Tiny repository containing work related to eBPF and Rust. The medium to long term objective is to use this repository to learn more about eBPF and how to use it with Rust.
For the time being this is mostly a scratchpad.
Simple eBPF program that uses bpftrace
to hook to the generic_file_open
kprobe and print out details regarding which file was opened and by who. This
currently filters by uid
being 1000
which generally refers to the current
user.
Attaching 2 probes...
uid, gid, filename
1000, 1000, HEAD
Decided to start recreating the program without using bpftrace
in order to
get a better understanding of the internal representations of eBPF programs.
We recreate the generic_file_open
example
in C and compile it to byte-code using clang
.
clang -target bpf -Wall -O2 -c generic_file_open_example.c -o generic_file_open_example.o
We can now use the Rust library, aya to load our program.
Using aya
Extended the generic_file_open example to now use Aya to load our program into the kernel.
cargo b
sudo ./target/debug/generic-file-open
We can then use bpftool prog
to validate that our program has loaded.
❯ sudo bpftool prog
2: cgroup_skb name egress tag b9d9f7a5d9d7e087 gpl
loaded_at 2022-06-08T13:03:02+0100 uid 0
xlated 360B jited 206B memlock 4096B map_ids 6,4,3