bpfsys

package
v0.6.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 22, 2022 License: MIT Imports: 7 Imported by: 1

Documentation

Overview

Package bpfsys contains low level functions related to syscalls and kernel interactions. It is separated out into this package so the docs of the gobpfld package aren't cluttered. It is recommended to use the more abstract/high level functions available in gobpfld if at all possible. However this package is available for anyone how wants to use more low level functionality

Index

Constants

This section is empty.

Variables

View Source 
var ErrNotSupported = errors.New("feature not supported by kernel version")

ErrNotSupported is returned when attempting to use a feature that is not supported by the kernel version on which the program is executed.

Functions

func BTFGetFDByID 

func BTFGetFDByID(attr *BPFAttrGetID) error

BTFGetFDByID opens a file descriptor for the BPF Type Format (BTF) corresponding to attr.ID.

func BTFGetNextID 

func BTFGetNextID(attr *BPFAttrGetID) error

BTFGetNextID fetches the next BPF Type Format (BTF) object currently loaded into the kernel.

Looks for the BTF object with an id greater than attr.ID and updates attr.NextID on success. If no other BTF objects remain with ids higher than attr.ID, an error with errno ENOENT(2) is returned.

func LinkDetach 

func LinkDetach(attr *BPFAttrLinkDetach) error

LinkDetach forcefully detaches the specified attr.LinkFD from its corresponding attachment point.

func LinkGetNextID 

func LinkGetNextID(attr *BPFAttrGetID) error

LinkGetNextID fetches the next eBPF program currently loaded into the kernel. Looks for the eBPF link with an id greater than attr.ID and updates attr.NextID on success. If no other eBPF links remain with ids higher than attr.ID, an error with errno ENOENT(2) is returned.

func LinkUpdate 

func LinkUpdate(attr *BPFAttrLinkUpdate) error

LinkUpdate updates the eBPF program in the specified attr.LinkFD to attr.NewProgFD.

func MapDeleteBatch 

func MapDeleteBatch(attr *BPFAttrMapBatch) error

MapDeleteBatch deletes multiple elements in a map.

The attr.Keys parameter is an input parameter which must point to memory large enough to hold attr.Count items based on the key size of the map attr.MapFD, that is, sizeof(key_type) * attr.Count.

Each element specified in attr.Keys is sequentially deleted. The attr.InBatch, attr.OutBatch, and attr.Values parameters are ignored and should be zeroed.

The attr.ElemFlags argument may be specified as one of the following:

BPFMapElemLock 

Look up the value of a spin-locked map without
returning the lock. This must be specified if the
elements contain a spinlock.

On success, attr.Count elements from the map are updated.

If an error is returned and errno is not unix.EFAULT, attr.Count is set to the number of successfully processed elements. If errno is unix.EFAULT, up to attr.Count elements may be been deleted.

func MapDeleteElem 

func MapDeleteElem(attr *BPFAttrMapElem) error

MapDeleteElem looks up and delete an element by key in a specified map.

func MapFreeze 

func MapFreeze(attr *BPFAttrMapElem) error

MapFreeze freezes the permissions of the specified map.

Write permissions may be frozen by passing zero attr.Flags. Upon success, no future syscall invocations may alter the map state of attr.MapFD. Write operations from eBPF programs are still possible for a frozen map.

Not supported for maps of type bpftypes.BPF_MAP_TYPE_STRUCT_OPS.

func MapGetNextID 

func MapGetNextID(attr *BPFAttrGetID) error

MapGetNextID fetches the next eBPF map currently loaded into the kernel. Looks for the eBPF map with an id greater than attr.ID and updates attr.NextID on success. If no other eBPF maps remain with ids higher than attr.ID, an error with errno ENOENT(2) is returned.

func MapGetNextKey 

func MapGetNextKey(attr *BPFAttrMapElem) error

MapGetNextKey looks up an element by attr.Key in a specified map and sets the key of the key of the next element in attr.Value_NextValue. Can be used to iterate over all elements

The following cases can be used to iterate over all elements of the map:

  • If attr.Key is not found, the operation sets the attr.Value_NextValue pointer to the key of the first element.
  • If attr.Key is found, the operation returns sets the attr.Value_NextValue pointer to the key of the next element.
  • If attr.Key is the last element, an error with errno ENOENT(2) is returned.

func MapLookupAndDeleteElement 

func MapLookupAndDeleteElement(attr *BPFAttrMapElem) error

MapLookupAndDeleteElement looks up an element with the given attr.Key in the map referred to 

by the file descriptor attr.MapFD, and if found, delete the element.

