Generate Linux kernel wrappers dynamically

jpsamaroo / BPFnative.jl

Native Julia codegen for eBPF bytecode

Other

9 stars 1 forks source link

Generate Linux kernel wrappers dynamically #13

Closed jpsamaroo closed 3 years ago

jpsamaroo commented 3 years ago

This should be helpful when writing various kinds of probes, so that we can introspect (and potentially modify) kernel data structures.

jpsamaroo commented 3 years ago

This is blocked on sending some Clang improvements upstream, but I figured I'd post this now.

krrutkow commented 3 years ago

@jpsamaroo Have you looked at using CBinding.jl/CBindingGen.jl instead? It already has support for C bitfields, unions, field alignment, etc. and I have used it to wrap Linux headers on projects.

jpsamaroo commented 3 years ago

Looks interesting! Here are some initial comments from testing:

CBindingGen only supports Clang up to 9.x, whereas Julia 1.6 is on 11.x (which is the minimum version of Julia that BPFnative supports). This was easy to workaround via copy-pasta.
Using multiple libclangs (Julia's internal one, and Clang_jll's) on Linux musl systems such as Alpine Linux doesn't work due to symbol versioning issues in the musl linker, so I patched CBindingGen to use Julia's internal libclang instead.
After the above, using a simple binding generator I get the following: ERROR: LoadError: Unable to convert type CBindingGen.LibClang.CXTypeKind(<CXType_FunctionNoProto>(0x0000006e)), not yet implemented. I imagine I'll need to modify the cursor callback to explicitly skip such cursor types?

krrutkow commented 3 years ago

Very interesting! You are definitely taking the package off-roading a bit! I am not able to reproduce the problem on my Arch Linux x86_64 setup when parsing the libbpf headers (it works fine), so could you share where in the header the CXType_FunctionNoProto type of expression occurs or how I could reproduce your setup? Also, yes, you should be able to filter out that particular cursor and possibly dependent cursors as well.

jpsamaroo commented 3 years ago

If you test with the output of the bpftool command in this PR, you'll get a full dump of the kernel's data structures (it's ~2.5M of C definitions on my system). I'll try to find a simple reproducer when I get the chance!

krrutkow commented 3 years ago

Wow, that generated code has several challenging issues:

obsolete, empty-parentheses function declarations (void func() instead of void func(void))
unnamed bitfields
bitfields with enumeration types

Support for all 3 is nearly complete. They will probably be available in the next day or so unless more suicidal C is encountered.

jpsamaroo commented 3 years ago

Alright, new strategy! Now we use @krrutkow 's excellent CBinding.jl to generate vmlinux bindings at precompile time. From initial testing, this works spectacularly, although it does take about 2GB of memory and 3 minutes on my machine to precompile. I've gated this functionality behind a Preferences variable, and it's disabled by default. If it works out really well, we can make this the default.

This PR is now just blocked on tests of probe functionality under root mode. I want to make it possible for root-mode tests to pass without vmlinux enabled, so we'll have to keep some simple fallback definitions for things like pt_regs. I also want to try doing something realistic, like hooking a kfunc with task_struct as an argument and reading some values.