Example how to run eBPF probes without a usermode process using fentry


Pinning eBPF Probes

Simple example to demonstrate how to pin kernel function and syscall probes.

Overview

From my reading of the kernel code, KProbe and Tracepoint eBPF Programs can't be fully pinned to the filesystem, so they can't run without an accompanying usermode process also running.

However, fentry and fexit traces were introduced in Kernel 5.5, and these can be pinned.

These behave similarly to KProbes in that they can be attached to most kernel functions, and also have the benefit of having the function input parameters available at the exit hook.

I encountered an issue when trying to parse parameters when attaching fentry/fexit probes to syscalls, so I created this project to demonstrate not only pinning probes to the bpf filesystem, but also how to parse data from syscalls.

Building

This project is heavily based upon libbpf-bootstrap, so follow its guide to install any required prerequisites.

Fentry was introduced in kernel 5.5, so you need at least that kernel version. The code was written only for x64 machines, although it could be altered to work wherever eBPF works.

To build, checkout this project and run make:

git clone --recursive https://github.com/pathtofile/ebpf-pinned-fentry.git
cd ebpf-pinned-fentry/examples/c
make

This produces an eBPF loader and 4 eBPF Programs attached to:

  • The entry to the openat syscall
  • The exit to the openat syscall
  • The entry to the do_openat kernel function
  • The exit to the do_openat kernel function

Running

First ensure the bpffs is mounted in the right spot:

sudo mount bpffs -t bpf /sys/fs/bpf

Then build and run the pinned program as root:

cd ebpf-pinned-fentry/examples/c
make
sudo ./pinned

This will pin 4 eBPF Programs and 4 eBPF Links to the folder /sys/fs/bpf/pinned:

$> ls -l /sys/fs/bpf/pinned
total 0
drwx------ 2 root root 0 Jun  3 14:50 ./
drwxrwxrwt 3 root root 0 Jun  3 14:50 ../
-rw------- 1 root root 0 Jun  3 14:50 do_unlinkat_entry_link
-rw------- 1 root root 0 Jun  3 14:50 do_unlinkat_entry_prog
-rw------- 1 root root 0 Jun  3 14:50 do_unlinkat_exit_link
-rw------- 1 root root 0 Jun  3 14:50 do_unlinkat_exit_prog
-rw------- 1 root root 0 Jun  3 14:50 unlinkat_syscall_entry_link
-rw------- 1 root root 0 Jun  3 14:50 unlinkat_syscall_exit_link
-rw------- 1 root root 0 Jun  3 14:50 unlink_syscall_entry_prog
-rw------- 1 root root 0 Jun  3 14:50 unlink_syscall_exit_prog
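As an added example (not code from the ebpf-pinned-fentry project), here are the two bpf(2) subcommands underneath the pins listed above. BPF_OBJ_PIN gives the object behind a file descriptor a bpffs inode that holds its own reference, which is why a pinned program or link keeps running after the loader exits; BPF_OBJ_GET reopens the object from that path. These are what libbpf's bpf_program__pin() and bpf_link__pin() wrap. The command numbers and the attr layout are copied from the kernel UAPI (linux/bpf.h) rather than included, the fallback syscall number assumes x86-64 as the project does, and the ".alias" pin name and the obj_pin binary name are my own choices. From the defender's side the same mechanism is the thing to inventory: nothing in the process table shows these objects, so /sys/fs/bpf (or `bpftool prog show` and `bpftool link show`) is where eBPF programs that outlived their loader turn up.

```c
/* Added example, not part of the ebpf-pinned-fentry project: raw bpf(2)
 * BPF_OBJ_PIN / BPF_OBJ_GET, the calls behind bpf_link__pin() and friends.
 * Constants and the attr layout mirror the UAPI in linux/bpf.h. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __NR_bpf
#define __NR_bpf 321            /* bpf(2) syscall number on x86-64 (assumption: x64 only, like the project) */
#endif

/* enum bpf_cmd values from the kernel UAPI header. */
#define BPF_OBJ_PIN 6
#define BPF_OBJ_GET 7

/* The BPF_OBJ_* member of union bpf_attr: path pointer, fd to pin, open flags.
 * Newer trailing fields (path_fd) are omitted; the kernel accepts a shorter attr. */
struct bpf_obj_attr {
    uint64_t pathname;   /* user pointer to a NUL-terminated path, widened to u64 */
    uint32_t bpf_fd;     /* program, map or link fd to pin (BPF_OBJ_PIN only) */
    uint32_t file_flags; /* BPF_F_RDONLY / BPF_F_WRONLY for BPF_OBJ_GET; 0 here */
} __attribute__((aligned(8)));

/* Pin the object behind fd at path on a bpffs mount. Returns 0 or -errno. */
static int bpf_obj_pin(int fd, const char *path)
{
    struct bpf_obj_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (uint64_t)(uintptr_t)path;
    attr.bpf_fd = (uint32_t)fd;
    if (syscall(__NR_bpf, BPF_OBJ_PIN, &attr, sizeof(attr)) < 0)
        return -errno;
    return 0;
}

/* Reopen a pinned object. Returns a new fd or -errno. */
static int bpf_obj_get(const char *path)
{
    struct bpf_obj_attr attr;
    long fd;
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (uint64_t)(uintptr_t)path;
    fd = syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
    return fd < 0 ? -errno : (int)fd;
}

/* Usage (as root, after `sudo ./pinned` from the project):
 *   ./obj_pin /sys/fs/bpf/pinned/do_unlinkat_entry_link
 * Reopens the pinned link, then pins the same object again under a second
 * name: a pin is another reference to the live object, not a copy of it. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <pinned-path>\n", argv[0]);
        return 2;
    }
    int fd = bpf_obj_get(argv[1]);
    if (fd < 0) {
        fprintf(stderr, "BPF_OBJ_GET %s: %s\n", argv[1], strerror(-fd));
        return 1;
    }
    char alias[4096];
    snprintf(alias, sizeof(alias), "%s.alias", argv[1]);
    int rc = bpf_obj_pin(fd, alias);
    if (rc < 0) {
        fprintf(stderr, "BPF_OBJ_PIN %s: %s\n", alias, strerror(-rc));
        close(fd);
        return 1;
    }
    printf("reopened %s as fd %d and pinned it again at %s\n", argv[1], fd, alias);
    close(fd); /* the object stays alive: both bpffs inodes still reference it */
    return 0;
}
```

Run it as root against one of the paths in the listing; the extra ".alias" pin lands in the same directory, so the `rm -r /sys/fs/bpf/pinned` cleanup step below removes it too. Without root, or with unprivileged BPF disabled, both calls fail with EPERM, which is the behaviour a hardened host should show.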

Then cat the trace pipe to confirm the programs are running:

sudo cat /sys/kernel/debug/tracing/trace_pipe

Then just attempt to delete a file using rm:

rm /non/existant/file
touch test_file && rm test_file

Cleanup

Just delete the /sys/fs/bpf/pinned folder:

sudo rm -r /sys/fs/bpf/pinned