SpriteDay/ebpf-assembly-program

About this project

I wanted to go deep into how eBPF works to the bones — both as a foundation for understanding userspace eBPF runtimes like rbpf, and eventually sBPF which Solana programs run on.

Doing things at the lowest level helps me internalize how things work on bare metal, and I made this little project.

Explanation of code

Let's look at the first line:

    .section socket,"",@progbits

What are these arguments:

  • socket - eBPF programs can be attached at different points in the kernel and are called like a function (eBPF docs). That's why we specify the program type via "socket". Program types: https://docs.ebpf.io/linux/program-type/. libbpf links the section name socket to BPF_PROG_TYPE_SOCKET_FILTER.
  • "" - The second argument, currently set to "", is the optional flags argument described here: https://sourceware.org/binutils/docs/as/Section.html. In regular Linux programs it tells the program loader how to set up memory (A - alloc, X - executable, W - writeable).
  • @progbits - The last argument is the section type, which marks whether the section holds initialized data (@progbits is for cases where the section contains actual program data). Reference: https://sourceware.org/binutils/docs/as/Section.html

    .type start,@function

We need to declare the type of the start label; without marking it as a function, libbpf will skip it: https://github.com/libbpf/libbpf/blob/master/src/libbpf.c#L920

    .global start

    start:
        r0 = 0
        exit

So we connect our eBPF program to the kernel's socket events, and we filter out every one of them by setting r0 to 0.

    .size start, .-start

We declare the size of the start function explicitly, because libbpf checks it here: https://github.com/libbpf/libbpf/blob/master/src/libbpf.c#L923
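
As an added example (not code from this repository), the Python sketch below decodes `r0 = 0` and `exit` at the byte level and evaluates r0 at exit, which for a socket filter is the number of packet bytes to keep, so 0 drops everything. It goes beyond the text by handling a small ALU64 subset and by imitating the verifier rule that r0 must be written before `exit`; the byte string and the names DROP_ALL, decode, run and bytes_kept are assumptions made for illustration.

```python
import struct

# Constructed sample: the 16 bytes a little-endian BPF assembler emits for
# `r0 = 0; exit`. Typed by hand, not read from the repository's build output.
DROP_ALL = bytes.fromhex("b700000000000000" "9500000000000000")

MASK64 = (1 << 64) - 1
MOV = 0xB0
ALU64 = {  # operation bits -> (assembly symbol, effect on dst)
    0x00: ("+=", lambda d, s: d + s), 0x10: ("-=", lambda d, s: d - s),
    0x40: ("|=", lambda d, s: d | s), 0x50: ("&=", lambda d, s: d & s),
    MOV: ("=", lambda d, s: s),
}

def decode(code):
    """Yield (text, dst, op, src_reg, imm) for a straight-line subset."""
    if len(code) % 8:
        raise ValueError("eBPF instructions are 8 bytes each")
    for pos in range(0, len(code), 8):
        # Layout: opcode u8 | dst:4 src:4 | offset s16 | immediate s32
        opcode, regs, _off, imm = struct.unpack_from("<BBhi", code, pos)
        dst, src = regs & 0x0F, regs >> 4
        cls, op, from_reg = opcode & 0x07, opcode & 0xF0, opcode & 0x08
        if cls == 0x05 and op == 0x90:        # BPF_JMP | BPF_EXIT
            yield "exit", None, None, None, None
        elif cls == 0x07 and op in ALU64:     # BPF_ALU64
            rhs = f"r{src}" if from_reg else str(imm)
            yield f"r{dst} {ALU64[op][0]} {rhs}", dst, op, src if from_reg else None, imm
        else:
            raise ValueError(f"unsupported opcode {opcode:#04x} at byte {pos}")

def run(code):
    """Return r0 at exit as a u32, the value a socket filter hands back."""
    regs = {1: 0, 10: 0}  # only r1 (context) and r10 (stack) start defined
    for text, dst, op, src, imm in decode(code):
        if text == "exit":
            if 0 not in regs:  # the kernel verifier rejects this case too
                raise ValueError("exit with r0 never written")
            return regs[0] & 0xFFFFFFFF
        reads = ([] if op == MOV else [dst]) + ([] if src is None else [src])
        if any(r not in regs for r in reads):
            raise ValueError(f"'{text}' reads an unwritten register")
        operand = imm if src is None else regs[src]
        regs[dst] = ALU64[op][1](regs.get(dst, 0), operand) & MASK64
    raise ValueError("program ends without exit")

def bytes_kept(code, pkt_len):
    """r0 is the number of packet bytes to keep; 0 drops the packet."""
    return min(run(code), pkt_len)
```

The values 0 stored for r1 and r10 are placeholders; a real run receives a context pointer and a stack pointer there.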

Prerequisites

Basically we need:

  • clang
  • llvm
  • bpftool

You can try this command, which installs everything in bulk:

    sudo apt install clang llvm libbpf-dev libelf-dev linux-tools-common linux-headers-generic

Build

I set up a basic Makefile for the build:

    make

Running

To load the program and pin it under the name myprog:

    sudo bpftool prog load build/main.o /sys/fs/bpf/myprog type socket

To see it in the list of programs:

    sudo bpftool prog list

To remove it:

    sudo rm /sys/fs/bpf/myprog

Nice to have (VS Code extension)

I made a custom spriteday.ebpf-assembly VS Code extension. It should be published on Open VSX at this point, but if it's unavailable you should be able to find an installable release at https://github.com/SpriteDay/vscode-ebpf-assembly

About

eBPF exploration, done as practice for better eBPF and sBPF understanding