The bpftypes.BPF_MAP_TYPE_QUEUE and bpftypes.BPF_MAP_TYPE_STACK map types
implement this command as a "pop" operation, deleting the top
element rather than one corresponding to attr.Key.
The attr.Key parameter should be zeroed when issuing this operation for these map types.

This command is only valid for the following map types:
* bpftypes.BPF_MAP_TYPE_QUEUE
* bpftypes.BPF_MAP_TYPE_STACK

func MapLookupBatch 

func MapLookupBatch(attr *BPFAttrMapBatch) error

MapLookupBatch iterates and fetches multiple elements in a map.

Two opaque values are used to manage batch operations, attr.InBatch and attr.OutBatch. Initially, attr.InBatch must be set to NULL to begin the batched operation. After each subsequent MapLookupBatch, the caller should pass the resultant attr.OutBatch as the attr.InBatch for the next operation to continue iteration from the current point.

The attr.Keys and attr.Values are output parameters which must point to memory large enough to hold attr.Count items based on the key and value size of the map attr.MapFD. The attr.Keys buffer must be of sizeof(key_type) * attr.Count. The attr.Values buffer must be of sizeof(value_type) * attr.Count.

The attr.ElemFlags argument may be specified as one of the following:

BPFMapElemLock 

  Look up the value of a spin-locked map without
	 returning the lock. This must be specified if the
	 elements contain a spinlock.

On success, attr.Count elements from the map are copied into the user buffer, with the keys copied into attr.Keys and the values copied into the corresponding indices in attr.Values.

If an error is returned and errno is not unix.EFAULT, attr.Count is set to the number of successfully processed elements.

func MapLookupBatchAndDelete 

func MapLookupBatchAndDelete(attr *BPFAttrMapBatch) error

MapLookupBatchAndDelete iterates and delete all elements in a map. This operation has the same behavior as MapLookupBatch with two exceptions:

  • Every element that is successfully returned is also deleted from the map. This is at least attr.Count elements. Note that attr.Count is both an input and an output parameter.
  • Upon returning with errno set to unix.EFAULT, up to attr.Count elements may be deleted without returning the keys and values of the deleted elements.

func MapLookupElem 

func MapLookupElem(attr *BPFAttrMapElem) error

MapLookupElem looks up an element with a given 'Key' in the map referred to by the file descriptor 'MapFD'. Key must be a pointer to the key value, Value_NextKey must be a pointer to a value which the kernel will overwrite with the value in the map. For this call, only a 'Flags' value of 0 or BPFMapElemLock is allowed

func MapUpdateBatch 

func MapUpdateBatch(attr *BPFAttrMapBatch) error

MapUpdateBatch updates multiple elements in a map by *key*.

The attr.Keys and attr.Value are input parameters which must point to memory large enough to hold attr.Count items based on the key and value size of the map attr.MapFD. The attr.Keys buffer must be of sizeof(key_type) * attr.Count. The attr.Values buffer must be of sizeof(value_type) * attr.Count.

Each element specified in attr.Keys is sequentially updated to the value in the corresponding index in attr.Values. The attr.InBatch and attr.OutBatch parameters are ignored and should be zeroed.

The attr.ElemFlags argument should be specified as one of the following:

BPFMapElemAny 

Create new elements or update a existing elements.

BPFMapElemNoExists 

Create new elements only if they do not exist.

BPFMapElemExists 

Update existing elements.

BPFMapElemLock 

Update spin_lock-ed map elements. This must be
specified if the map value contains a spinlock.

On success, attr.Count elements from the map are updated.

If an error is returned and errno is not unix.EFAULT, attr.Count is set to the number of successfully processed elements.

func MapUpdateElem 

func MapUpdateElem(attr *BPFAttrMapElem) error

MapUpdateElem creates or update an element (key/value pair) in a specified map.

func ObjectGetInfoByFD 

func ObjectGetInfoByFD(attr *BPFAttrGetInfoFD) error

ObjectGetInfoByFD obtains information about the eBPF object corresponding to attr.BPFFD. Populates up to attr.InfoLen bytes of attr.Info, which will be in one of the following formats depending on the eBPF object type of attr.BPFFD:

  • bpftypes.BPFProgInfo
  • bpftypes.BPFMapInfo
  • struct bpf_btf_info (TODO make go version of struct in bpftypes)
  • struct bpf_link_info (TODO make go version of struct in bpftypes)

func ObjectPin 

func ObjectPin(attr *BPFAttrObj) error

ObjectPin pins an eBPF program or map referred by the specified attr.BPFfd to the provided attr.Pathname on the filesystem.

attr.Pathname must not contain a dot (".").

