
Comments (8)

geyslan commented on June 12, 2024

Check if your vmlinux.h has a definition for BPF_MAP_TYPE_BLOOM_FILTER.

BPF_MAP_TYPE_BLOOM_FILTER = 30,

More related:

from libbpfgo.

geyslan commented on June 12, 2024

Hi @Hugo96870, it's nice to see you trying libbpfgo.

We recommend you build it statically since you'll have a different libbpf system version (most of the time).

For building your code correctly, please refer to the selftests Makefile that sets the required flags: https://github.com/aquasecurity/libbpfgo/blob/main/selftest/common/Makefile

from libbpfgo.

Hugo96870 commented on June 12, 2024

> Hi @Hugo96870, it's nice to see you trying libbpfgo.
>
> We recommend you build it statically since you'll have a different libbpf system version (most of the time).
>
> For building your code correctly, please refer to the selftests Makefile that sets the required flags: https://github.com/aquasecurity/libbpfgo/blob/main/selftest/common/Makefile

Hi @geyslan! I'm sorry for the delayed response.
Upon building libbpfgo statically, a new error started popping up:

go build -o ./trace_write/loader ./trace_write/loader.go

# github.com/aquasecurity/libbpfgo

../libbpfgo/map-common.go:51:39: could not determine kind of name for C.BPF_MAP_TYPE_BLOOM_FILTER

Even if I comment out everything related to BPF_MAP_TYPE_BLOOM_FILTER, we get the following error:

go build -o ./trace_write/loader ./trace_write/loader.go

# github.com/aquasecurity/libbpfgo

cgo: ../libbpfgo/prog.go:520:18: unexpected: -1-byte enum type - enum bpf_cgroup_iter_order {}

These are with the changes to use the local repos (example of my go.mod file):

module github.com/cilium/ebpf

go 1.22.0

require (
	github.com/aquasecurity/libbpfgo v0.1.1
	github.com/libbpf/libbpf v1.3.0
	github.com/go-quicktest/qt v1.101.0
	github.com/google/go-cmp v0.5.9
	golang.org/x/exp v0.0.0-20230224173230-c95f2b4c22f2
	golang.org/x/sys v0.17.0
)

replace github.com/aquasecurity/libbpfgo => ../libbpfgo
replace github.com/libbpf/libbpf => ../libbpf

require (
	github.com/kr/pretty v0.3.1 // indirect
	github.com/kr/text v0.2.0 // indirect
	github.com/rogpeppe/go-internal v1.11.0 // indirect
)

If I don't use the local repos, the error is the one I started with, as expected.

from libbpfgo.

Hugo96870 commented on June 12, 2024

> Check if your vmlinux.h has a definition for BPF_MAP_TYPE_BLOOM_FILTER.
>
> BPF_MAP_TYPE_BLOOM_FILTER = 30,
>
> More related:

Yes, the vmlinux.h has a definition for BPF_MAP_TYPE_BLOOM_FILTER.
Upon overpassing this issue I'm now facing a new one:

sudo go build -o ./trace_write/loader ./trace_write/loader.go

# github.com/aquasecurity/libbpfgo

cgo: ../libbpfgo/prog.go:520:18: unexpected: -1-byte enum type - enum bpf_cgroup_iter_order {}

This also happens on version of libbpf 1.2 and libbpfgo v0.5.1-libbpf-1.2. From what I could gather, the issue is in the struct cgo_bpf_iter_attach_opts_new not being able to recognise bpf_cgroup_iter_order, which is defined in libbpf.

I see its definition in here: /<My_path>/libbpfgo/libbpf/.github/actions/build-selftests/vmlinux.h and here: /home/hugo/Desktop/libbpfgo/libbpf/include/uapi/linux/bpf.h

from libbpfgo.

geyslan commented on June 12, 2024

> Upon overpassing this issue I'm now facing a new one:

How did you solve it (BPF_MAP_TYPE_BLOOM_FILTER missing def)? I ask since the lack of bpf_cgroup_iter_order seems related to it.

> This also happens on version of libbpf 1.2 and libbpfgo v0.5.1-libbpf-1.2

The last libbpfgo release - v0.6.0-libbpf-1.3 - requires libbpf 1.3.

Please try using the last release and its libbpf 1.3 submodule. We don't recommend using the system or other local version.

from libbpfgo.

Hugo96870 commented on June 12, 2024

> How did you solve it (BPF_MAP_TYPE_BLOOM_FILTER missing def)? I ask since the lack of bpf_cgroup_iter_order seems related to it.

With some local changes, but it led to a dead end.

> The last libbpfgo release - v0.6.0-libbpf-1.3 - requires libbpf 1.3.

With this version the error that pops is the first one:

/root/go/pkg/mod/github.com/aquasecurity/[email protected]/map-common.go:51:39: could not determine kind of name for C.BPF_MAP_TYPE_BLOOM_FILTER

All the selftests pass, and following the other threads led to dead ends as well.
Also, the vmlinux.h I'm using to compile the ebpf program has the type BPF_MAP_TYPE_BLOOM_FILTER defined in the enum bpf_map_type.

from libbpfgo.

geyslan commented on June 12, 2024

Well, I did a local test with your code and realized that your golang import is wrong:

"github.com/aquasecurity/tracee/libbpfgo"

Replace it with:

"github.com/aquasecurity/libbpfgo"

My local test:

::::::::::::::
ebpf.c
::::::::::::::
// +build ignore

#include <vmlinux.h>
#include <bpf/bpf_helpers.h>

// Define a map to hold the count of bytes written
struct {
    __uint(type, BPF_MAP_TYPE_PERCPU_ARRAY);
    __type(key, u32);
    __type(value, long);
    __uint(max_entries, 64);
} write_count SEC(".maps");

SEC("kprobe/sys_write")
int bpf_prog1(const struct pt_regs *ctx)
{
    u32 key = 0;
    long bytes_written;

    bpf_probe_read(&bytes_written, sizeof(bytes_written), (void *)ctx + 24);

    // Update the map with the count of bytes written
    bpf_map_update_elem(&write_count, &key, &bytes_written, BPF_ANY);

    return 0;
}

char LICENSE[] SEC("license") = "GPL";
::::::::::::::
loader.go
::::::::::::::
package main

import (
    "fmt"
    "os"
    "os/signal"
    "syscall"
    "github.com/aquasecurity/libbpfgo"
)

func main() {
    // Load the BPF Object
    bpfModule, err := libbpfgo.NewModuleFromFile("write_trace.bpf.o")
    if err != nil {
        fmt.Fprintf(os.Stderr, "could not load bpf module: %v\n", err)
        os.Exit(1)
    }
    defer bpfModule.Close()

    // Load and attach tracepoint
    err = bpfModule.BPFLoadObject()
    if err != nil {
        fmt.Fprintf(os.Stderr, "could not load bpf object: %v\n", err)
        os.Exit(1)
    }

    prog, err := bpfModule.GetProgram("bpf_prog1")
    if err != nil {
        fmt.Fprintf(os.Stderr, "could not get BPF program: %v\n", err)
        os.Exit(1)
    }

    _, err = prog.AttachKprobe("sys_write")
    if err != nil {
        fmt.Fprintf(os.Stderr, "could not attach kprobe: %v\n", err)
        os.Exit(1)
    }

    // Setup ring buffer
    eventsMap, err := bpfModule.GetMap("events")
    if err != nil {
        fmt.Fprintf(os.Stderr, "could not find events map: %v\n", err)
        os.Exit(1)
    }

    ringBuffer, err := libbpfgo.NewRingBuffer(eventsMap, func(data []byte) {
        // Process each event
        fmt.Println("Event received")
        // Add your logic to process ring buffer events here
    })
    if err != nil {
        fmt.Fprintf(os.Stderr, "could not create ring buffer: %v\n", err)
        os.Exit(1)
    }
    ringBuffer.Start()
    defer ringBuffer.Stop()

    // Wait for the user to press Ctrl+C
    fmt.Println("Waiting for events... Press Ctrl+C to stop.")
    c := make(chan os.Signal, 1)
    signal.Notify(c, os.Interrupt, syscall.SIGTERM)
    <-c
    fmt.Println("Detaching and closing BPF program")
}
::::::::::::::
go.mod
::::::::::::::
module testbpf.com

go 1.22.0

require github.com/aquasecurity/libbpfgo v0.6.0-libbpf-1.3

replace github.com/aquasecurity/libbpfgo => ./libbpfgo
::::::::::::::
go.sum
::::::::::::::

Command to compile it:

GOOS=linux CC=clang GOARCH=amd64 CGO_CFLAGS="-I ./libbpfgo/output -I ./libbpfgo/selftest/common" CGO_LDFLAGS="$(pkg-config --libs libelf zlib) ./libbpfgo/output/libbpf/libbpf.a" go build -ldflags='-w -extldflags "-static"' -o loader

It outputs another error since you don't have a BPF_MAP_TYPE_RINGBUF.

from libbpfgo.
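
The mismatch identified in the comment above, a source import path that the go.mod requirement does not cover, can be checked before cgo is ever invoked. The following is an added example, not code from the thread or from libbpfgo; `unresolvedImports`, the simplified go.mod regex and the embedded sample inputs are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"go/parser"
	"go/token"
	"regexp"
	"strconv"
	"strings"
)

// Constructed inputs: go.mod as in the local test above, and a loader header
// using the import path the thread identifies as wrong.
const goMod = `module testbpf.com
require github.com/aquasecurity/libbpfgo v0.6.0-libbpf-1.3
`
const wrongSrc = `package main
import "fmt"
import "github.com/aquasecurity/tracee/libbpfgo"
`

// Simplified go.mod scan: "path vX.Y.Z" lines, with or without "require".
var requireRe = regexp.MustCompile(`(?m)^[ \t]*(?:require[ \t]+)?(\S+)[ \t]+v\d`)

// unresolvedImports returns non-stdlib imports that no required module provides.
func unresolvedImports(src, mod string) ([]string, error) {
	file, err := parser.ParseFile(token.NewFileSet(), "loader.go", src, parser.ImportsOnly)
	if err != nil {
		return nil, err
	}
	mods := requireRe.FindAllStringSubmatch(mod, -1)
	var bad []string
next:
	for _, spec := range file.Imports {
		path, _ := strconv.Unquote(spec.Path.Value)
		if !strings.Contains(strings.SplitN(path, "/", 2)[0], ".") {
			continue // standard library: first path element has no dot
		}
		for _, m := range mods {
			if path == m[1] || strings.HasPrefix(path, m[1]+"/") {
				continue next // provided by a required module
			}
		}
		bad = append(bad, path)
	}
	return bad, nil
}

func main() { fmt.Println(unresolvedImports(wrongSrc, goMod)) }
```

The check does not account for packages inside the module's own path or for `replace` blocks; it only compares imports against `require` entries.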

geyslan commented on June 12, 2024

I'm going to convert it to a discussion since we didn't detect any issue.

from libbpfgo.
