Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Custom CO-RE BPF probe #1320

Open
erthalion opened this issue Sep 11, 2023 · 0 comments
Open

Custom CO-RE BPF probe #1320

erthalion opened this issue Sep 11, 2023 · 0 comments

Comments

@erthalion
Copy link
Contributor

erthalion commented Sep 11, 2023
edited
Loading

Implement custom version of CO-RE BPF probe, following the same approach as for
the custom EBPF one. The proposed solution:

  • Restructure current kernel-modules/probe to contain two subdirectories,
    ebpf and core_bpf for custom ebpf and core_bpf probes correspondingly.

  • Construct a cmake configuration, similar to that in Falco, to build
    separate probes with modern_bpf dependencies.

  • For each captured syscall introduce one probe with two BPF progs
    tp_btf/sys_{enter|exit}_syscall, similar to attached progs from Falco.

  • Teach the cmake configuration to assemble the final probe by picking up the
    custom bits and the actual tail-called BPF program from the Falco build.

  • Verify it's limitations for other architectures.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@erthalion