On Wed, Jul 06, 2022 at 05:41:17PM -0700, Andrii Nakryiko wrote:
SNIP
> +static int probe_kern_syscall_wrapper(void)
> +{
> + /* available_filter_functions is a few times smaller than
> + * /proc/kallsyms and has simpler format, so we use it as a faster way
> + * to check that __<arch>_sys_bpf symbol exists, which is a sign that
> + * kernel was built with CONFIG_ARCH_HAS_SYSCALL_WRAPPER and uses
> + * syscall wrappers
> + */
> + static const char *kprobes_file = "/sys/kernel/tracing/available_filter_functions";
> + char func_name[128], syscall_name[128];
> + const char *ksys_pfx;
> + FILE *f;
> + int cnt;
> +
> + ksys_pfx = arch_specific_syscall_pfx();
> + if (!ksys_pfx)
> + return 0;
> +
> + f = fopen(kprobes_file, "r");
> + if (!f)
> + return 0;
> +
> + snprintf(syscall_name, sizeof(syscall_name), "__%s_sys_bpf", ksys_pfx);
> +
> + /* check if bpf() syscall wrapper is listed as possible kprobe */
> + while ((cnt = fscanf(f, "%127s%*[^\n]\n", func_name)) == 1) {
nit cnt is not used/needed
jirka
> + if (strcmp(func_name, syscall_name) == 0) {
> + fclose(f);
> + return 1;
> + }
> + }
> +
> + fclose(f);
> + return 0;
> +}
> +
> enum kern_feature_result {
> FEAT_UNKNOWN = 0,
> FEAT_SUPPORTED = 1,
> @@ -4722,6 +4781,9 @@ static struct kern_feature_desc {
> [FEAT_BTF_ENUM64] = {
> "BTF_KIND_ENUM64 support", probe_kern_btf_enum64,
> },
> + [FEAT_SYSCALL_WRAPPER] = {
> + "Kernel using syscall wrapper", probe_kern_syscall_wrapper,
> + },
> };
>
SNIP