On success, attr.Pathname retains a reference to the eBPF object, preventing deallocation of the object when the original attr.BPFfd is closed. This allow the eBPF object to live beyond attr.BPFfd.Close(), and hence the lifetime of the parent process.

Applying unix.Unlink or similar calls to the attr.Pathname unpins the object from the filesystem, removing the reference. If no other file descriptors or filesystem nodes refer to the same object, it will be deallocated.

The filesystem type for the parent directory of attr.Pathname must be **BPF_FS_MAGIC**. On most systems the /sys/fs/bpf is a BPF_FS_MAGIC directory

func ProgBindMap 

func ProgBindMap(attr *BPFAttrProgBindMap) error

ProgBindMap Bind a map to the lifetime of an eBPF program.

The map identified by attr.MapFD is bound to the program identified by attr.ProgFD and only released when attr.ProgFD is released. This may be used in cases where metadata should be associated with a program which otherwise does not contain any references to the map (for example, embedded in the eBPF program instructions).

func ProgramAttach 

func ProgramAttach(attr *BPFAttrProgAttachDetach) error

ProgramAttach attaches an eBPF program to a attr.TargetFD at the specified attr.AttachType hook. The attr.AttachType specifies the eBPF attachment point to attach the program to, 

and must be one of bpftypes.BPFAttachType.

The attr.AttachBPFFD must be a valid file descriptor for a loaded eBPF program of a cgroup, flow dissector, LIRC, 

 sockmap or sock_ops type corresponding to the specified attr.AttachType.

	The attr.TargetFD must be a valid file descriptor for a kernel
	object which depends on the attach type of attr.AttachBPFFD:
	bpftypes.BPF_PROG_TYPE_CGROUP_DEVICE,
	bpftypes.BPF_PROG_TYPE_CGROUP_SKB,
	bpftypes.BPF_PROG_TYPE_CGROUP_SOCK,
	bpftypes.BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
	bpftypes.BPF_PROG_TYPE_CGROUP_SOCKOPT,
	bpftypes.BPF_PROG_TYPE_CGROUP_SYSCTL,
	bpftypes.BPF_PROG_TYPE_SOCK_OPS
		Control Group v2 hierarchy with the eBPF controller
		enabled. Requires the kernel to be compiled with
		CONFIG_CGROUP_BPF.
	bpftypes.BPF_PROG_TYPE_FLOW_DISSECTOR
		Network namespace (eg /proc/self/ns/net).
	bpftypes.BPF_PROG_TYPE_LIRC_MODE2
		LIRC device path (eg /dev/lircN). Requires the kernel
		to be compiled with CONFIG_BPF_LIRC_MODE2.
	bpftypes.BPF_PROG_TYPE_SK_SKB,
	bpftypes.BPF_PROG_TYPE_SK_MSG
		eBPF map of socket type (eg bpftypes.BPF_MAP_TYPE_SOCKHASH).

func ProgramDetach 

func ProgramDetach(attr *BPFAttrProgAttachDetach) error

ProgramDetach detaches the eBPF program associated with the attr.TargetFD at the hook specified by *attach_type*. The program must have been previously attached using ProgramAttach.

func ProgramGetNextID 

func ProgramGetNextID(attr *BPFAttrGetID) error

ProgramGetNextID fetches the next eBPF program currently loaded into the kernel. Looks for the eBPF program with an id greater than attr.ID and updates attr.NextID on success. If no other eBPF programs remain with ids higher than attr.ID, an error with errno ENOENT(2) is returned.

