| title | description |
|---|---|
Syscall command 'BPF_OBJ_GET_INFO_BY_FD' |
This page documents the 'BPF_OBJ_GET_INFO_BY_FD' eBPF syscall command, including its defintion, usage, program types that can use it, and examples. |
This syscall command is used to get information about BPF objects.
This command will return 0 on success or a error number (negative integer) if something went wrong.
This syscall command returns information about the BPF object indicated by bpf_fd. The structure of the returned information is dependant on the object type. More on this in the info structures section.
This syscall is typically used by inspection tools to get information about loaded objects that you would normally "know" if you were the author or loader of a given object.
This command can also be used in a monitoring or benchmarking scenario in combination with the BPF_ENABLE_STATS syscall command.
??? abstract "C structure"
c struct { __u32 bpf_fd; __u32 info_len; __aligned_u64 info; };
This field indicates the file descriptor of the BPF object for which we want to request the information.
This field indicates the size of the buffer which info points to and will be changed by the syscall command to the actual amount of data written to the info buffer.
This field indicates a memory region to which the kernel will write the requested information, the structure of which is dependant on the object type to which bpf_fd refers (see info structures). This field should be a pointer.
??? abstract "C structure"
c struct bpf_prog_info { __u32 type; __u32 id; __u8 tag[BPF_TAG_SIZE]; __u32 jited_prog_len; __u32 xlated_prog_len; __aligned_u64 jited_prog_insns; __aligned_u64 xlated_prog_insns; __u64 load_time; /* ns since boottime */ __u32 created_by_uid; __u32 nr_map_ids; __aligned_u64 map_ids; char name[BPF_OBJ_NAME_LEN]; __u32 ifindex; __u32 gpl_compatible:1; __u32 :31; /* alignment pad */ __u64 netns_dev; __u64 netns_ino; __u32 nr_jited_ksyms; __u32 nr_jited_func_lens; __aligned_u64 jited_ksyms; __aligned_u64 jited_func_lens; __u32 btf_id; __u32 func_info_rec_size; __aligned_u64 func_info; __u32 nr_func_info; __u32 nr_line_info; __aligned_u64 line_info; __aligned_u64 jited_line_info; __u32 nr_jited_line_info; __u32 line_info_rec_size; __u32 jited_line_info_rec_size; __u32 nr_prog_tags; __aligned_u64 prog_tags; __u64 run_time_ns; __u64 run_cnt; __u64 recursion_misses; __u32 verified_insns; __u32 attach_btf_obj_id; __u32 attach_btf_id; } __attribute__((aligned(8)));
This field indicates the type of the program, values is one of program types.
This field indicates the unique ID of the program, as seen in BPF_PROG_GET_NEXT_ID
This field indicates the tag of the program. A tag is a hash of the program instructions. Its main purpose is to check compare programs, like a sort of checksum. It is explicitly not meant as a security feature, hence the small size of 8 bytes. Commit#f1f7714e
This field indicates the length of the buffer provided by jited_prog_insns when calling the command and will be set to the actual number of bytes available after calling the command.
This field indicates the length of the buffer provided by xlated_prog_len when calling the command and will be set to the actual number of bytes available after calling the command.
This field indicates a memory area where the kernel can write the jitted program instructions to. This field should be a pointer to a memory buffer.
The jitted instructions are machine code in the host architecture, the actual code that runs on the CPU.
This field indicates a memory area where the kernel can write the xlated/translated program instructions to. This field should be a pointer to a memory buffer.
The translated program instructions are still use the eBPF instruction set, but have been modified by the verifier.
- Some helper calls are inlined
- IMM64 instructions with file descriptors are changed to actual pointers
- Accesses into ctx are rewritten
- Some helper calls like map access are now specialized
This list is not exhaustive.
This field indicates when the program was loaded in nanoseconds since boot time.
This field indicates the User ID of the process who loaded the program.
This field indicates the number of map IDs that were written to map_ids.
This field indicates the list of maps that are used by this program directly. Its value should be a pointer to an array of 32-bit map IDs.
This field indicates the name of the program which was set via the prog_name attribute while loading.
