-1

So I have llvm, kernel headers (5.14.1), clang, and also libbpf. Along with that, I copied bpf_helpers.h from the Linux source into the eBPF program directory. This is a simple program that I would like to get loaded and run when the execve system call gets called from any program:

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include "bpf_helpers.h" // some helpers not found, why is that?

#define SEC(NAME) __attribute__((section(NAME), used))

SEC("kprobe/execve")
int bpf_prog1(struct pt_regs *ctx)
{
        char m[]="hello world";
        bpf_trace_printk(m,sizeof(m));

        return 0;
}

char _license[] SEC("license") = "GPL";
```

Really a simple program.

I compiled the program with clang, but when I run `llvm-objdump -S ./one.o` it gives a message about an unrecognized format.

So if my llvm does not understand my .o file, I would like to know what that means. Can I ignore this warning from llvm-objdump and move on to loading the .o file using an eBPF loader program, or is the way I created the .o file and compiled it with clang wrong? In that case, can someone tell me how to create an eBPF program from an eBPF .c file and load it using a loader program?

user786
  • Also, I could not find how to include the header file for the `load_bpf_file` helper function. This function is supposed to be called from the loader program to load the eBPF .o binary. – user786 Dec 15 '21 at 08:14
  • What is the command you use to compile? And what is the output of `file one.o`? That should give us some more info to work with. – Dylan Reimerink Dec 15 '21 at 18:41
  • @caveman the command is correct. But I am having a problem with libbpf. I know it's installed on my system, but I don't know where I can find the exact headers for it. Do the libbpf headers have a location on the system once it is installed? Headers like bpf_helpers.h, bpf_helper_defs.h. – user786 Dec 16 '21 at 05:21

1 Answer

1

If you run on Ubuntu and you installed libbpf-dev, you should be able to include libbpf headers like this:

```c
#include <bpf/bpf_helpers.h>
```

and (in a loader program):

```c
#include <bpf/libbpf.h>
```

As for llvm-objdump complaining, it may depend on the command that you are using to compile. Are you passing the -t bpf target? What command do you use exactly?

Qeole
  • I have installed `libbpf-dev`; now it's still giving me the error `user.c:5:10: fatal error: bpf_load.h: No such file or directory 5 | #include ` – user786 Dec 16 '21 at 10:12
  • Where should I look for this file on my system in the compile command? – user786 Dec 16 '21 at 10:12
  • I think I found the answer https://lwn.net/Articles/625233/ – user786 Dec 16 '21 at 10:51
  • `bpf_load.h` is not part of libbpf, it is the header for an alternative (and deprecated) loading program which is part of the kernel samples. You may want to use libbpf instead, see [its documentation](https://libbpf.readthedocs.io/en/latest/). – Qeole Dec 16 '21 at 11:43
  • What does ctx->data contain? Do you know? – user786 Dec 16 '21 at 12:49
  • How do I extract the execve parameters? Do you know? – user786 Dec 16 '21 at 12:50
  • `ctx->data` is a pointer to your packet's data when you attach a program to a networking hook (e.g. TC or XDP), but this is not the case here and you don't need it. You'd access the arguments with `bpf_probe_read_kernel()`, possibly with the help of `BTF_CORE_READ()` if you work with BTF. I'd suggest grepping for that function in the kernel samples to see how it is used. – Qeole Dec 16 '21 at 14:14
  • `You'd access the arguments with bpf_probe_read_kernel()` Is there any document or book that I can download that gives all this info? There are many helpers, and understanding the man page on bpf helpers is a bit difficult for me. – user786 Dec 16 '21 at 14:47
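
Added example (not part of the original question, answer or comments): the `file one.o` check requested in the comments comes down to reading the object's first bytes, and this C program does that, separating an ELF object for BPF (`e_machine` 247, EM_BPF) from an ELF object for another machine and from raw LLVM bitcode. The names `classify_object`, `obj_kind` and the `sample_*` headers are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EM_BPF_ID 247 /* ELF e_machine value for Linux BPF */
enum obj_kind { OBJ_TOO_SHORT, OBJ_UNKNOWN, OBJ_LLVM_BITCODE,
                OBJ_ELF_BPF, OBJ_ELF_OTHER };

/* Constructed sample headers (not taken from the question's one.o). */
const uint8_t sample_bpf[20] = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0,
    0, 0, 0, 0, 0, 0, 0, 0, /* e_type */ 1, 0, /* e_machine */ 0xf7, 0 };
const uint8_t sample_x86_64[20] = { 0x7f, 'E', 'L', 'F', 2, 1, 1, 0,
    0, 0, 0, 0, 0, 0, 0, 0, /* e_type */ 1, 0, /* e_machine */ 0x3e, 0 };
const uint8_t sample_bitcode[4] = { 'B', 'C', 0xc0, 0xde };

/* On an ELF input, *machine receives e_machine decoded per EI_DATA. */
enum obj_kind classify_object(const uint8_t *buf, size_t len, uint16_t *machine)
{
    if (len < 4)
        return OBJ_TOO_SHORT;
    if (memcmp(buf, "BC\xc0\xde", 4) == 0)
        return OBJ_LLVM_BITCODE; /* LLVM IR bitcode, not an ELF object */
    if (memcmp(buf, "\x7f" "ELF", 4) != 0)
        return OBJ_UNKNOWN;
    if (len < 20) /* e_machine occupies offsets 18 and 19 */
        return OBJ_TOO_SHORT;
    if (buf[5] == 1)      /* EI_DATA: little endian */
        *machine = (uint16_t)(buf[18] | (buf[19] << 8));
    else if (buf[5] == 2) /* EI_DATA: big endian */
        *machine = (uint16_t)((buf[18] << 8) | buf[19]);
    else
        return OBJ_UNKNOWN;
    return *machine == EM_BPF_ID ? OBJ_ELF_BPF : OBJ_ELF_OTHER;
}

int main(int argc, char **argv)
{
    uint8_t hdr[20];
    uint16_t machine = 0;
    FILE *f = argc > 1 ? fopen(argv[1], "rb") : NULL;
    size_t n = f ? fread(hdr, 1, sizeof hdr, f) : 0;
    if (f)
        fclose(f);
    /* Without a readable file argument, classify the constructed BPF sample. */
    enum obj_kind k = f ? classify_object(hdr, n, &machine)
                        : classify_object(sample_bpf, sizeof sample_bpf, &machine);
    printf("kind=%d e_machine=%u\n", (int)k, (unsigned)machine);
    return k == OBJ_ELF_BPF ? 0 : 1;
}
```

Built with the host compiler and given an object file path as its argument, it exits 0 only when that file is an ELF object for BPF.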