This RFC patch set is to gather feedback about new
SEC("ksyscall") and SEC("kretsyscall") section definitions meant to simplify
life of BPF users that want to trace Linux syscalls without having to know or
care about things like CONFIG_ARCH_HAS_SYSCALL_WRAPPER and related arch-specific
vs arch-agnostic __<arch>_sys_xxx vs __se_sys_xxx function names, calling
convention woes ("nested" pt_regs), etc. All this is quite annoying to
remember and care about as BPF user, especially if the goal is to write
achitecture- and kernel version-agnostic BPF code (e.g., things like
libbpf-tools, etc).
By using SEC("ksyscall/xxx")/SEC("kretsyscall/xxx") user clearly communicates
the desire to kprobe/kretprobe kernel function that corresponds to the
specified syscall. Libbpf will take care of all the details of determining
correct function name and calling conventions.
This patch set also improves BPF_KPROBE_SYSCALL (and renames it to
BPF_KSYSCALL to match SEC("ksyscall")) macro to take into account
CONFIG_ARCH_HAS_SYSCALL_WRAPPER instead of hard-coding whether host
architecture is expected to use syscall wrapper or not (which is less reliable
and can change over time).
It would be great to get feedback about the overall feature, but also I'd
appreciate help with testing this, especially for non-x86_64 architectures.
Cc: Ilya Leoshkevich <iii@xxxxxxxxxxxxx>
Cc: Kenta Tada <kenta.tada@xxxxxxxx>
Cc: Hengqi Chen <hengqi.chen@xxxxxxxxx>
Andrii Nakryiko (3):
libbpf: improve and rename BPF_KPROBE_SYSCALL
libbpf: add ksyscall/kretsyscall sections support for syscall kprobes
selftests/bpf: use BPF_KSYSCALL and SEC("ksyscall") in selftests
tools/lib/bpf/bpf_tracing.h | 44 +++++--
tools/lib/bpf/libbpf.c | 109 ++++++++++++++++++
tools/lib/bpf/libbpf.h | 16 +++
tools/lib/bpf/libbpf.map | 1 +
tools/lib/bpf/libbpf_internal.h | 2 +
.../selftests/bpf/progs/bpf_syscall_macro.c | 6 +-
.../selftests/bpf/progs/test_attach_probe.c | 6 +-
.../selftests/bpf/progs/test_probe_user.c | 27 +----
8 files changed, 172 insertions(+), 39 deletions(-)
--
2.30.2
