Hi everyone! Today we announce the v0.22.0 release of ebpf-go. This release ships Linux 7.1 compatibility: older versions of the library will not work on 7.1 kernels and above, so please upgrade if you are targeting the latest releases of Linux. We also made a breaking change to BTF caching; please read the notes on that below. And of course there are a few fixes, improvements and minor features.
Kernel 7.1 compatibility
In kernel 7.1 the BTF header was extended to introduce a new feature called BTF layout. This change caused our BTF parser to fail when parsing vmlinux for this kernel. This is fixed in this release; we recommend upgrading to avoid breakage on 7.1 and newer kernels.
See #2042 for details. Special thanks to @Capricornus007 for making the bug report that allowed us to fix this in a timely manner.
BPF token support
Some BPF-related actions require the user to have root privileges (CAP_SYS_ADMIN). One example is loading and attaching programs that can inspect kernel memory. In some environments, you may want to permit a known good process to load such BPF programs without granting it CAP_SYS_ADMIN, to avoid privilege escalation if that process gets compromised.
BPF tokens are a mechanism that allows a privileged process to delegate fine-grained BPF capabilities to an unprivileged process. The process of delegating is complex and typically handled by a container runtime such as LXC or a process manager like systemd. This part of the handshake is currently out of scope of ebpf-go, as the library is not in charge of process creation where this delegation takes place.
However, the consuming side is what's included in this release. ebpf-go will automatically detect when the current process is running in a namespace where a BPF token is provided, and will automatically try to obtain and use it for interacting with the BPF syscall. Unlike libbpf, this currently requires no extra configuration on behalf of the application.
See #1953 for more details.
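To audit where delegation has been set up, a defender can list the bpffs mounts that carry the kernel's `delegate_cmds`, `delegate_maps`, `delegate_progs` and `delegate_attachs` mount options, since BPF tokens are derived from such mounts. The following is an added example, not ebpf-go code and not a description of how the library detects a token; `FindDelegations` and the sample mountinfo text are constructed for illustration.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Delegation is one bpffs mount plus the delegate_* super options set on it.
type Delegation struct {
	MountPoint string
	Opts       map[string]string // e.g. "delegate_cmds" -> "any"
}

// Constructed sample in /proc/self/mountinfo format; not captured from a real host.
const sampleMountinfo = `22 28 0:21 / /sys rw,nosuid,nodev,noexec,relatime shared:7 - sysfs sysfs rw
31 22 0:27 / /sys/fs/bpf rw,nosuid,nodev,noexec,relatime shared:9 - bpf bpf rw,mode=700
412 380 0:63 / /run/app/bpf rw,relatime - bpf bpf rw,delegate_cmds=any,delegate_maps=0x6,delegate_progs=any,delegate_attachs=any
`

// FindDelegations returns every bpffs mount that carries at least one
// delegate_* option, i.e. a mount from which a BPF token can be derived.
func FindDelegations(mountinfo string) []Delegation {
	var out []Delegation
	sc := bufio.NewScanner(strings.NewReader(mountinfo))
	for sc.Scan() {
		// Optional fields end at " - "; fstype, source and super options follow.
		pre, post, _ := strings.Cut(sc.Text(), " - ")
		left, right := strings.Fields(pre), strings.Fields(post)
		if len(left) < 5 || len(right) < 3 || right[0] != "bpf" {
			continue // malformed line or not a bpffs mount
		}
		opts := map[string]string{}
		for _, o := range strings.Split(right[2], ",") {
			if k, v, ok := strings.Cut(o, "="); ok && strings.HasPrefix(k, "delegate_") {
				opts[k] = v
			}
		}
		if len(opts) > 0 {
			out = append(out, Delegation{MountPoint: left[4], Opts: opts})
		}
	}
	return out
}

func main() {
	for _, d := range FindDelegations(sampleMountinfo) {
		fmt.Printf("%s %v\n", d.MountPoint, d.Opts)
	}
}
```

A value of `any` delegates every command, map type, program type or attach type in that category, so mounts reporting it deserve the closest review.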
BTF cache changes
Package btf used to cache kernel (vmlinux) BTF specs globally. This is a significant time gain when loading multiple Collections in a row. However, doing so comes at a fairly significant memory cost (~20 MiB), so users could flush this cache with btf.FlushKernelSpec. Unfortunately, the caching behaviour being opt-out means users would typically discover it while investigating memory usage, and would then have to find an appropriate time during execution to call the flush function. This was always a band-aid for something we didn't have a clear solution to.
With this update, we've removed the global cache and the btf.FlushKernelSpec function, which may slow down subsequent collection loading on busy systems. To opt back in, users can now maintain their own cache object, obtained from btf.NewCache, and pass it to NewCollectionWithOptions via CollectionOptions.Cache. Typically, you would put this in a global variable in a bpf-related package in your application, or keep it around in function scope if you load multiple collections in a row.
See #1988 for more details. Thank you @matthyx for these changes.
New features
- btf: print member names of btf.Unions and Structs by @ti-mo in #1967
- bpf2go: Generate constant names for maps, programs, and variables by @mattijons in #1860
- Allow link.OpenExecutable for files without executable bit set by @ti-mo in #1982
- asm: add support for the may_goto insn and JCOND opcode by @mtardy in #1898
Bug fixes and improvements
- bpf2go: Improve error message when a C type cannot be resolved by @awandke in #1965
- btf: reject nil values or interfaces from being added to Builder by @ti-mo in #1966
- Use os.Getpagesize in tests instead of hardcoded 4k by @shaunduncan in #1970
- map: avoid misleading error message for storage maps by @venk8 in #1978
- struct_ops: Refactor struct_ops member population helpers by @shun159 in #1986
- prog: restore btf.ErrNotFound behaviour of findTargetInKernel by @ti-mo in #1991
- asm: fix wrong bpf call offset display for jited programs by @wucm667 in #1996
- internal/kconfig: reject bool arrays for string values by @immanuwell in #2006
- bpf2go: improve duplicate type name error message by @wucm667 in #1993
- doc: clarify Address vs Offset on Uprobe/Uretprobe by @Strykar in #2008
- fix(link): add missing BPF_F_REPLACE flag for RawAttachProgram by @wucm667 in #1995
- tracefs: discover mount via /proc/self/mountinfo by @yoav-orca in #2004
- prog.go: cache BTF for CAP_SYS_ADMIN-less freplace by @mejedi in #2011
- BTF: fixed panics during parsing of malformed input by @dylandreimerink in #2021
- internal/testutils: Fix capability restoration in WithCapabilities by @dylandreimerink in #2023
- ebpf: defer batch API probe for batch lookup by @arunsingh in #2018
- fix: prevent uint32 overflow in struct_ops bounds check by @DARSHANR007 in #2025
- Improve resilience of ELF parser to malformed input by @dylandreimerink in #2026
- memory: use unsafe.Add to align unsafe memory instead of uintptr conversion by @ti-mo in #2035
- fix: reject variable offsets that overflow uint32 bounds by @SAY-5 in #2031
Miscellaneous changes
- build(deps): bump requests from 2.32.5 to 2.33.0 in /docs by @dependabot[bot] in #1971
- docs: disable parallel processing in git date plugin by @ti-mo in #1976
- build(deps): bump pygments from 2.19.2 to 2.20.0 in /docs by @dependabot[bot] in #1975
- build(deps): bump the docs group in /docs with 2 updates by @dependabot[bot] in #1977
- ci: cache qemu-system-x86 dependency by @ti-mo in #1983
- ci: pin awalsh128/cache-apt-pkgs-action to v1.6.0 by @ti-mo in #1984
- testutils: rework and improve RunWithToken by @ti-mo in #1989
- build(deps): bump gitpython from 3.1.46 to 3.1.47 in /docs by @dependabot[bot] in #1992
- Go 1.25, run go fix in CI, fix nil derefs in reflect usage by @ti-mo in #1998
- build(deps): bump actions/github-script from 8 to 9 by @dependabot[bot] in #1997
- Go: bump golang.org/x/ dependencies by @florianl in #2001
- build(deps): bump gitpython from 3.1.47 to 3.1.49 in /docs by @dependabot[bot] in #2002
- build(deps): bump gitpython from 3.1.49 to 3.1.50 in /docs by @dependabot[bot] in #2005
- Makefile: use go tool for linting by @florianl in #1999
- ci: split workflows into build+lint and generate+fix by @ti-mo in #2009
- build(deps): bump urllib3 from 2.6.3 to 2.7.0 in /docs by @dependabot[bot] in #2007
- build(deps): bump pymdown-extensions from 10.21.2 to 10.21.3 in /docs by @dependabot[bot] in #2015
- build(deps): bump idna from 3.11 to 3.15 in /docs by @dependabot[bot] in #2014
- CODEOWNERS: allow reviewers to merge docs/, add rgo3 to link/ by @ti-mo in #2036
New Contributors
- @awandke made their first contribution in #1965
- @shaunduncan made their first contribution in #1970
- @mattijons made their first contribution in #1860
- @venk8 made their first contribution in #1978
- @wucm667 made their first contribution in #1996
- @immanuwell made their first contribution in #2006
- @Strykar made their first contribution in #2008
- @yoav-orca made their first contribution in #2004
- @matthyx made their first contribution in #1988
- @arunsingh made their first contribution in #2018
- @DARSHANR007 made their first contribution in #2025
- @SAY-5 made their first contribution in #2031
Full Changelog: v0.21.0...v0.22.0