func ProgramQuery 

func ProgramQuery(attr *BPFAttrProgQuery) error

ProgramQuery obtains information about eBPF programs associated with the specified attr.AttachType hook. The attr.TargetFD must be a valid file descriptor for a kernel object which depends on the attach type of attr.AttachType: 

bpftypes.BPF_PROG_TYPE_CGROUP_DEVICE,
bpftypes.BPF_PROG_TYPE_CGROUP_SKB,
bpftypes.BPF_PROG_TYPE_CGROUP_SOCK,
bpftypes.BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
bpftypes.BPF_PROG_TYPE_CGROUP_SOCKOPT,
bpftypes.BPF_PROG_TYPE_CGROUP_SYSCTL,
bpftypes.BPF_PROG_TYPE_SOCK_OPS
	Control Group v2 hierarchy with the eBPF controller
	enabled. Requires the kernel to be compiled with
	CONFIG_CGROUP_BPF.
bpftypes.BPF_PROG_TYPE_FLOW_DISSECTOR
	Network namespace (eg /proc/self/ns/net).
bpftypes.BPF_PROG_TYPE_LIRC_MODE2
	LIRC device path (eg /dev/lircN). Requires the kernel
	to be compiled with CONFIG_BPF_LIRC_MODE2.

ProgramQuery always fetches the number of programs
attached and the attr.AttachFlags which were used to attach those
programs. Additionally, if attr.ProgIDs is nonzero and the number
of attached programs is less than attr.ProgCnt, populates
attr.ProgIDs with the eBPF program ids of the programs attached
at attr.TargetFD.

The following flags may alter the result:

ProgQueryQueryEffective
	Only return information regarding programs which are
	currently effective at the specified attr.TargetFD.

func ProgramTestRun 

func ProgramTestRun(attr *BPFAttrProgTestRun) error

ProgramTestRun runs the eBPF program associated with the attr.ProgFD a attr.Repeat number of times against a provided program context attr.CtxIn and data attr.DataIn, and return the modified program context attr.CtxOut, attr.DataOut (for example, packet data), result of the execution attr.Retval, and attr.Duration of the test run.

func TaskFDQuery 

func TaskFDQuery(attr *BPFAttrTaskFDQuery) error

TaskFDQuery obtains information about eBPF programs associated with the 

target process identified by attr.PID and attr.FD.

If the attr.PID and attr.fd are associated with a tracepoint, kprobe
or uprobe perf event, then the attr.ProgID and attr.FDType will
be populated with the eBPF program id and file descriptor type
of type bpftypes.BPFTaskFDType. If associated with a kprobe or
uprobe, the  attr.ProbeOffset and attr.ProbeAddr will also be
populated. Optionally, if attr.Buf is provided, then up to
attr.BufLen bytes of attr.Buf will be populated with the name of
the tracepoint, kprobe or uprobe.

The resulting attr.ProgID may be introspected in deeper detail
using ProgramGetFDByID and ObjectGetInfoByFD.

Types

type BPFAttrBTFLoad 

type BPFAttrBTFLoad struct {
	BTF         uintptr
	BTFLogBuf   uintptr
	BTFSize     uint32
	BTFLogSize  uint32
	BTFLogLevel bpftypes.BPFLogLevel
}

BPFAttrBTFLoad is the attribute for the BPF_BTF_LOAD command

func (*BPFAttrBTFLoad) Size 

func (abl *BPFAttrBTFLoad) Size() uintptr

func (*BPFAttrBTFLoad) ToPtr 

func (abl *BPFAttrBTFLoad) ToPtr() unsafe.Pointer

type BPFAttrEnableStats 

type BPFAttrEnableStats struct {
	Type uint32
}

BPFAttrEnableStats is used by BPF_ENABLE_STATS command

func (*BPFAttrEnableStats) Size 

func (aes *BPFAttrEnableStats) Size() uintptr

func (*BPFAttrEnableStats) ToPtr 

func (aes *BPFAttrEnableStats) ToPtr() unsafe.Pointer

type BPFAttrGetID 

type BPFAttrGetID struct {
	ID        uint32
	NextID    uint32
	OpenFlags uint32
}

BPFAttrGetID is used as attribute in the BPF_*_GET_*_ID commands

func (*BPFAttrGetID) Size 

func (agi *BPFAttrGetID) Size() uintptr

func (*BPFAttrGetID) ToPtr 

func (agi *BPFAttrGetID) ToPtr() unsafe.Pointer

type BPFAttrGetInfoFD 

type BPFAttrGetInfoFD struct {
	BPFFD   BPFfd
	InfoLen uint32  // Length of the info buffer
	Info    uintptr // Pointer to buffer where the kernel will store info
}

