[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20201201024106.k2jd5nysmokbymn5@ast-mbp>
Date: Mon, 30 Nov 2020 18:41:06 -0800
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Florent Revest <revest@...omium.org>
Cc: bpf@...r.kernel.org, ast@...nel.org, daniel@...earbox.net,
andrii@...nel.org, kpsingh@...omium.org, revest@...gle.com,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf-next 1/2] bpf: Add a bpf_kallsyms_lookup helper
On Mon, Nov 30, 2020 at 05:23:22PM +0100, Florent Revest wrote:
> On Sat, 2020-11-28 at 17:07 -0800, Alexei Starovoitov wrote:
> > On Thu, Nov 26, 2020 at 05:57:47PM +0100, Florent Revest wrote:
> > > This helper exposes the kallsyms_lookup function to eBPF tracing
> > > programs. This can be used to retrieve the name of the symbol at an
> > > address. For example, when hooking into nf_register_net_hook, one
> > > can
> > > audit the name of the registered netfilter hook and potentially
> > > also
> > > the name of the module in which the symbol is located.
> > >
> > > Signed-off-by: Florent Revest <revest@...gle.com>
> > > ---
> > > include/uapi/linux/bpf.h | 16 +++++++++++++
> > > kernel/trace/bpf_trace.c | 41
> > > ++++++++++++++++++++++++++++++++++
> > > tools/include/uapi/linux/bpf.h | 16 +++++++++++++
> > > 3 files changed, 73 insertions(+)
> > >
> > > diff --git a/include/uapi/linux/bpf.h b/include/uapi/linux/bpf.h
> > > index c3458ec1f30a..670998635eac 100644
> > > --- a/include/uapi/linux/bpf.h
> > > +++ b/include/uapi/linux/bpf.h
> > > @@ -3817,6 +3817,21 @@ union bpf_attr {
> > > * The **hash_algo** is returned on success,
> > > * **-EOPNOTSUP** if IMA is disabled or **-EINVAL** if
> > > * invalid arguments are passed.
> > > + *
> > > + * long bpf_kallsyms_lookup(u64 address, char *symbol, u32
> > > symbol_size, char *module, u32 module_size)
> > > + * Description
> > > + * Uses kallsyms to write the name of the symbol at
> > > *address*
> > > + * into *symbol* of size *symbol_sz*. This is guaranteed
> > > to be
> > > + * zero terminated.
> > > + * If the symbol is in a module, up to *module_size* bytes
> > > of
> > > + * the module name is written in *module*. This is also
> > > + * guaranteed to be zero-terminated. Note: a module name
> > > + * is always shorter than 64 bytes.
> > > + * Return
> > > + * On success, the strictly positive length of the full
> > > symbol
> > > + * name, If this is greater than *symbol_size*, the
> > > written
> > > + * symbol is truncated.
> > > + * On error, a negative value.
> >
> > Looks like debug-only helper.
> > I cannot think of a way to use in production code.
> > What program suppose to do with that string?
> > Do string compare? BPF side doesn't have a good way to do string
> > manipulations.
> > If you really need to print a symbolic name for a given address
> > I'd rather extend bpf_trace_printk() to support %pS
>
> We actually use this helper for auditing, not debugging.
> We don't want to parse /proc/kallsyms from userspace because we have no
> guarantee that the module will still be loaded by the time the event
> reaches userspace (this is also faster in kernelspace).
so what are you going to do with that string?
print it? send to user space via ring buffer?
Where are you getting that $pc ?
Powered by blists - more mailing lists