BPF notes
A collection of interesting links regarding (e)BPF.
BPF (Berkeley Packet Filter) is an instruction set for small programs that run inside the kernel. It is classically used for packet filtering (described here), and more recently for seccomp and kernel tracing on Linux. Kernel tracing uses eBPF, which also lets a program dereference pointers and read user space memory. seccomp is still stuck with classic BPF, and its filters only see the syscall number, the architecture, the instruction pointer and the raw argument values. (Reading user space from a seccomp filter would be tricky anyway: another thread can change the memory a syscall argument points to between the filter's check and the kernel's use of it, a classic time-of-check/time-of-use race.)
Using BPF is currently rather painful, since the programs are tricky to put together by hand.
eBPF tooling
For eBPF there is an LLVM backend, usable with clang --target=bpf (LLVM 3.7+), and the BCC (BPF Compiler Collection) project building on top of it, which provides convenient bindings.
Seccomp
seccomp is enabled through the prctl (PR_SET_SECCOMP) or seccomp syscalls, which are called with a pointer to a compiled classic BPF (not eBPF!) program: a struct sock_fprog pointing at an array of struct sock_filter instructions.
Kernel documentation: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
To help with constructing the BPF code there is just the libseccomp library. It is very nice to use, but it is also a rather bloaty runtime dependency.
Projects using seccomp right now:
- Chromium, described here
- OpenSSH, which uses some C macros to construct the code
- and a few others
Even though the seccomp man page already suggests using libseccomp, these projects do not use it.
It would be nice if seccomp support could just be dropped into existing C projects in the form of a precompiled BPF blob rather than introducing additional runtime dependencies.
Update: There is a feature request for that and a related discussion on the mailing list.
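As an added example (not code from these notes or from any of the projects mentioned above), here is the whole procedure in one C program: build a classic BPF filter by hand from the BPF_STMT/BPF_JUMP macros in linux/filter.h, check the architecture field first so a 32-bit syscall number is never matched against the 64-bit table, evaluate the program in user space, and install it through seccomp(2) with a prctl fallback. The allow list, the ERRNO default, the FILTER_ARCH selection (only x86_64 and aarch64 are wired up) and the user-space run_filter() interpreter are choices made for this demonstration, not anything the page prescribes.

```c
/* Added example, not code from these notes: a seccomp filter written by
 * hand as classic BPF and installed through seccomp(2) with no libseccomp
 * dependency. run_filter() is a user-space interpreter for the three
 * instruction forms the filter uses, so a filter can be checked before it
 * is loaded. Linux only; needs the kernel UAPI headers. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#ifndef SECCOMP_RET_KILL_PROCESS /* only in Linux 4.14+ headers */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif

/* Syscall numbers differ per ABI, so the filter checks seccomp_data.arch
 * before trusting seccomp_data.nr (the 32/64-bit problem the macros in
 * samples/seccomp deal with). Only two ABIs are wired up in this demo. */
#if defined(__x86_64__)
#define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define STMT(code, val) ((struct sock_filter)BPF_STMT(code, val))
#define JEQ(val, jt, jf) \
    ((struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, val, jt, jf))

/* Emit: arch check, one JEQ per allowed syscall, default action, ALLOW.
 * Returns the instruction count, or -1 if out[] is too small or the list
 * does not fit an 8-bit jump offset. */
int build_filter(struct sock_filter *out, size_t cap, const int *allowed,
                 size_t n_allowed, uint32_t default_action)
{
    if (cap < n_allowed + 6 || n_allowed > 255) return -1;
    size_t i = 0;
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = JEQ(FILTER_ARCH, 1, 0);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n_allowed; k++) /* jt lands on the final ALLOW */
        out[i++] = JEQ((uint32_t)allowed[k], (uint8_t)(n_allowed - k), 0);
    out[i++] = STMT(BPF_RET | BPF_K, default_action);
    out[i++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Evaluate the filter on one seccomp_data record the way the kernel does
 * at syscall entry. Unknown opcodes, out-of-range loads and running off
 * the end count as KILL; the kernel refuses to load such programs. */
uint32_t run_filter(const struct sock_filter *prog, int len,
                    const struct seccomp_data *d)
{
    uint32_t acc = 0;
    for (int pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *d) return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const uint8_t *)d + in->k, 4);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Load via seccomp(2) (Linux 3.17+), falling back to the prctl path.
 * PR_SET_NO_NEW_PRIVS is required unless the caller has CAP_SYS_ADMIN. */
int install_filter(struct sock_filter *prog, int len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    if (syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &fprog) == 0) return 0;
    if (errno != ENOSYS) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

int main(void)
{
    /* Constructed allow list: enough for write(2) and a clean exit. The
     * default is ERRNO rather than KILL so the effect stays visible. */
    const int allowed[] = { SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
    struct sock_filter prog[32];
    int len = build_filter(prog, 32, allowed, sizeof allowed / sizeof *allowed,
                           SECCOMP_RET_ERRNO | EPERM);
    if (len < 0) return 1;
    setvbuf(stdout, NULL, _IONBF, 0); /* avoid malloc/fstat once filtered */
    if (install_filter(prog, len) != 0) { perror("install_filter"); return 1; }
    int fd = socket(AF_INET, SOCK_STREAM, 0); /* not on the list */
    printf("socket() = %d, errno %d (EPERM is %d)\n", fd, errno, EPERM);
    return 0;
}
```

The array that build_filter() fills is exactly the "precompiled BPF blob" the paragraph above asks for: it can be dumped as a static initializer and shipped in a C project without any runtime dependency, and run_filter() lets a build step confirm the blob's decisions before it ever reaches the kernel. Note that SECCOMP_RET_ERRNO is used here only so the demo can print a result; a production filter would normally default to a KILL action.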
More related links
- Good sample BPF code in the kernel's samples/seccomp directory (includes macros that deal with the difference between 32- and 64-bit architectures)
- Kees Cook's tutorial
- https://outflux.net/blog/archives/2015/11/11/evolution-of-seccomp/
- https://eigenstate.org/notes/seccomp
- https://blog.fefe.de/?ts=aafb7696