iovisor / bcc

BCC - Tools for BPF-based Linux IO analysis, networking, monitoring, and more
Apache License 2.0

How to generate BPF code(`sock_fprog`) through bcc? #2492

Open hazelnutsgz opened 5 years ago

hazelnutsgz commented 5 years ago

Hi, I am planning to generate the BPF "assembly" code (`BPF_JUMP`, `BPF_STMT`, etc.) by writing C or Python code.

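```c
#include <stddef.h>         /* offsetof */
#include <linux/filter.h>   /* struct sock_filter, BPF_STMT, BPF_JUMP */
#include <linux/seccomp.h>  /* struct seccomp_data, SECCOMP_RET_* */
#include <sys/syscall.h>    /* __NR_prctl, __NR_write */

struct sock_filter filter[] = {
    /* Load the syscall number into the accumulator. */
    BPF_STMT(BPF_LD+BPF_W+BPF_ABS, (offsetof(struct seccomp_data, nr))),
    /* Allow prctl and write; kill on any other syscall. */
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_prctl, 0, 1),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
    BPF_JUMP(BPF_JMP+BPF_JEQ+BPF_K, __NR_write, 0, 1),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET+BPF_K, SECCOMP_RET_KILL),
};
```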

I was wondering if bcc could provide such interfaces to users, since what I have found is all about higher-level APIs (like tracing). Thanks~

pchaigno commented 5 years ago

bcc doesn't support cBPF, only eBPF. I also don't know any C or Python to cBPF compilers...

hazelnutsgz commented 5 years ago

> bcc doesn't support cBPF, only eBPF. I also don't know any C or Python to cBPF compilers...

Yes, what I am saying is C => eBPF.

I happened to come across this one https://github.com/iovisor/ubpf, hope it could be of help.

pchaigno commented 5 years ago

sock_fprog is for cBPF. Also, your code snippet contains cBPF bytecode. seccomp-bpf supports only cBPF.

You can compile from C to eBPF using the Clang compiler. uBPF is a userspace eBPF VM. It can execute your eBPF bytecode, but won't help you compile.

hazelnutsgz commented 5 years ago

@pchaigno Thanks~
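
Added example, not part of the thread and not bcc code: because the filter in the question is cBPF (`struct sock_filter`), the instruction array can be generated directly in Python without a compiler. The sketch below emits the same allow-list as the question's snippet, preceded by an architecture check that goes beyond it, and includes a small interpreter for just these three opcodes to confirm the verdicts. The function names are hypothetical, and syscall numbers 157 (prctl), 1 (write), 59 (execve) and `AUDIT_ARCH_X86_64` assume an x86-64 target.

```python
import struct

# Opcode fields from <linux/bpf_common.h>; actions from <linux/seccomp.h>.
LD_W_ABS = 0x00 | 0x00 | 0x20   # BPF_LD+BPF_W+BPF_ABS
JEQ_K = 0x05 | 0x10 | 0x00      # BPF_JMP+BPF_JEQ+BPF_K
RET_K = 0x06 | 0x00             # BPF_RET+BPF_K
SECCOMP_RET_KILL, SECCOMP_RET_ALLOW = 0x00000000, 0x7FFF0000
OFF_NR, OFF_ARCH = 0, 4         # offsetof(struct seccomp_data, nr / arch)
AUDIT_ARCH_X86_64 = 0xC000003E  # assumption: x86-64 target


def allowlist(syscall_nrs, arch=AUDIT_ARCH_X86_64):
    """Return (code, jt, jf, k) tuples: kill unless arch matches and nr is listed."""
    prog = [(LD_W_ABS, 0, 0, OFF_ARCH),
            (JEQ_K, 1, 0, arch),              # match: skip the kill below
            (RET_K, 0, 0, SECCOMP_RET_KILL),
            (LD_W_ABS, 0, 0, OFF_NR)]
    for nr in syscall_nrs:
        prog.append((JEQ_K, 0, 1, nr))        # no match: skip the allow below
        prog.append((RET_K, 0, 0, SECCOMP_RET_ALLOW))
    prog.append((RET_K, 0, 0, SECCOMP_RET_KILL))
    return prog


def assemble(prog):
    """Pack as struct sock_filter { __u16 code; __u8 jt; __u8 jf; __u32 k; }."""
    return b"".join(struct.pack("=HBBI", *insn) for insn in prog)


def run(prog, nr, arch=AUDIT_ARCH_X86_64):
    """Interpret the three opcodes used above on a constructed seccomp_data."""
    data = struct.pack("=iI", nr, arch)       # nr and arch fields only
    acc, pc = 0, 0
    while True:
        code, jt, jf, k = prog[pc]
        pc += 1
        if code == LD_W_ABS:
            acc = struct.unpack_from("=I", data, k)[0]
        elif code == JEQ_K:
            pc += jt if acc == k else jf
        elif code == RET_K:
            return k
        else:
            raise ValueError(f"unsupported opcode {code:#x}")


if __name__ == "__main__":
    prog = allowlist([157, 1])                # prctl, write on x86-64 (assumed)
    print(assemble(prog).hex(" ", 8))
    for nr in (1, 157, 59):                   # 59 = execve, not on the list
        print(nr, hex(run(prog, nr)))
```

The bytes returned by `assemble()` are what the `filter` pointer of a `struct sock_fprog` would reference, with `len` set to the instruction count.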