bpf_attach
Intro
bpf_attach - a BPF program is attached to a probe (kprobe/uprobe/tracepoint)
Description
An event marking that a BPF program was attached to a probe in the system. It occurs whenever a BPF program is attached to a perf event of one of the types kprobe, uprobe or tracepoint. The purpose of the event is to give the user information about the BPF program, as well as information about the probe itself.
Arguments
prog_type: int [K] - the BPF program type.
prog_name: const char* [K] - the BPF program name (first 16 bytes only, as this is how it is saved in the kernel).
prog_id: u32 [K] - the BPF program ID as set by the kernel.
prog_helpers: unsigned long[] [K] - list of all BPF helpers used by the BPF program.
perf_symbol: const char* [K] - name/path of the symbol the BPF program is being attached to.
perf_addr: u64 [K] - address/offset of the symbol the BPF program is being attached to.
perf_type: int [K] - the probe's type.
Hooks
security_file_ioctl
Type: kprobe
Purpose: Catch the attachment of the BPF program to the perf event.
security_bpf
Type: kprobe
Purpose: Catch the attachment of the BPF program to the perf event.
security_bpf_prog
Type: kprobe
Purpose: Save data about the BPF program for when the event is output.
check_helper_call
Type: kprobe
Purpose: Get information about which helper functions are used by the BPF program.
check_map_func_compatibility
Type: kprobe
Purpose: Get information about which helper functions are used by the BPF program.
Example Use Case
./tracee -f e=bpf_attach
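As an added example (not part of this page or of Tracee itself), the following Python consumes bpf_attach events from Tracee's JSON output and turns the arguments documented above into an inventory with simple findings: attachments made by a process outside a site-specific allowlist, and programs that use helpers able to modify user memory or return values. It assumes Tracee's JSON record carries `eventName`, `processName` and an `args` array of `{name, value}` objects, that `prog_helpers` is rendered as helper names, and that the sample lines and the `EXPECTED_TRACERS` allowlist are constructed here.

```python
import json

# Constructed sample lines in the assumed shape of Tracee's JSON output:
# eventName, processName and an args array mirroring the arguments documented above.
SAMPLE_LINES = [
    '{"eventName":"bpf_attach","processName":"bpftrace","args":['
    '{"name":"prog_type","value":2},{"name":"prog_name","value":"kprobe_openat"},'
    '{"name":"prog_id","value":42},'
    '{"name":"prog_helpers","value":["bpf_probe_read","bpf_map_update_elem"]},'
    '{"name":"perf_symbol","value":"do_sys_openat2"},{"name":"perf_addr","value":0},'
    '{"name":"perf_type","value":0}]}',
    '{"eventName":"bpf_attach","processName":"unknown_tool","args":['
    '{"name":"prog_type","value":2},{"name":"prog_name","value":"probe"},'
    '{"name":"prog_id","value":43},'
    '{"name":"prog_helpers","value":["bpf_probe_write_user","bpf_get_current_comm"]},'
    '{"name":"perf_symbol","value":"vfs_read"},{"name":"perf_addr","value":0},'
    '{"name":"perf_type","value":0}]}',
    '{"eventName":"sched_process_exec","processName":"bash","args":[]}',
]

EXPECTED_TRACERS = {"bpftrace", "tracee"}  # assumption: site-specific allowlist
# Helpers that can write user memory or alter a probed function's return value.
WRITE_HELPERS = {"bpf_probe_write_user", "bpf_override_return"}


def parse_bpf_attach(line):
    """Return the documented arguments as a dict, or None for any other event."""
    ev = json.loads(line)
    if ev.get("eventName") != "bpf_attach":
        return None
    rec = {a["name"]: a["value"] for a in ev.get("args", [])}
    rec["processName"] = ev.get("processName", "")
    return rec


def assess(rec):
    """Return a list of findings for one bpf_attach record (empty means nothing unusual)."""
    findings = []
    if rec["processName"] not in EXPECTED_TRACERS:
        findings.append(f"attach by unexpected process {rec['processName']!r}")
    used = WRITE_HELPERS.intersection(rec.get("prog_helpers", []))
    if used:
        findings.append(f"program {rec['prog_name']!r} uses {sorted(used)}")
    return findings


def scan(lines):
    """Map prog_id -> (perf_symbol, findings) over every bpf_attach event in the stream."""
    out = {}
    for line in lines:
        rec = parse_bpf_attach(line)
        if rec is not None:
            out[rec["prog_id"]] = (rec["perf_symbol"], assess(rec))
    return out


if __name__ == "__main__":
    for prog_id, (symbol, findings) in scan(SAMPLE_LINES).items():
        print(prog_id, symbol, findings or "ok")
```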