This field indicates the network interface index of the device on which this program is offloaded. Or 0 if the program is not offloaded.
This field indicates if the program was loaded with a GPL compatible license.
This field indicates the device number of the device on which this program is offloaded. Or 0 if the program is not offloaded.
This field indicates the inode number of the device on which this program is offloaded. Or 0 if the program is not offloaded.
This field indicates the number of kernel symbols available via jited_ksyms
This field indicates the number of entries available via jited_func_lens
This field indicates a list of 64-bit memory addresses. The value of this field should be a pointer to an array of 64-bit numbers.
These memory addresses can be translated to kernel symbols using the /prog/kallsyms mapping.
This field indicates a list of function lengths. This value should be a pointer to an array of 32-bit numbers.
These function lengths can be used in combination with jited_ksyms and jited_prog_insns to separate the single blob of instructions back into separate BPF-to-BPF functions.
This field indicates the id of the BTF object which is associated with this program.
This field indicates the size of the records available via func_info
This field indicates a list of function info records. This should be a pointer to an array of function info blobs the size of func_info_rec_size with nr_func_info elements.
These are the func info records supplied during program loading via func_info. And are aligned to the xlated_prog_insns.
This field indicates the amount of function info records are available via func_info.
This field indicates the amount of function info records are available via line_info.
This field indicates a list of function info records. This should be a pointer to an array of function info blobs the size of line_info_rec_size with nr_line_info elements.
These are the line info records supplied during program loading via line_info. And are aligned to the xlated_prog_insns.
This field indicates a list of function info records. This should be a pointer to an array of function info blobs the size of jited_line_info_rec_size with nr_jited_line_info elements.
These are the line info records supplied during program loading via line_info. And are aligned to the jitted_prog_insns.
This field indicates the number of line info records available via jited_line_info
This field indicates the size of the line info records available via line_info
This field indicates the size of the line info records available via jited_line_info
This field indicates the number of sub-program tags in prog_tags
This field indicates a list of tags for the sub-programs. This value should be a pointer to an array of 8-byte tags.
These are tags for the sub-programs/bpf-to-bpf functions. Their value is derived the same way as the tag field.
This field indicates the total amount of nanoseconds this program has been running accumulatively. This field is only updated by the kernel if when enabled via the BPF_ENABLE_STATS syscall command.
This field indicates the total amount of times this program has been called/executed accumulatively. This field is only updated by the kernel if when enabled via the BPF_ENABLE_STATS syscall command.
This field indicates how often the "recursion prevention" mechanism has kicked in.
This mechanism was introduced in this commit. Its purposes seems to be to prevent the case where an fentry/fexit tracing program starts code paths it uses itself which cause cause issue.
This field indicates the amount of verified instructions. This is the same number as would be logged by the verifier when initially loading the program.
This field indicates the id of the BTF object which contains the type indicated by attach_btf_id to which this program is attached.
This field indicates the type id of the BTF func type to which this program is attached. Currently used for BPF_LSM_CGROUP programs.
??? abstract "C structure"
c struct bpf_map_info { __u32 type; __u32 id; __u32 key_size; __u32 value_size; __u32 max_entries; __u32 map_flags; char name[BPF_OBJ_NAME_LEN]; __u32 ifindex; __u32 btf_vmlinux_value_type_id; __u64 netns_dev; __u64 netns_ino; __u32 btf_id; __u32 btf_key_type_id; __u32 btf_value_type_id; __u32 :32; /* alignment pad */ __u64 map_extra; } __attribute__((aligned(8)));
This field indicates the map type which should be one of map types
This field indicates the unique ID of the program, as seen in BPF_MAP_GET_NEXT_ID
This field indicates the size of the map key in bytes.
This field indicates the size of the map value in bytes
This field indicates the maximum amount of elements that the map can hold.
This field indicates the flags with which the map has been loaded, see flags for possible values.
This field indicates the name of the map given to it when it was created.
This field indicates the network interface index of the network interface onto which the map has been offloaded.
