
bpf

Intro

bpf - installs or removes a filter program

Description

The bpf() system call is the userspace entry point to extended BPF (eBPF). It loads programs into the kernel, creates and manipulates the maps those programs share with userspace, and attaches loaded programs to hook points. Every program submitted this way is checked by the kernel verifier before it is accepted. The attachment of a program to a probe point is recorded separately by the related bpf_attach event.

What the call does depends on the cmd argument: it creates maps (BPF_MAP_CREATE), reads and writes map elements (BPF_MAP_LOOKUP_ELEM, BPF_MAP_UPDATE_ELEM, BPF_MAP_DELETE_ELEM), loads programs (BPF_PROG_LOAD), pins objects into the BPF filesystem (BPF_OBJ_PIN), or attaches a loaded program to a cgroup, socket or other hook (BPF_PROG_ATTACH, BPF_LINK_CREATE). Attaching to kprobes and tracepoints goes through perf_event_open(2) or BPF_LINK_CREATE, and seccomp filters are classic BPF installed with seccomp(2), not with this syscall.

There are some edge cases and drawbacks related to using bpf(). The verifier rejects programs that fail its safety checks: unbounded loops, out-of-bounds or misaligned memory access, reading an uninitialized register, calling a helper the program type is not allowed to use, or exceeding the complexity budget; the reason is written to the log buffer supplied in attr. Most commands also require CAP_BPF (together with CAP_PERFMON or CAP_NET_ADMIN for some program types) or CAP_SYS_ADMIN, so an unprivileged caller typically gets EPERM. Finally, an overly complex program adds latency on every hook invocation, since it runs in the kernel's hot path.

Arguments

  • cmd:int[K] - command to execute (BPF_MAP_CREATE, BPF_PROG_LOAD, BPF_PROG_ATTACH, ...); determines which members of attr the kernel reads.
  • attr:union bpf_attr*[K] - pointer to a union bpf_attr whose active members depend on cmd (map parameters, program instructions and license, log buffer, attach targets). It must be supplied for every command.
  • size:unsigned int[K] - size in bytes of the attr union as filled in by the caller; the kernel uses it to remain compatible with callers built against older or newer layouts of the union.
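The program below is an added example and is not code from the Tracee project or from this page. It drives bpf(2) directly, filling the union bpf_attr members that the Description and the argument list above refer to: it creates an array map, loads a two-instruction program, and then loads a deliberately broken one to show the verifier rejecting it. It assumes the Linux UAPI headers (<linux/bpf.h>) are installed and, for the syscalls themselves, CAP_BPF or CAP_SYS_ADMIN; the instruction-encoding helpers need no privileges.

```c
/* Added example (not Tracee code): exercise bpf(2) with BPF_MAP_CREATE and
 * BPF_PROG_LOAD. Assumes Linux UAPI headers and CAP_BPF/CAP_SYS_ADMIN at run time. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

/* cmd selects which union members the kernel reads; size tells it how much of
 * attr the caller actually filled in (trailing unknown bytes must be zero). */
static long sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
{
    return syscall(__NR_bpf, cmd, attr, size);
}

/* Encode one eBPF instruction using struct bpf_insn from <linux/bpf.h>. */
static struct bpf_insn insn(uint8_t code, uint8_t dst, uint8_t src,
                            int16_t off, int32_t imm)
{
    struct bpf_insn i;
    memset(&i, 0, sizeof i);
    i.code = code;
    i.dst_reg = dst;
    i.src_reg = src;
    i.off = off;
    i.imm = imm;
    return i;
}

/* "r0 = 0; exit": the smallest program the verifier accepts. Returns insn count. */
static size_t build_valid_prog(struct bpf_insn *out)
{
    out[0] = insn(BPF_ALU64 | BPF_MOV | BPF_K, BPF_REG_0, 0, 0, 0);
    out[1] = insn(BPF_JMP | BPF_EXIT, 0, 0, 0, 0);
    return 2;
}

/* "exit" alone: r0 is never written, so the verifier rejects it (R0 !read_ok). */
static size_t build_invalid_prog(struct bpf_insn *out)
{
    out[0] = insn(BPF_JMP | BPF_EXIT, 0, 0, 0, 0);
    return 1;
}

/* BPF_MAP_CREATE: only the map_* members of the union are meaningful here. */
static int create_map(void)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.map_type = BPF_MAP_TYPE_ARRAY;
    attr.key_size = sizeof(uint32_t);
    attr.value_size = sizeof(uint64_t);
    attr.max_entries = 16;
    return (int)sys_bpf(BPF_MAP_CREATE, &attr, sizeof attr);
}

/* BPF_PROG_LOAD: instructions, license and a log buffer the verifier writes to. */
static int load_prog(const struct bpf_insn *insns, size_t cnt,
                     char *log, size_t log_len)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_SOCKET_FILTER;
    attr.insns = (uint64_t)(uintptr_t)insns;
    attr.insn_cnt = (uint32_t)cnt;
    attr.license = (uint64_t)(uintptr_t)"GPL";
    attr.log_buf = (uint64_t)(uintptr_t)log;
    attr.log_size = (uint32_t)log_len;
    attr.log_level = 1;
    log[0] = '\0';
    return (int)sys_bpf(BPF_PROG_LOAD, &attr, sizeof attr);
}

int main(void)
{
    struct bpf_insn prog[2];
    char log[4096];
    int map_fd, fd;
    size_t n;

    map_fd = create_map();
    if (map_fd < 0) {
        perror("BPF_MAP_CREATE");  /* EPERM: caller lacks CAP_BPF/CAP_SYS_ADMIN */
        return 1;
    }

    n = build_valid_prog(prog);
    fd = load_prog(prog, n, log, sizeof log);
    if (fd < 0)
        printf("valid program rejected (%s):\n%s", strerror(errno), log);
    else {
        printf("valid program loaded, fd %d\n", fd);
        close(fd);
    }

    n = build_invalid_prog(prog);
    fd = load_prog(prog, n, log, sizeof log);
    if (fd < 0)
        printf("invalid program rejected (%s); verifier log:\n%s", strerror(errno), log);
    else {
        printf("invalid program unexpectedly loaded, fd %d\n", fd);
        close(fd);
    }
    close(map_fd);
    return 0;
}
```

Build with gcc and run as root or with CAP_BPF. If the first call fails with EPERM, that is the capability requirement described above; the second load's verifier log shows why the one-instruction program is unsafe, which is the same information Tracee cannot see from the syscall arguments alone.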

Available Tags

  • K - Originated from kernel-space.

Hooks

bpf

Type

kprobe + tracepoint

Purpose

This syscall is hooked so that every bpf() invocation is recorded together with its cmd, attr and size arguments. Because loading or attaching a BPF program lets a process observe and alter kernel behaviour, these calls are a useful signal both for legitimate tooling and for rootkit-style abuse. The attachment of a program to a probe point is covered by the related bpf_attach event.

Example Use Case

A use case for bpf() is to examine the data flowing through database applications. To do this, a user writes a socket-filter or tracing program that monitors database connections and records the amount of data sent and received on each connection. That data can then be used to identify and diagnose database performance bottlenecks.

Issues

The bpf() system call only exists on Linux, so it is not available on other operating systems. Most commands also require CAP_BPF (or CAP_SYS_ADMIN on kernels before 5.8), and the kernel.unprivileged_bpf_disabled sysctl controls whether unprivileged processes may use it at all.

Related Events

  • bpf_attach()
  • bpf_prog_load()
  • seccomp(2)

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.