Starting from kernel 5.5, a new type of BPF program is supported, called BPF_PROG_TYPE_TRACING, which uses fentry/fexit for attachment (https://lwn.net/Articles/804937/).
Such programs have zero overhead compared to kprobes, and are thus preferable.
We should use these as the default for kernels >= 5.5.
I'm writing here some ideas for the implementation:
As this kind of program requires BTF support in the running kernel, we can add a new BTF field to the dependencies section of each event. During startup we can query if BTF is supported in the system, and check if the requested events fulfil the requirements.
The same thing can be done for other BPF features, or kernel version requirements. Just add the requirements to the event description, and check during startup if (or which) programs can be loaded.
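A sketch of the startup check proposed above, added here as an example and not taken from the project or the original post. The event table, its field names and the `Program` type are hypothetical; the check assumes BTF is detected through `/sys/kernel/btf/vmlinux` and that the first loadable program in each event's list is preferred.

```python
import os
import platform
import re
from dataclasses import dataclass

# Present when the running kernel was built with CONFIG_DEBUG_INFO_BTF.
BTF_VMLINUX = "/sys/kernel/btf/vmlinux"

@dataclass(frozen=True)
class Program:
    attach: str                 # "fentry", "fexit" or "kprobe"
    min_kernel: tuple = (0, 0)  # lowest (major, minor) able to load it
    needs_btf: bool = False

# Hypothetical event table: programs listed in order of preference.
EVENTS = {
    "security_file_open": [
        Program("fentry", min_kernel=(5, 5), needs_btf=True),
        Program("kprobe"),      # fallback for older or BTF-less kernels
    ],
    "fexit_only_event": [Program("fexit", min_kernel=(5, 5), needs_btf=True)],
}

def parse_release(release):
    """'5.15.0-91-generic' -> (5, 15); raises ValueError if unparseable."""
    m = re.match(r"(\d+)\.(\d+)", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return int(m.group(1)), int(m.group(2))

def has_btf(path=BTF_VMLINUX):
    return os.path.isfile(path)

def select_programs(events, kernel, btf):
    """Return ({event: attach type}, [events with no loadable program])."""
    chosen, unsupported = {}, []
    for name, programs in events.items():
        for prog in programs:
            if kernel >= prog.min_kernel and (btf or not prog.needs_btf):
                chosen[name] = prog.attach
                break
        else:
            unsupported.append(name)  # report instead of failing at load time
    return chosen, unsupported

if __name__ == "__main__":
    kernel, btf = parse_release(platform.release()), has_btf()
    chosen, unsupported = select_programs(EVENTS, kernel, btf)
    print("kernel", kernel, "btf", btf, "load", chosen, "skip", unsupported)
```

Reporting the unsupported events at startup lets the operator see which requested events are not being traced, rather than finding out from missing data later.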