BPFAttrGetInfoFD is used as attribute in the BPF_OBJ_GET_INFO_BY_FD command

func (*BPFAttrGetInfoFD) Size 

func (agi *BPFAttrGetInfoFD) Size() uintptr

func (*BPFAttrGetInfoFD) ToPtr 

func (agi *BPFAttrGetInfoFD) ToPtr() unsafe.Pointer

type BPFAttrIterCreate 

type BPFAttrIterCreate struct {
	LinkFD uint32
	Flags  uint32
}

BPFAttrIterCreate is used by BPF_ITER_CREATE command

func (*BPFAttrIterCreate) Size 

func (aic *BPFAttrIterCreate) Size() uintptr

func (*BPFAttrIterCreate) ToPtr 

func (aic *BPFAttrIterCreate) ToPtr() unsafe.Pointer

type BPFAttrLinkCreate 

type BPFAttrLinkCreate struct {
	ProgFD                 BPFfd
	TargetFD_TargetIFIndex uint32
	AttachType             bpftypes.BPFAttachType
	Flags                  uint32
}

BPFAttrLinkCreate is used by BPF_LINK_CREATE command

func (*BPFAttrLinkCreate) Size 

func (alc *BPFAttrLinkCreate) Size() uintptr

func (*BPFAttrLinkCreate) ToPtr 

func (alc *BPFAttrLinkCreate) ToPtr() unsafe.Pointer

type BPFAttrLinkDetach 

type BPFAttrLinkDetach struct {
	LinkID uint32
}

func (*BPFAttrLinkDetach) Size 

func (ald *BPFAttrLinkDetach) Size() uintptr

func (*BPFAttrLinkDetach) ToPtr 

func (ald *BPFAttrLinkDetach) ToPtr() unsafe.Pointer

type BPFAttrLinkUpdate 

type BPFAttrLinkUpdate struct {
	LinkFD    uint32
	NewProgFD BPFfd
	Flags     uint32
	OldProgFD BPFfd
}

BPFAttrLinkUpdate is used by BPF_LINK_UPDATE command

func (*BPFAttrLinkUpdate) Size 

func (alu *BPFAttrLinkUpdate) Size() uintptr

func (*BPFAttrLinkUpdate) ToPtr 

func (alu *BPFAttrLinkUpdate) ToPtr() unsafe.Pointer

type BPFAttrMapBatch 

type BPFAttrMapBatch struct {
	InBatch   uintptr // start batch, NULL to start from beginning
	OutBatch  uintptr // output: next start batch
	Keys      uintptr
	Values    uintptr
	Count     uint32 // input/output:  input: # of key/value elements, output: # of filled elements
	MapFD     BPFfd
	ElemFlags BPFAttrMapElemFlags
	Flags     BPFAttrMapElemFlags
}

BPFAttrMapBatch is used as attribute for the BPF_MAP_*_BATCH commands

func (*BPFAttrMapBatch) Size 

func (amb *BPFAttrMapBatch) Size() uintptr

func (*BPFAttrMapBatch) ToPtr 

func (amb *BPFAttrMapBatch) ToPtr() unsafe.Pointer

type BPFAttrMapCreate 

type BPFAttrMapCreate struct {
	MapType               bpftypes.BPFMapType  // one of enum bpf_map_type
	KeySize               uint32               // size of key in bytes
	ValueSize             uint32               // size of value in bytes
	MaxEntries            uint32               // max number of entries in a map
	MapFlags              bpftypes.BPFMapFlags // BPF_MAP_CREATE related flags
	InnerMapFD            BPFfd                // fd pointing to the inner map
	NumaNode              uint32               // numa node (effective only if BPF_F_NUMA_NODE is set)
	MapName               [bpftypes.BPF_OBJ_NAME_LEN]byte
	MapIFIndex            uint32 // ifindex of netdev to create on
	BTFFD                 BPFfd  // fd pointing to a BTF type data
	BTFKeyTypeID          uint32 // BTF type_id of the key
	BTFValueTypeID        uint32 // BTF type_id of the value
	BTFVMLinuxValueTypeID uint32 // BTF type_id of a kernel-struct stored as the map value
}

