Skip to content

Instantly share code, notes, and snippets.

@zigelboim-misha
Last active March 10, 2024 14:54
Show Gist options
  • Save zigelboim-misha/12b5c5f520fb0214afc93a0caf7115eb to your computer and use it in GitHub Desktop.
Save zigelboim-misha/12b5c5f520fb0214afc93a0caf7115eb to your computer and use it in GitHub Desktop.
eBPF Kernel Side - Using eBPF to Go
FROM golang:1.22.1
RUN apt update && \
apt upgrade && apt install -y wget clang llvm libbpf-dev curl git make sudo build-essential && \
ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm
ENTRYPOINT [ "tail", "-f", "/dev/null" ]
package main
//go:generate go run github.com/cilium/ebpf/cmd/bpf2go test test.c
module ebpf-test
go 1.21.0
toolchain go1.22.1
require github.com/cilium/ebpf v0.13.2
require (
golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2 // indirect
golang.org/x/sys v0.15.0 // indirect
)
package main
import (
"github.com/cilium/ebpf/link"
"github.com/cilium/ebpf/rlimit"
"log"
)
func main() {
// Remove resource limits for kernels <5.11.
if err := rlimit.RemoveMemlock(); err != nil {
log.Fatal("Removing memlock:", err)
}
// Load the compiled eBPF ELF and load it into the kernel.
var objs testObjects
if err := loadTestObjects(&objs, nil); err != nil {
log.Fatal("Loading eBPF objects:", err)
}
defer objs.Close()
kp, err := link.Tracepoint("syscalls", "sys_enter_write", objs.HandleTp, nil)
if err != nil {
log.Fatalf("opening tracepoint: %s", err)
}
defer kp.Close()
for {
}
}
//go:build ignore
// This code is taken from eunomia eBPF tutorial
// https://eunomia.dev/tutorials/1-helloworld/#hello-world-minimal-ebpf-program
/* SPDX-License-Identifier: (LGPL-2.1 OR BSD-2-Clause) */
#define BPF_NO_GLOBAL_DATA
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
#include <bpf/bpf_tracing.h>
typedef unsigned int u32;
typedef int pid_t;
const pid_t pid_filter = 0;
char LICENSE[] SEC("license") = "Dual BSD/GPL";
SEC("tp/syscalls/sys_enter_write")
int handle_tp(void *ctx)
{
pid_t pid = bpf_get_current_pid_tgid() >> 32;
if (pid_filter && pid != pid_filter)
return 0;
bpf_printk("BPF triggered sys_enter_write from PID %d.\n", pid);
return 0;
}
@zigelboim-misha
Copy link
Author

zigelboim-misha commented Mar 10, 2024

In this gist we will compile, build and run our eBPF kernel side script.

Golang Project

First we must initiate a go project:

go mod init ebpf-test
go mod tidy

Generating our Go files from Clang

Using go generate to compile the .c file into .o and .go files.

Running the eBPF script on the Kernel

By executing go generate && go build && sudo ./ebpf-test for a couple of seconds and then using ctrl+c we wrote some traces into /sys/kernel/debug/tracing/trace_pipe.

They can be viewed by sudo cat /sys/kernel/debug/tracing/trace_pipe | grep "BPF triggered sys_enter_write".

Enabling Tracing

If your Linux distribution (e.g. Ubuntu) does not have the tracing subsystem enabled by default, you may not see any output. Use the following command to enable this feature:

  • sudo mount -t debugfs none /sys/kernel/debug
  • sudo echo 1 > /sys/kernel/debug/tracing/tracing_on

Dockerfile

The Dockerfile contains everything that is needed to compile the .c code, build the .go files and run it on the kernel:

Build the image using docker build -t ebpf2go .
Run the Dockerfile using docker run --privileged -v C:\Path\To\Files:/ebpf ebpf2go:latest

MacOS

In the dockerfile there is a need to change the existing ln to ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/asm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment