A collection of interesting links regarding (e)BPF.
BPF (Berkeley Packet Filter) is an instruction set that is classically used for packet filtering (described here), and more recently for seccomp and kernel tracing on Linux. Kernel tracing uses eBPF, which also lets you dereference pointers and access user space memory; seccomp is still stuck with regular BPF. (Accessing user space is tricky for that use case, because you can run into race conditions.)
Using BPF is currently rather difficult, since BPF programs are tricky to put together by hand.
For eBPF, there is an LLVM target that can be used with clang --target=bpf (LLVM 3.7+), and the BCC (BPF Compiler Collection) project building on top of that, which provides convenient bindings
seccomp is enabled through the seccomp syscalls, which are called with pointers to compiled BPF (not eBPF!) programs.
Kernel documentation: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
To help with constructing the BPF code, there is only the libseccomp library. The library is very nice to use, but then again, it is also a rather bloated runtime dependency.
Projects using seccomp right now:
Even though the seccomp man page already suggests using libseccomp, these projects are not using it.
It would be nice if seccomp support could just be dropped into existing C projects in the form of a precompiled BPF blob rather than introducing additional runtime dependencies.
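A minimal version of that idea, as an added example rather than code from this page: a seccomp filter hand-assembled as classic BPF with the kernel's own BPF_STMT/BPF_JUMP macros, no libseccomp involved, plus a small evaluator so the filter's decisions can be checked offline before it is installed. It assumes x86_64 syscall numbers; the leading architecture check is what keeps that assumption safe on any other arch.

```c
/* Hand-assembled classic BPF seccomp filter (no libseccomp) plus a tiny offline
 * evaluator. Added example, not the page's code. Assumes x86_64 syscall numbers. */
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

static struct sock_filter filter[] = {
    /* Kill unless the arch matches the one these syscall numbers belong to. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Allowlist read, write and exit_group; kill anything else. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* What the kernel would return for syscall `nr` issued on `arch`: interprets
 * the three cBPF opcodes used above and fails closed on anything else. */
unsigned int decide(unsigned int arch, int nr)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    unsigned int acc = 0;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter[pc];
        if (in->code == (BPF_LD | BPF_W | BPF_ABS))       /* acc = word at offset k */
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
        else if (in->code == (BPF_JMP | BPF_JEQ | BPF_K)) /* skip jt or jf insns */
            pc += (acc == in->k) ? in->jt : in->jf;
        else if (in->code == (BPF_RET | BPF_K))
            return in->k;
        else
            return SECCOMP_RET_KILL;
    }
    return SECCOMP_RET_KILL;
}

/* Install for the calling process. Without CAP_SYS_ADMIN the kernel requires
 * no_new_privs first, so a setuid binary cannot be run under a weaker filter. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
```

After install_filter() succeeds, only read(2), write(2) and exit_group(2) remain callable; a process that needs stdio should call write() and _exit() directly rather than printf() and exit(), since glibc may issue other syscalls behind those.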
More related links
- Good sample BPF code in Linux's samples/seccomp directory (includes macros to deal with the difference between 32 and 64 bit architectures)
- Kees Cook's tutorial