bm

module
v0.0.0-...-d95844e Latest
Published: Dec 14, 2022 License: MIT

README

An attempt to wrap an eBPF message receiver in Go.

Currently not usable.

install library

  • install tools

    apt install llvm-13 llvm-strip-13 clang-13
    go install github.com/cilium/ebpf/cmd/bpf2go@v0.9.3

  • generate the eBPF bytecode files (very important)

    go get github.com/hakur/bm@latest

    find the library version in your go.mod file, then locate the package directory in the module cache:

    cd $(go env GOMODCACHE)/github.com/hakur/bm@v0.0.0-20221210084109-4507644bce2d && make generate

    in this library version you will see many *_bpfel.o files under
    github.com/hakur/bm@v0.0.0-20221210084109-4507644bce2d/tp/syscalls/loader

    use this command to check that the install succeeded:

    ls $(go env GOMODCACHE)/github.com/hakur/bm@v0.0.0-20221210084109-4507644bce2d/tp/syscalls/loader/*_bpfel.o


Example

package main

import (
	"context"
	"errors"
	"fmt"
	"log"

	"github.com/hakur/bm/tp/syscalls"
	"github.com/hakur/bm/tp/syscalls/loader"
	// The README references types.ErrCtxDone without stating its package path;
	// this import path is an assumption, adjust it to where the module defines it.
	"github.com/hakur/bm/tp/types"
)

func main() {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel()

	// Run a chmod command in another shell to trigger an event print.
	err := syscalls.SysEnterFchmodat(ctx, func(msg *loader.FchmodatEnterEvent) error {
		fmt.Printf("SysEnterFchmodat event accepted, pid=%d ppid=%d mode=%d command=%s filename=%s\n",
			msg.HostPID, msg.HostPPID, msg.FileMode, msg.Command[:], msg.Filename[:])
		return nil
	})
	if err != nil && !errors.Is(err, types.ErrCtxDone) {
		log.Fatal(err)
	}
}
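
The callback above prints the raw event; the decision logic a defender would put inside it, as an added example that is not part of this library, decodes the NUL-padded C char arrays and flags modes that deserve attention (setuid, setgid, world-writable). The FchmodatEnterEvent struct here is a constructed stand-in for the bpf2go-generated type, with the README's field names and assumed array sizes, so the code runs without the generated package.

```go
package main

import (
	"bytes"
	"fmt"
)

// Stand-in for loader.FchmodatEnterEvent (constructed: field names follow the README, array sizes are assumed).
type FchmodatEnterEvent struct {
	HostPID, HostPPID, FileMode uint32
	Command                     [16]byte
	Filename                    [256]byte
}

// POSIX mode bits (octal) worth alerting on in a chmod trace.
var riskyBits = []struct{ bit uint32; name string }{
	{0o4000, "setuid"}, {0o2000, "setgid"}, {0o0002, "world-writable"},
}

// cString decodes a NUL-padded C char array; %s on the raw array keeps the NULs.
func cString(b []byte) string {
	if i := bytes.IndexByte(b, 0); i >= 0 {
		b = b[:i]
	}
	return string(b)
}

// HandleFchmodat is the decision to put inside the callback passed to
// syscalls.SysEnterFchmodat: it returns the alert text, or "" for a benign mode.
func HandleFchmodat(e *FchmodatEnterEvent) string {
	var reasons []string
	for _, b := range riskyBits {
		if e.FileMode&b.bit != 0 {
			reasons = append(reasons, b.name)
		}
	}
	if len(reasons) == 0 {
		return ""
	}
	return fmt.Sprintf("ALERT %v: pid=%d ppid=%d mode=%04o command=%s filename=%s",
		reasons, e.HostPID, e.HostPPID, e.FileMode&0o7777, cString(e.Command[:]), cString(e.Filename[:]))
}

// NewEvent builds a constructed sample event for local runs and tests.
func NewEvent(pid, ppid, mode uint32, cmd, file string) *FchmodatEnterEvent {
	e := &FchmodatEnterEvent{HostPID: pid, HostPPID: ppid, FileMode: mode}
	copy(e.Command[:], cmd)
	copy(e.Filename[:], file)
	return e
}
```

Inside the real callback, pass the *loader.FchmodatEnterEvent fields into the same logic and log only when HandleFchmodat returns a non-empty string.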

faq:

  • add more bpf programs to this lib when you want to add your own code

    install libbpf following the tutorial at https://github.com/libbpf/libbpf#building-libbpf

  • vmlinux.h not found problem

    use libbpf's tool; bpftool is in the libbpf source code, and you may need to build it from source

    bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h

    then move it into /usr/include/bpf/vmlinux.h

  • WSL2 dev

    install a kernel update newer than 5.10.74 from https://www.catalog.update.microsoft.com/Search.aspx?q=wsl

    # error example:      link to tracepoint err -> trace event syscalls/sys_enter_fchmodat: file does not exist
    # you need to run this command
    sudo mount -t debugfs debugfs /sys/kernel/debug

  • how to show testing.Logf messages in VSCode

    edit the VSCode settings.json (the global settings.json is recommended).

    add the field

    "go.testFlags": [
        "-v"
    ]


Directories

Path Synopsis
tp
syscalls/loader
Package loader generated by bpf2go tool,do not edit go code in this package