BPFAttrMapCreate is the attribute for the BPF_MAP_CREATE command

func (*BPFAttrMapCreate) Size 

func (amc *BPFAttrMapCreate) Size() uintptr

func (*BPFAttrMapCreate) ToPtr 

func (amc *BPFAttrMapCreate) ToPtr() unsafe.Pointer

type BPFAttrMapElem 

type BPFAttrMapElem struct {
	MapFD BPFfd
	Key   uintptr // Pointer to the key value
	// In the kernel this is a union, so depending on context this field is pointer to "Value" or "NextKey"
	Value_NextKey uintptr
	Flags         BPFAttrMapElemFlags
}

BPFAttrMapElem is used as attribute for the BPF_MAP_*_ELEM commands

func (*BPFAttrMapElem) Size 

func (ame *BPFAttrMapElem) Size() uintptr

func (*BPFAttrMapElem) ToPtr 

func (ame *BPFAttrMapElem) ToPtr() unsafe.Pointer

type BPFAttrMapElemFlags 

type BPFAttrMapElemFlags uint64

BPFAttrMapElemFlags should be one of the following:

  • BPFMapElemAny
  • BPFMapElemNoExists
  • BPFMapElemExists
  • BPFMapElemLock
const (
	// BPFMapElemAny Create new elements or update a existing elements.
	BPFMapElemAny BPFAttrMapElemFlags = iota
	// BPFMapElemNoExists Create new elements only if they do not exist.
	BPFMapElemNoExists
	// BPFMapElemExists Update existing elements.
	BPFMapElemExists
	// BPFMapElemLock Update spin_lock-ed map elements. This must be
	// specified if the map value contains a spinlock.
	BPFMapElemLock
)

type BPFAttrObj 

type BPFAttrObj struct {
	Pathname  uintptr // pointer to cstring
	BPFfd     BPFfd
	FileFlags uint32
}

BPFAttrObj is used as attribute in the BPF_OBJ_* commands

func (*BPFAttrObj) Size 

func (ao *BPFAttrObj) Size() uintptr

func (*BPFAttrObj) ToPtr 

func (ao *BPFAttrObj) ToPtr() unsafe.Pointer

type BPFAttrProgAttachDetach 

type BPFAttrProgAttachDetach struct {
	TargetFD     uint32 // container object to attach to
	AttachBPFFD  BPFfd  // eBPF program to attach
	AttachType   bpftypes.BPFAttachType
	AttachFlags  bpftypes.BPFProgAttachFlags
	ReplaceBPFFD BPFfd // previously attached eBPF program to replace if BPF_F_REPLACE is used
}

BPFAttrProgAttachDetach is used as attribute in the BPF_PROG_ATTACH/DETACH commands

func (*BPFAttrProgAttachDetach) Size 

func (apa *BPFAttrProgAttachDetach) Size() uintptr

func (*BPFAttrProgAttachDetach) ToPtr 

func (apa *BPFAttrProgAttachDetach) ToPtr() unsafe.Pointer

type BPFAttrProgBindMap 

type BPFAttrProgBindMap struct {
	ProgID uint32
	MapFD  BPFfd
	Flags  uint32
}

BPFAttrProgBindMap is uses as attribute for the BPF_PROG_BIND_MAP command

func (*BPFAttrProgBindMap) Size 

func (abm *BPFAttrProgBindMap) Size() uintptr

func (*BPFAttrProgBindMap) ToPtr 

func (abm *BPFAttrProgBindMap) ToPtr() unsafe.Pointer

type BPFAttrProgQuery 

type BPFAttrProgQuery struct {
	TargetFD    uint32
	AttachType  bpftypes.BPFAttachType
	QueryFlags  BPFAttrProgQueryFlags
	AttachFlags uint32
	ProgIDs     uintptr // Pointer to buffer where ids will be stored
	ProgCnt     uint32
}

BPFAttrProgQuery is used as attribute in the BPF_PROG_QUERY command

func (*BPFAttrProgQuery) Size 

func (apq *BPFAttrProgQuery) Size() uintptr

func (*BPFAttrProgQuery) ToPtr 

func (apq *BPFAttrProgQuery) ToPtr() unsafe.Pointer

type BPFAttrProgQueryFlags 

type BPFAttrProgQueryFlags uint32
const (
	// ProgQueryQueryEffective Query effective (directly attached + inherited from ancestor cgroups)
	// programs that will be executed for events within a cgroup.
	// attach_flags with this flag are returned only for directly attached programs.
	ProgQueryQueryEffective BPFAttrProgQueryFlags = 1 << 0
)

