Is it possible to modify a syscall's arguments using bpftrace #2280
I'm new to eBPF, and I'm studying bpftrace. I have read the Linux Kernel Document - Kprobes, and it says that a Kprobe can change the register set and so change the execution path. I'm wondering whether it is possible, in bpftrace, to probe a syscall and modify its arguments so that the syscall does something we want? If we can do this, how?
Hi @Taeyang123456, I think that this is not possible with eBPF.
What is possible is to override the syscall's return value; in bpftrace this is done using the override builtin. This only works if your kernel is compiled with CONFIG_BPF_KPROBE_OVERRIDE, and the function you override must be tagged with ALLOW_ERROR_INJECTION (which, AFAIK, all syscalls are).
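
The two preconditions named in the reply above can be checked on a host before relying on (or auditing for) override. This is an added example, not part of the original discussion or bpftrace's own code: the helper names `kconfig_enabled`, `injectable` and `can_override` are hypothetical and the sample files are constructed. On a live system the inputs would typically be `/boot/config-$(uname -r)` and `/sys/kernel/debug/error_injection/list` (root and a mounted debugfs required).

```shell
#!/bin/sh
# kconfig_enabled FILE OPTION: succeeds if OPTION is built in (=y) in a kernel config file.
kconfig_enabled() {
    grep -q "^$2=y\$" "$1"
}

# injectable FILE FUNC: succeeds if FUNC is listed in an error_injection list,
# i.e. the kernel function was tagged with ALLOW_ERROR_INJECTION.
injectable() {
    awk -v f="$2" '$1 == f { found = 1 } END { exit !found }' "$1"
}

# can_override CONFIG LIST FUNC: prints a verdict.
# Returns 0 if both preconditions hold, 1 if the config option is off,
# 2 if the function is not error-injectable.
can_override() {
    if ! kconfig_enabled "$1" CONFIG_BPF_KPROBE_OVERRIDE; then
        echo "no: CONFIG_BPF_KPROBE_OVERRIDE is not enabled"
        return 1
    fi
    if ! injectable "$2" "$3"; then
        echo "no: $3 is not tagged ALLOW_ERROR_INJECTION"
        return 2
    fi
    echo "yes: override() can be used on $3"
}

# Constructed sample inputs so the example runs offline.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/config" <<'EOF'
CONFIG_KPROBES=y
CONFIG_FUNCTION_ERROR_INJECTION=y
CONFIG_BPF_KPROBE_OVERRIDE=y
EOF
cat > "$demo/config_off" <<'EOF'
CONFIG_KPROBES=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
EOF
# Same layout as the debugfs file: function name, tab, error type.
printf '__x64_sys_getuid\tERRNO\n__x64_sys_openat\tERRNO\n' > "$demo/list"

can_override "$demo/config" "$demo/list" __x64_sys_getuid || true
can_override "$demo/config" "$demo/list" vfs_read || true
can_override "$demo/config_off" "$demo/list" __x64_sys_getuid || true
```
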