5bacd7805a
kprobe example that demonstrates how future seccomp programs may look like.
It attaches to seccomp_phase1() function and tail-calls other BPF programs
depending on syscall number.
Existing optimized classic BPF seccomp programs generated by Chrome look like:
if (sd.nr < 121) {
if (sd.nr < 57) {
if (sd.nr < 22) {
if (sd.nr < 7) {
if (sd.nr < 4) {
if (sd.nr < 1) {
check sys_read
} else {
if (sd.nr < 3) {
check sys_write and sys_open
} else {
check sys_close
}
}
} else {
} else {
} else {
} else {
} else {
}
the future seccomp using native eBPF may look like:
bpf_tail_call(&sd, &syscall_jmp_table, sd.nr);
which is simpler, faster and leaves more room for per-syscall checks.
Usage:
$ sudo ./tracex5
<...>-366 [001] d... 4.870033: : read(fd=1, buf=00007f6d5bebf000, size=771)
<...>-369 [003] d... 4.870066: : mmap
<...>-369 [003] d... 4.870077: : syscall=110 (one of get/set uid/pid/gid)
<...>-369 [003] d... 4.870089: : syscall=107 (one of get/set uid/pid/gid)
sh-369 [000] d... 4.891740: : read(fd=0, buf=00000000023d1000, size=512)
sh-369 [000] d... 4.891747: : write(fd=1, buf=00000000023d3000, size=512)
sh-369 [000] d... 4.891747: : read(fd=1, buf=00000000023d3000, size=512)
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
56 lines
2.0 KiB
C
56 lines
2.0 KiB
C
#ifndef __BPF_HELPERS_H
|
|
#define __BPF_HELPERS_H
|
|
|
|
/* helper macro to place programs, maps, license in
|
|
* different sections in elf_bpf file. Section names
|
|
* are interpreted by elf_bpf loader
|
|
*/
|
|
#define SEC(NAME) __attribute__((section(NAME), used))
|
|
|
|
/* helper functions called from eBPF programs written in C */
|
|
static void *(*bpf_map_lookup_elem)(void *map, void *key) =
|
|
(void *) BPF_FUNC_map_lookup_elem;
|
|
static int (*bpf_map_update_elem)(void *map, void *key, void *value,
|
|
unsigned long long flags) =
|
|
(void *) BPF_FUNC_map_update_elem;
|
|
static int (*bpf_map_delete_elem)(void *map, void *key) =
|
|
(void *) BPF_FUNC_map_delete_elem;
|
|
static int (*bpf_probe_read)(void *dst, int size, void *unsafe_ptr) =
|
|
(void *) BPF_FUNC_probe_read;
|
|
static unsigned long long (*bpf_ktime_get_ns)(void) =
|
|
(void *) BPF_FUNC_ktime_get_ns;
|
|
static int (*bpf_trace_printk)(const char *fmt, int fmt_size, ...) =
|
|
(void *) BPF_FUNC_trace_printk;
|
|
static void (*bpf_tail_call)(void *ctx, void *map, int index) =
|
|
(void *) BPF_FUNC_tail_call;
|
|
|
|
/* llvm builtin functions that eBPF C program may use to
|
|
* emit BPF_LD_ABS and BPF_LD_IND instructions
|
|
*/
|
|
struct sk_buff;
|
|
unsigned long long load_byte(void *skb,
|
|
unsigned long long off) asm("llvm.bpf.load.byte");
|
|
unsigned long long load_half(void *skb,
|
|
unsigned long long off) asm("llvm.bpf.load.half");
|
|
unsigned long long load_word(void *skb,
|
|
unsigned long long off) asm("llvm.bpf.load.word");
|
|
|
|
/* a helper structure used by eBPF C program
|
|
* to describe map attributes to elf_bpf loader
|
|
*/
|
|
struct bpf_map_def {
|
|
unsigned int type;
|
|
unsigned int key_size;
|
|
unsigned int value_size;
|
|
unsigned int max_entries;
|
|
};
|
|
|
|
static int (*bpf_skb_store_bytes)(void *ctx, int off, void *from, int len, int flags) =
|
|
(void *) BPF_FUNC_skb_store_bytes;
|
|
static int (*bpf_l3_csum_replace)(void *ctx, int off, int from, int to, int flags) =
|
|
(void *) BPF_FUNC_l3_csum_replace;
|
|
static int (*bpf_l4_csum_replace)(void *ctx, int off, int from, int to, int flags) =
|
|
(void *) BPF_FUNC_l4_csum_replace;
|
|
|
|
#endif
|