
I'm currently working on a use case where I'm running an eBPF program inside a Docker container. I want to filter requests based on the process ID (PID), but I've encountered an issue with the PIDs obtained from my hooks (refer). Specifically, I've put a hook on cgroup/connect4, but when I try to load the program, I receive the error message `unknown func bpf_get_ns_current_pid_tgid#120`.

However, when I use the bpf_get_ns_current_pid_tgid function within a kprobe method, it works fine. I suspect that bpf_get_ns_current_pid_tgid might not be supported in every eBPF program type.

Could anyone provide information on which eBPF program types support the bpf_get_ns_current_pid_tgid helper function? I would greatly appreciate any insights or references to documentation that can help clarify this compatibility issue.

Thank you in advance for your assistance!

Gourav Kumar

1 Answer

You are correct, not all helper functions are available in all contexts. The bpf_get_ns_current_pid_tgid function is only available in the following program types:

  • BPF_PROG_TYPE_KPROBE
  • BPF_PROG_TYPE_LSM
  • BPF_PROG_TYPE_PERF_EVENT
  • BPF_PROG_TYPE_RAW_TRACEPOINT
  • BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
  • BPF_PROG_TYPE_SYSCALL
  • BPF_PROG_TYPE_TRACEPOINT
  • BPF_PROG_TYPE_TRACING

However, if it's the PID of the calling process you need, you can use the bpf_get_current_pid_tgid helper, which is available in the following program types:

  • BPF_PROG_TYPE_CGROUP_SOCK
  • BPF_PROG_TYPE_CGROUP_SOCK_ADDR
  • BPF_PROG_TYPE_KPROBE
  • BPF_PROG_TYPE_LSM
  • BPF_PROG_TYPE_PERF_EVENT
  • BPF_PROG_TYPE_RAW_TRACEPOINT
  • BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
  • BPF_PROG_TYPE_SK_MSG
  • BPF_PROG_TYPE_SYSCALL
  • BPF_PROG_TYPE_TRACEPOINT
  • BPF_PROG_TYPE_TRACING

For other helper functions you can run the bpftool feature command to figure this out for any helper function on your local system.

Alternatively, you can find the struct bpf_verifier_ops for the program type you are interested in. Then look at the *_func_proto function indicated by the .get_func_proto field (sock_addr_func_proto in this case), which reveals what helper calls are allowed. The advantage of going to the sources is that they also show additional requirements such as kconfig settings, attachment types and runtime mode restrictions not detailed in the bpftool output.

Dylan Reimerink
  • Thanks a lot, btw are there any docs where you see these supported types? – Gourav Kumar May 31 '23 at 14:59
  • I am working on docs which list this. But coverage is a bit lacking as of writing this. https://ebpf-docs.dylanreimerink.nl/linux/helper-function/ – Dylan Reimerink May 31 '23 at 15:04
  • Maybe a pointer to how to get this information would help? – pchaigno May 31 '23 at 18:27
  • Is it possible to set up a kprobe on a system call that is triggered before invoking `cgroup/connect4`? This way, I can utilize maps to retrieve the namespace pid within the connect4 which was set in kprobe hook. – Gourav Kumar Jun 01 '23 at 06:28
  • I found that system call `tcp_v4_pre_connect` is called every time before `cgroup/connect4` gets called. Is there any other system call which doesn't get triggered this often but only once before `cgroup/connect4`? – Gourav Kumar Jun 01 '23 at 08:51
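The answer suggests checking helper availability with bpftool rather than guessing. As an added example (not from the question or answer), this POSIX shell snippet parses the "eBPF helpers supported for program type ..." sections of `bpftool feature probe kernel` output and reports whether a given helper is listed for a given program type; the embedded probe output is a constructed sample so the script runs offline, and the `check` and `helper_supported` function names are my own.

```shell
#!/bin/sh
# helper_supported <prog_type> <helper>  (bpftool output on stdin)
# Prints "yes" or "no"; exit status 0 only when the helper is listed
# for that program type. Section headers look like:
#   eBPF helpers supported for program type cgroup_sock_addr:
# followed by one "- <helper>" line per helper (tab-indented in real output).
helper_supported() {
  prog_type="$1"; helper="$2"
  awk -v t="$prog_type" -v h="$helper" '
    /^eBPF helpers supported for program type / {
      sub(/:$/, "", $NF); in_type = ($NF == t); next
    }
    in_type && /^[ \t]*- / { if ($2 == h) { found = 1; exit } }
    END { print (found ? "yes" : "no"); exit (found ? 0 : 1) }
  '
}

# Constructed sample of bpftool output (NOT captured from a real kernel);
# it mirrors the answer: the ns-aware helper is kprobe-only, while
# bpf_get_current_pid_tgid is also usable from cgroup_sock_addr.
SAMPLE_PROBE='Scanning eBPF helper functions...
eBPF helpers supported for program type kprobe:
  - bpf_map_lookup_elem
  - bpf_get_current_pid_tgid
  - bpf_get_ns_current_pid_tgid
eBPF helpers supported for program type cgroup_sock_addr:
  - bpf_map_lookup_elem
  - bpf_get_current_pid_tgid
'

# check <prog_type> <helper> [<probe_file>]
# With a third argument, reads a saved `bpftool feature probe kernel` dump;
# otherwise uses the constructed sample above.
check() {
  if [ -n "$3" ]; then
    helper_supported "$1" "$2" < "$3"
  else
    printf '%s' "$SAMPLE_PROBE" | helper_supported "$1" "$2"
  fi
}

# Demo: the two helpers discussed above, for the cgroup/connect4 program type.
for h in bpf_get_current_pid_tgid bpf_get_ns_current_pid_tgid; do
  printf '%-28s cgroup_sock_addr: ' "$h"
  check cgroup_sock_addr "$h" || true
done
```

Against a live system, save the real output with `bpftool feature probe kernel > probe.txt` (run as root so the helper probes are not skipped) and call `check cgroup_sock_addr bpf_get_ns_current_pid_tgid probe.txt`.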