Skip to content

bpf_attach

Intro

bpf_attach - a BPF program is attached to a probe (kprobe/uprobe/tracepoint)

Description

An event marking that a BPF program was attached to a probe in the system. It occurs whenever a BPF program is attached to a perf event of the types: kprobe, uprobe or tracepoint. The purpose of the event is to give the user information about the BPF program, as well as information about the probe itself.

Arguments

  • prog_type:int[K] - the BPF program type.
  • prog_name:const char*[K] - the BPF program type (first 16 bytes only, as this is how it is saved in the kernel).
  • perf_symbol:const char*[K] - name/path of the symbol the BPF program is being attached to.
  • perf_addr:u64[K] - address/offset of the symbol the BPF program is being attached to.
  • prog_write_user:int[K] - whether the BPF program uses the bpf_probe_write_user() helper function.
  • prog_override_return:int[K] - whether the BPF program uses the bpf_override_return() helper function.
  • perf_type:int[K] - the probe's type.

Hooks

security_file_ioctl

Type

kprobe

Purpose

Catch the attachment of the BPF program to the perf event

security_bpf

Type

kprobe

Purpose

Catch the attachment of the BPF program to the perf event

security_bpf_prog

Type

kprobe

Purpose

save data of the BPF program for when we output the event

check_helper_call

Type

kprobe

Purpose

check whether the BPF program uses helper functions of interest

check_map_func_compatibility

Type

kprobe

Purpose

check whether the BPF program uses helper functions of interest

Example Use Case

./tracee -f e=bpf_attach

Issues

the 'check_helper_call' and 'check_map_func_compatibility' serves the same purpose. in some kernels one of this symbols would not exist - therefore libbpf will output an error (execution will continue successfully due to the other hook).