This field indicates the type id of the struct which the values of the map are replacing the function pointers. This field is specifically used for map of type BPF_MAP_TYPE_STRUCT_OPS
This field indicates the device number of the network device onto which the maps has been offloaded.
This field indicates the inode number of the network device onto which the maps has been offloaded.
This field indicates the ID of the BTF object which contain the types for btf_key_type_id and btf_value_type_id.
This field indicates the BTF type id representing the keys of this map.
This field indicates the BTF type id representing the values of this map.
This field indicates any extra settings a map might have. Currently this is only used for BPF_MAP_TYPE_BLOOM_FILTER maps.
??? abstract "C structure"
c struct bpf_btf_info { __aligned_u64 btf; __u32 btf_size; __u32 id; __aligned_u64 name; __u32 name_len; __u32 kernel_btf; } __attribute__((aligned(8)));
This field indicates the serialized BTF information. This value should be a pointer to a memory buffer where the kernel will write the BTF to.
This field indicates the size of btf in bytes.
This field indicates the unique ID of the BTF object.
This field indicates the name of the BTF object. Which in the case of the kernels builtin BTF will be "vmlinux" and may be different for the BTF objects of kernel modules.
This field indicates the length of the name field.
This field indicates if the BTF is the kernels own BTF (vmlinux, 1) or a user loaded BTF blob (0).
??? abstract "C structure" ```c struct bpf_link_info { __u32 type; __u32 id; __u32 prog_id; union { struct { __aligned_u64 tp_name; /* in/out: tp_name buffer ptr / __u32 tp_name_len; / in/out: tp_name buffer len / } raw_tracepoint; struct { __u32 attach_type; __u32 target_obj_id; / prog_id for PROG_EXT, otherwise btf object id / __u32 target_btf_id; / BTF type id inside the object / } tracing; struct { __u64 cgroup_id; __u32 attach_type; } cgroup; struct { __aligned_u64 target_name; / in/out: target_name buffer ptr / __u32 target_name_len; / in/out: target_name buffer len */
/* If the iter specific field is 32 bits, it can be put
* in the first or second union. Otherwise it should be
* put in the second union.
*/
union {
struct {
__u32 map_id;
} map;
};
union {
struct {
__u64 cgroup_id;
__u32 order;
} cgroup;
struct {
__u32 tid;
__u32 pid;
} task;
};
} iter;
struct {
__u32 netns_ino;
__u32 attach_type;
} netns;
struct {
__u32 ifindex;
} xdp;
};
} __attribute__((aligned(8)));
```
This field indicates the link type, which is one of:
BPF_LINK_TYPE_RAW_TRACEPOINT=1BPF_LINK_TYPE_TRACING=2BPF_LINK_TYPE_CGROUP=3BPF_LINK_TYPE_ITER=4BPF_LINK_TYPE_NETNS=5BPF_LINK_TYPE_XDP=6BPF_LINK_TYPE_PERF_EVENT=7BPF_LINK_TYPE_KPROBE_MULTI=8
This field indicates the unique ID of the link object.
This field indicates the ID of the program which is linked.
These fields apply for the BPF_LINK_TYPE_RAW_TRACEPOINT link type.
This field indicates the name of the tracepoint to which this link is attached.
This field indicates the length of tp_name
These fields apply for the BPF_LINK_TYPE_TRACING link type.
This field indicates the attach type of the link.
This field indicates the id of the program we are attached to for BPF_PROG_TYPE_EXT program types or the BTF object ID of other tracing programs.
This field indicates the BTF type id of the type to which we are attached. The type id is within the BTF objected indicated by target_obj_id.
These fields apply for the BPF_LINK_TYPE_CGROUP link type.
This field indicates the ID of the cGroup we are attached to.
This field indicates the attach type of the link.
These fields apply for the BPF_LINK_TYPE_ITER link type.
This field indicates the cgroup ID.
This field indicates the thread ID.
This field indicates the process ID.
These fields apply for the BPF_LINK_TYPE_RAW_NETNS link type.
This field indicates the attach type of the link.
These fields apply for the BPF_LINK_TYPE_XDP link type.
This field indicates the network interface index to which the XDP program is attached.