type BPFAttrProgTestRun 

type BPFAttrProgTestRun struct {
	ProgFD      BPFfd
	Retval      uint32
	DataSizeIn  uint32  // Size of the input data buffer
	DataSizeOut uint32  // Size of the output data buffer
	DataIn      uintptr // Pointer to a buffer with input data
	DataOut     uintptr // Pointer to a buffer with output data
	Repeat      uint32
	Duration    uint32
	CtxSizeIn   uint32  // Size of the input ctx
	CtxSizeOut  uint32  // Size of the output ctx
	CtxIn       uintptr // Pointer to the input ctx
	CtxOut      uintptr // Pointer to the output ctx
	Flags       uint32
	CPU         uint32
}

BPFAttrProgTestRun is the attribute for the BPF_PROG_TEST_RUN command

func (*BPFAttrProgTestRun) Size 

func (apt *BPFAttrProgTestRun) Size() uintptr

func (*BPFAttrProgTestRun) ToPtr 

func (apt *BPFAttrProgTestRun) ToPtr() unsafe.Pointer

type BPFAttrProgramLoad 

type BPFAttrProgramLoad bpfAttrProgramLoad5_5

func (*BPFAttrProgramLoad) Size 

func (amb *BPFAttrProgramLoad) Size() uintptr

Size returns the size of the struct, we always pass a pointer to the full struct, but the kernel will only read up to the given amount of bytes. The kernel will throw an error if the size is larger than it expects thus we have to return different sizes depending on the current kernel version.

We use internal structs to calculate the size, we do this since the same struct might be a different size depending on the architecture(32/64 bit addresses).

func (*BPFAttrProgramLoad) ToPtr 

func (amb *BPFAttrProgramLoad) ToPtr() unsafe.Pointer

type BPFAttrRawTracepointOpen 

type BPFAttrRawTracepointOpen struct {
	Name   uintptr
	ProgFD BPFfd
}

BPFAttrRawTracepointOpen is used as attribute in the BPF_RAW_TRACEPOINT_OPEN command

func (*BPFAttrRawTracepointOpen) Size 

func (art *BPFAttrRawTracepointOpen) Size() uintptr

func (*BPFAttrRawTracepointOpen) ToPtr 

func (art *BPFAttrRawTracepointOpen) ToPtr() unsafe.Pointer

type BPFAttrTaskFDQuery 

type BPFAttrTaskFDQuery struct {
	PID         uint32
	FD          BPFfd
	Flags       uint32
	BufLen      uint32
	Buf         uintptr
	ProgID      uint32
	FDType      bpftypes.BPFTaskFDType
	ProbeOffset uint64
	ProbeAddr   uint64
}

func (*BPFAttrTaskFDQuery) Size 

func (atq *BPFAttrTaskFDQuery) Size() uintptr

func (*BPFAttrTaskFDQuery) ToPtr 

func (atq *BPFAttrTaskFDQuery) ToPtr() unsafe.Pointer

type BPFAttribute 

type BPFAttribute interface {
	ToPtr() unsafe.Pointer
	Size() uintptr
}

type BPFSyscallError 

type BPFSyscallError syscall.Error

func (*BPFSyscallError) Error 

func (e *BPFSyscallError) Error() string

type BPFfd 

type BPFfd uint32

BPFfd is an alias of a file descriptor returned by bpf to identify a map, program or link. Since not all the usual file descriptor functions are available to these types of fds.

eBPF objects (maps and programs) can be shared between processes.

  • After **fork**\ (2), the child inherits file descriptors referring to the same eBPF objects.
  • File descriptors referring to eBPF objects can be transferred over **unix**\ (7) domain sockets.
  • File descriptors referring to eBPF objects can be duplicated in the usual way, using **dup**\ (2) and similar calls.
  • File descriptors referring to eBPF objects can be pinned to the filesystem using the **BPF_OBJ_PIN** command of **bpf**\ (2).

An eBPF object is deallocated only after all file descriptors referring to the object have been closed and no references remain pinned to the filesystem or attached (for example, bound to a program or device).

func BTFLoad 

func BTFLoad(attr *BPFAttrBTFLoad) (fd BPFfd, err error)

BTFLoad verifies and loads BPF Type Format (BTF) metadata into the kernel, returning a new file descriptor associated with the metadata. BTF is described in more detail at https://www.kernel.org/doc/html/latest/bpf/btf.html.

