty.

Functions

func AttachCgroupProgram

func AttachCgroupProgram(cgroupProg *CgroupProgram, cgroupPath string, attachType AttachType) error

func AttachCgroupProgramFromFd

func AttachCgroupProgramFromFd(progFd int, cgroupPath string, attachType AttachType) error

func AttachSocketFilter

func AttachSocketFilter(socketFilter *SocketFilter, sockFd int) error

func AttachUprobe

func AttachUprobe(uprobe *Uprobe, path string, offset uint64) error

AttachUprobe attaches the uprobe's BPF script to the program or library at the given path and offset.

func CurrentKernelVersion

func CurrentKernelVersion() (uint32, error)

CurrentKernelVersion returns the current kernel version in LINUX_VERSION_CODE format (see KernelVersionFromReleaseString())

func DetachCgroupProgram

func DetachCgroupProgram(cgroupProg *CgroupProgram, cgroupPath string, attachType AttachType) error

func DetachSocketFilter

func DetachSocketFilter(socketFilter *SocketFilter, sockFd int) error

func GetProgFd

func GetProgFd(pinPath string) int

GetProgFd returns the fd for a pinned bpf program at the given path

func GetSyscallFnName

func GetSyscallFnName(name string) (string, error)

Returns the qualified syscall named by going through '/proc/kallsyms' on the system on which its executed. It allows BPF programs that may have been compiled for older syscall functions to run on newer kernels

func KernelVersionFromReleaseString

func KernelVersionFromReleaseString(releaseString string) (uint32, error)

KernelVersionFromReleaseString converts a release string with format 4.4.2[-1] to a kernel version number in LINUX_VERSION_CODE format. That is, for kernel "a.b.c", the version number will be (a<<16 + b<<8 + c)

func NowNanoseconds

func NowNanoseconds() uint64

NowNanoseconds returns a time that can be compared to bpf_ktime_get_ns()

func PinObject

func PinObject(fd int, pinPath string) error

PinObject pins an object to a path

func PinObjectGlobal

func PinObjectGlobal(fd int, namespace, name string) error

PinObjectGlobal pins and object to a name in a namespaces e.g. `/sys/fs/bpf/my-namespace/globals/my-name`

Types

type AttachType

type AttachType int
const (
	IngressType AttachType = iota
	EgressType
	SockCreateType
)

type CgroupProgram

type CgroupProgram struct {
	Name string
	// contains filtered or unexported fields
}

CgroupProgram represents a cgroup skb/sock program

func (*CgroupProgram) Fd

func (p *CgroupProgram) Fd() int

type CloseOptions

type CloseOptions struct {
	// Set Unpin to true to close pinned maps as well
	Unpin   bool
	PinPath string
}

CloseOptions can be used for custom `Close` parameters

type Kprobe

type Kprobe struct {
	Name string
	// contains filtered or unexported fields
}

Kprobe represents a kprobe or kretprobe and has to be declared in the C file,

func (*Kprobe) Fd

func (kp *Kprobe) Fd() int

type Map

type Map struct {
	Name string
	// contains filtered or unexported fields
}

Map represents a eBPF map. An eBPF map has to be declared in the C file.

func (*Map) Fd

func (m *Map) Fd() int

type Module

type Module struct {
	// contains filtered or unexported fields
}

func NewModule

func NewModule(fileName string) *Module

func NewModuleFromReader

func NewModuleFromReader(fileReader io.ReaderAt) *Module

func NewModuleFromReaderWithLog

func NewModuleFromReaderWithLog(fileReader io.ReaderAt, logSize uint32) *Module

func NewModuleWithLog

func NewModuleWithLog(fileName string, logSize uint32) *Module

func (*Module) AttachXDP

func (b *Module) AttachXDP(devName string, secName string) error

func (*Module) AttachXDPWithFlags

func (b *Module) AttachXDPWithFlags(devName string, secName string, flags uint32) error

AttachXDPWithFlags attaches an xdp section to a device with flags.

func (*Module) CgroupProgram

func (b *Module) CgroupProgram(name string) *CgroupProgram

func (*Module) Close

func (b *Module) Close() error

Close takes care of terminating all underlying BPF programs and structures. That is:

* Closing map file descriptors and unpinning them where applicable * Detaching BPF programs from kprobes and closing their file descriptors * Closing cgroup-bpf file descriptors * Closing socket filter file descriptors * Closing XDP file descriptors

