eBPF Kernel Side - Using eBPF to Go

Dockerfile

FROM golang:1.22.1

RUN apt update && \
        apt upgrade && apt install -y wget clang llvm libbpf-dev curl git make sudo build-essential && \
        ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm

ENTRYPOINT [ "tail", "-f", "/dev/null" ]

gen.go

package main

//go:generate go run github.com/cilium/ebpf/cmd/bpf2go test test.c

go.mod

module ebpf-test

go 1.21.0

toolchain go1.22.1

require github.com/cilium/ebpf v0.13.2

require (
	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
	golang.org/x/sys v0.15.0 // indirect
)

main.go

package main

import (
	"github.com/cilium/ebpf/link"
	"github.com/cilium/ebpf/rlimit"
	"log"
)

func main() {
	// Remove resource limits for kernels <5.11.
	if err := rlimit.RemoveMemlock(); err != nil {
		log.Fatal("Removing memlock:", err)
	}

	// Load the compiled eBPF ELF and load it into the kernel.
	var objs testObjects
	if err := loadTestObjects(&objs, nil); err != nil {
		log.Fatal("Loading eBPF objects:", err)
	}
	defer objs.Close()

	kp, err := link.Tracepoint("syscalls", "sys_enter_write", objs.HandleTp, nil)
	if err != nil {
		log.Fatalf("opening tracepoint: %s", err)
	}
	defer kp.Close()

	for {
	}
}

test.go

//go:build ignore

// This code is taken from eunomia eBPF tutorial
// https://eunomia.dev/tutorials/1-helloworld/#hello-world-minimal-ebpf-program

/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
#define BPF_NO_GLOBAL_DATA
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>

typedef unsigned int u32;
typedef int pid_t;
const pid_t pid_filter = 0;

char LICENSE[] SEC("license") = "Dual BSD/GPL";

SEC("tp/syscalls/sys_enter_write")
int handle_tp(void *ctx)
{
  pid_t pid = bpf_get_current_pid_tgid() >> 32;
  if (pid_filter && pid != pid_filter)
    return 0;
  bpf_printk("BPF triggered sys_enter_write from PID %d.\n", pid);
  return 0;
}

In this gist we will compile, build and run our eBPF kernel side script.

Golang Project

First we must initiate a go project:

go mod init ebpf-test
go mod tidy

Generating our Go files from Clang

Using go generate to compile the .c file into .o and .go files.

Running the eBPF script on the Kernel

By executing go generate && go build && sudo ./ebpf-test for a couple of seconds and then using ctrl+c we wrote some traces into /sys/kernel/debug/tracing/trace_pipe.

They can be viewed by sudo cat /sys/kernel/debug/tracing/trace_pipe | grep "BPF triggered sys_enter_write".

Enabling Tracing

If your Linux distribution (e.g. Ubuntu) does not have the tracing subsystem enabled by default, you may not see any output. Use the following command to enable this feature:

• sudo mount -t debugfs none /sys/kernel/debug
• sudo echo 1 > /sys/kernel/debug/tracing/tracing_on

Dockerfile

The Dockerfile contains everything that is needed to compile the .c code, build the .go files and run it on the kernel:

Build the image using docker build -t ebpf2go .
Run the Dockerfile using docker run --privileged -v C:\Path\To\Files:/ebpf ebpf2go:latest

MacOS

In the dockerfile there is a need to change the existing ln to ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm