BPF notes

A collection of interesting links regarding (e)BPF.

BPF (Berkeley Packet Filter) is an instruction set that is classically used for packet filtering (described here), and more recently for seccomp and kernel tracing on Linux. Kernel tracing uses eBPF, which additionally lets programs dereference pointers and read user space memory. seccomp is still stuck with classic BPF. (Reading user space memory is problematic for that use case, because it opens up race conditions.)

Usage of BPF is currently rather difficult, since BPF programs are tricky to put together by hand.

eBPF tooling

For eBPF, there is an LLVM target that can be used with clang --target=bpf (LLVM 3.7+), and the BCC (BPF Compiler Collection) project builds on top of that and provides convenient bindings for it.

Seccomp

seccomp is enabled through the prctl or seccomp syscalls, which are called with pointers to compiled BPF (not eBPF!) programs.

Kernel documentation: https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt

To help with constructing the BPF code, there is only the libseccomp library. The library is very nice to use, but it is also a rather bloaty runtime dependency.

Projects using seccomp right now:

Even though the seccomp man page already suggests using libseccomp, these projects do not use it.

It would be nice if seccomp support could just be dropped into existing C projects in the form of a precompiled BPF blob rather than introducing additional runtime dependencies.
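What such a drop-in looks like in practice, as an added example that is not from the original notes or any of the projects mentioned: a hand-assembled classic BPF filter (a static array of sock_filter instructions, i.e. the "precompiled blob") installed through prctl without libseccomp. The architecture check at the top and the allowlist of syscalls are choices made here for illustration, and the code assumes x86-64 Linux. Because a seccomp filter cannot be uninstalled once loaded, the block also carries a tiny user space interpreter for the three instruction kinds the filter uses, so the blob can be dry-run against a constructed seccomp_data before it is installed.

```c
/* Hand-assembled classic BPF seccomp filter, installed without libseccomp.
 * Added example for these notes; assumes x86-64 Linux. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#define ARCH_NR AUDIT_ARCH_X86_64          /* assumption: x86-64 only */
#define RET_ACTION_MASK 0xffff0000U         /* action bits of a seccomp return value */

/* JEQ nr: if the loaded syscall number matches, fall through to RET ALLOW,
 * otherwise skip over the RET and test the next number. */
#define SC_ALLOW(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

static struct sock_filter filter[] = {
    /* Load the architecture and kill on anything else, so i386 syscall
     * numbers cannot be confused with x86-64 ones on a multi-ABI kernel. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Load the syscall number and compare it against the allowlist. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    SC_ALLOW(SYS_read),  SC_ALLOW(SYS_write), SC_ALLOW(SYS_exit),
    SC_ALLOW(SYS_exit_group), SC_ALLOW(SYS_brk), SC_ALLOW(SYS_rt_sigreturn),
    /* Everything else fails with EPERM instead of killing the process, so
     * a missing syscall shows up as an error rather than a silent death. */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
};

size_t filter_length(void) { return sizeof filter / sizeof filter[0]; }

/* Minimal interpreter for the three instruction kinds used above (LD|W|ABS,
 * JMP|JEQ|K, RET|K); enough to dry-run this filter, not a full BPF machine.
 * Jump targets follow the kernel: next pc = pc + 1 + (jt or jf). */
static unsigned int bpf_dry_run(const struct sock_filter *prog, size_t len,
                                const struct seccomp_data *d)
{
    unsigned int acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS: {
            unsigned int v;
            if (ins->k > sizeof *d - sizeof v)   /* out-of-bounds load: reject */
                return SECCOMP_RET_KILL;
            memcpy(&v, (const unsigned char *)d + ins->k, sizeof v);
            acc = v;
            break;
        }
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == ins->k) ? ins->jt : ins->jf;
            break;
        case BPF_RET | BPF_K:
            return ins->k;
        default:                                  /* unsupported opcode */
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* fell off the end; the kernel refuses such programs at load */
}

/* What the filter would return for syscall nr on the given architecture. */
unsigned int seccomp_decision(unsigned int nr, unsigned int arch)
{
    struct seccomp_data d = { .nr = (int)nr, .arch = arch };
    return bpf_dry_run(filter, filter_length(), &d);
}

/* Install the blob. PR_SET_NO_NEW_PRIVS is required for unprivileged
 * processes and also prevents the filtered process from regaining
 * privileges through setuid binaries. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)filter_length(), .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0))
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static const char ok[] = "filter installed; write() is allowed\n";
    static const char denied[] = "getpid() denied with EPERM as expected\n";
    if (install_filter())
        return 1;
    write(1, ok, sizeof ok - 1);            /* raw write(2): allowed */
    if (getpid() == -1 && errno == EPERM)   /* not on the allowlist: EPERM */
        write(1, denied, sizeof denied - 1);
    return 0;                               /* exit_group: allowed */
}
```

The main() uses write(2) directly rather than printf, because stdio may issue an fstat on first use that the allowlist above does not cover; this is the usual way an allowlist is discovered to be too narrow, which is why the dry-run helper and the ERRNO default are useful while developing the blob.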

Update: There is a feature request for that and a related discussion on the mailing list.

More related links