It doesn't detach BPF programs from cgroups or sockets because they're considered resources the user controls. It also doesn't unpin pinned maps. Use CloseExt and set Unpin to do this.

func (*Module) CloseExt

func (b *Module) CloseExt(options map[string]CloseOptions) error

CloseExt takes a map "elf section -> CloseOptions"

func (*Module) DeleteElement

func (b *Module) DeleteElement(mp *Map, key unsafe.Pointer) error

DeleteElement deletes the given key in the the map stored in mp. The key is stored in the key unsafe.Pointer.

func (*Module) EnableKprobe

func (b *Module) EnableKprobe(secName string, maxactive int) error

EnableKprobe enables a kprobe/kretprobe identified by secName. For kretprobes, you can configure the maximum number of instances of the function that can be probed simultaneously with maxactive. If maxactive is 0 it will be set to the default value: if CONFIG_PREEMPT is enabled, this is max(10, 2*NR_CPUS); otherwise, it is NR_CPUS. For kprobes, maxactive is ignored.

func (*Module) EnableKprobes

func (b *Module) EnableKprobes(maxactive int) error

EnableKprobes enables all kprobes/kretprobes included in the module. The value in maxactive will be applied to all the kretprobes.

func (*Module) EnableOptionCompatProbe

func (b *Module) EnableOptionCompatProbe()

EnableOptionCompatProbe will attempt to automatically convert function names in kprobe and kretprobe to maintain compatibility between kernel versions. See: https://github.com/accuknox/gobpf/issues/146

func (*Module) EnableTracepoint

func (b *Module) EnableTracepoint(secName string) error

func (*Module) IterCgroupProgram

func (b *Module) IterCgroupProgram() <-chan *CgroupProgram

func (*Module) IterKprobes

func (b *Module) IterKprobes() <-chan *Kprobe

IterKprobes returns a channel that emits the kprobes that included in the module.

func (*Module) IterMaps

func (b *Module) IterMaps() <-chan *Map

func (*Module) IterSchedProgram

func (b *Module) IterSchedProgram() <-chan *SchedProgram

IterSchedProgram returns a channel that emits the sched programs included in the module.

func (*Module) IterSocketFilter

func (b *Module) IterSocketFilter() <-chan *SocketFilter

func (*Module) IterTracepointProgram

func (b *Module) IterTracepointProgram() <-chan *TracepointProgram

func (*Module) IterUprobes

func (b *Module) IterUprobes() <-chan *Uprobe

IterUprobes returns a channel that emits the uprobes included in the module.

func (*Module) IterXDPProgram

func (b *Module) IterXDPProgram() <-chan *XDPProgram

func (*Module) Kprobe

func (b *Module) Kprobe(name string) *Kprobe

func (*Module) Load

func (b *Module) Load(parameters map[string]SectionParams) error

Load loads the BPF programs and BPF maps in the module. Each ELF section can optionally have parameters that changes how it is configured.

func (*Module) Log

func (b *Module) Log() []byte

Log gives users access to the log buffer with verifier messages

func (*Module) LookupAndDeleteElement

func (b *Module) LookupAndDeleteElement(mp *Map, value unsafe.Pointer) error

LookupAndDeleteElement picks up and delete the element in the the map stored in mp. The value is stored in the value unsafe.Pointer.

func (*Module) LookupElement

func (b *Module) LookupElement(mp *Map, key, value unsafe.Pointer) error

LookupElement looks up the given key in the the map stored in mp. The value is stored in the value unsafe.Pointer.

func (*Module) LookupNextElement

func (b *Module) LookupNextElement(mp *Map, key, nextKey, value unsafe.Pointer) (bool, error)

LookupNextElement looks up the next element in mp using the given key. The next key and the value are stored in the nextKey and value parameter. Returns false at the end of the mp.

func (*Module) Map

func (b *Module) Map(name string) *Map

func (*Module) PerfMapStop

func (b *Module) PerfMapStop(mapName string) error

PerfMapStop stops the BPF program from writing into the perf ring buffers. However, the userspace program can still read the ring buffers.