The attr.BTF parameter must point to valid memory providing attr.BTFSize bytes of BTF binary metadata.

The returned file descriptor can be passed to other functions such as ProgramLoad or MapCreate to associate the BTF with those objects.

Similar toProgramLoad, BTFLoad has optional parameters to specify a attr.BTFLog, attr.BTFLogSize and attr.BTFLogLevel which allow the kernel to return freeform log output regarding the BTF verification process.

func Bpf 

func Bpf(cmd bpftypes.BPFCommand, attr BPFAttribute, size int) (fd BPFfd, err error)

Bpf is a wrapper around the BPF syscall, so a very low level function. It is not recommended to use it directly unless you know what you are doing

func EnableStats 

func EnableStats(attr *BPFAttrEnableStats) (fd BPFfd, err error)

EnableStats enables eBPF runtime statistics gathering. Runtime statistics gathering for the eBPF runtime is disabled by default to minimize the corresponding performance overhead. This command enables statistics globally.

Multiple programs may independently enable statistics. After gathering the desired statistics, eBPF runtime statistics may be disabled again by calling Close() for the file descriptor returned by this function. Statistics will only be disabled system-wide when all outstanding file descriptors returned by prior calls for this subcommand are closed.

func IterCreate 

func IterCreate(attr *BPFAttrIterCreate) (fd BPFfd, err error)

IterCreate creates an iterator on top of the specified attr.LinkFD (as previously created using LinkUpdate) and return a file descriptor that can be used to trigger the iteration.

If the resulting file descriptor is pinned to the filesystem using ObjectPin, then subsequent unix.Read syscalls for that path will trigger the iterator to read kernel state using the eBPF program attached to attr.LinkFD.

func LinkCreate 

func LinkCreate(attr *BPFAttrLinkCreate) (fd BPFfd, err error)

LinkCreate attaches an eBPF program to a attr.TargetFD at the specified attr.AttachType hook and return a file descriptor handle for managing the link.

func LinkGetFDByID 

func LinkGetFDByID(attr *BPFAttrGetID) (fd BPFfd, err error)

LinkGetFDByID opens a file descriptor for the eBPF Link corresponding to attr.LinkID

func LoadProgram 

func LoadProgram(attr *BPFAttrProgramLoad) (fd BPFfd, err error)

LoadProgram verifies and loads an eBPF program, returning a new file descriptor associated with the program. The close-on-exec file descriptor flag (see fcntl(2) in linux man pages) is automatically enabled for the new file descriptor.

Calling Close on the returned file descriptor will unload the program.

func MapCreate 

func MapCreate(attr *BPFAttrMapCreate) (fd BPFfd, err error)

MapCreate creates a map and return a file descriptor that refers to the map. The close-on-exec file descriptor flag (see fcntl(2) in linux man pages) is automatically enabled for the new file descriptor.

Calling Close on the returned file descriptor will delete the map.

func MapGetFDByID 

func MapGetFDByID(attr *BPFAttrGetID) (fd BPFfd, err error)

MapGetFDByID queries the kernel for the file descriptor of a map with the given ID. If successful the syscall will return the file descriptor as the first return value

func ObjectGet 

func ObjectGet(attr *BPFAttrObj) (fd BPFfd, err error)

ObjectGet opens a file descriptor for the eBPF object pinned to the specified attr.Pathname

func ProgramGetFDByID 

func ProgramGetFDByID(attr *BPFAttrGetID) (fd BPFfd, err error)

ProgramGetFDByID opens a file descriptor for the eBPF program corresponding to attr.ID.

func RawTracepointOpen 

func RawTracepointOpen(attr *BPFAttrRawTracepointOpen) (fd BPFfd, err error)

RawTracepointOpen attaches an eBPF program to a tracepoint *name* to access kernel internal arguments of the tracepoint in their raw form.

The attr.ProgID must be a valid file descriptor associated with a loaded eBPF program of type bpftypes.BPF_PROG_TYPE_RAW_TRACEPOINT.

No ABI guarantees are made about the content of tracepoint arguments exposed to the corresponding eBPF program.

Applying Close to the file descriptor returned by RawTracepointOpen will delete the map.

func (BPFfd) Close 

func (fd BPFfd) Close() error

Close closes a file descriptor

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.