eunomia-bpf / bpftime

Userspace eBPF runtime for Observability, Network & General Extensions Framework
https://eunomia.dev/bpftime/
MIT License

[FEATURE] Use kernel eBPF runtime for bpftime #122

Open yunwei37 opened 10 months ago

yunwei37 commented 10 months ago

Is your feature request related to a problem? Please describe.

As discussed before, we need to use the kernel eBPF runtime if the prog accesses kernel data structures like task_struct.

We can use a syscall instead of a trap, and may gain 2x less overhead because syscalls are more lightweight.

Describe the solution you'd like

See the kernel-vm branch for a PoC. We should find a better way to make it work with libbpf.

Describe alternatives you've considered

Provide usage examples

Additional context

Officeyutong commented 9 months ago

We may run eBPF programs with bpf_test_run when entering hooks such as uprobe. Maps might be automatically converted to shared maps.