func (*Module) RemoveXDP

func (b *Module) RemoveXDP(devName string) error

func (*Module) SchedProgram

func (b *Module) SchedProgram(name string) *SchedProgram

func (*Module) SocketFilter

func (b *Module) SocketFilter(name string) *SocketFilter

func (*Module) UpdateElement

func (b *Module) UpdateElement(mp *Map, key, value unsafe.Pointer, flags uint64) error

UpdateElement stores value in key in the map stored in mp. The flags can have the following values (if you include "uapi/linux/bpf.h"): C.BPF_ANY to create new element or update existing; C.BPF_NOEXIST to create new element if it didn't exist; C.BPF_EXIST to update existing element.

func (*Module) Uprobe

func (b *Module) Uprobe(name string) *Uprobe

func (*Module) XDPProgram

func (b *Module) XDPProgram(name string) *XDPProgram

type OrderedBytesArray

type OrderedBytesArray struct {
	// contains filtered or unexported fields
}

Assume the timestamp is at the beginning of the user struct

func (OrderedBytesArray) Len

func (a OrderedBytesArray) Len() int

func (OrderedBytesArray) Less

func (a OrderedBytesArray) Less(i, j int) bool

func (OrderedBytesArray) Swap

func (a OrderedBytesArray) Swap(i, j int)

type PerfEventHeader

type PerfEventHeader struct {
	Type      uint32
	Misc      uint16
	TotalSize uint16
}

Matching 'struct perf_event_header in <linux/perf_event.h>

type PerfEventLost

type PerfEventLost struct {
	PerfEventHeader
	Id   uint64
	Lost uint64
}

Matching 'struct perf_event_lost in kernel sources

type PerfEventSample

type PerfEventSample struct {
	PerfEventHeader
	Size uint32
	// contains filtered or unexported fields
}

Matching 'struct perf_event_sample in kernel sources

type PerfMap

type PerfMap struct {
	// contains filtered or unexported fields
}

func InitPerfMap

func InitPerfMap(b *Module, mapName string, receiverChan chan []byte, lostChan chan uint64) (*PerfMap, error)

func (*PerfMap) DumpBackward

func (pm *PerfMap) DumpBackward() (out [][]byte)

func (*PerfMap) PollStart

func (pm *PerfMap) PollStart()

func (*PerfMap) PollStop

func (pm *PerfMap) PollStop()

PollStop stops the goroutine that polls the perf event map. Callers must not close receiverChan or lostChan: they will be automatically closed on the sender side.

func (*PerfMap) SetTimestampFunc

func (pm *PerfMap) SetTimestampFunc(timestamp func(*[]byte) uint64)

SetTimestampFunc registers a timestamp callback that will be used to reorder the perf events chronologically.

If not set, the order of events sent through receiverChan is not guaranteed.

Typically, the ebpf program will use bpf_ktime_get_ns() to get a timestamp and store it in the perf event. The perf event struct is opaque to this package, hence the need for a callback.

func (*PerfMap) SwapAndDumpBackward

func (pm *PerfMap) SwapAndDumpBackward() (out [][]byte)

type SchedProgram

type SchedProgram struct {
	Name string
	// contains filtered or unexported fields
}

SchedProgram represents a traffic classifier program

func (*SchedProgram) Fd

func (sp *SchedProgram) Fd() int

type SectionParams

type SectionParams struct {
	PerfRingBufferPageCount    int
	SkipPerfMapInitialization  bool
	PinPath                    string // path to be pinned, relative to "/sys/fs/bpf"
	MapMaxEntries              int    // Used to override bpf map entries size
	PerfRingBufferBackward     bool
	PerfRingBufferOverwritable bool
}

type SocketFilter

type SocketFilter struct {
	Name string
	// contains filtered or unexported fields
}

SocketFilter represents a socket filter

func (*SocketFilter) Fd

func (sf *SocketFilter) Fd() int

type TracepointProgram

type TracepointProgram struct {
	Name string
	// contains filtered or unexported fields
}

TracepointProgram represents a tracepoint program

func (*TracepointProgram) Fd

func (tp *TracepointProgram) Fd() int

type Uprobe

type Uprobe struct {
	Name string
	// contains filtered or unexported fields
}

func (*Uprobe) Fd

func (up *Uprobe) Fd() int

type XDPProgram

type XDPProgram struct {
	Name string
	// contains filtered or unexported fields
}

XDPProgram represents a XDP hook program

func (*XDPProgram) Fd

func (xdpp *XDPProgram) Fd() int

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL