Dynamic addition of kprobe and tracepoint #44
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
jundizhou
reviewed
Aug 5, 2024
| @@ -1324,6 +1375,93 @@ int32_t scap_bpf_close(scap_t *handle) | |||
| return SCAP_SUCCESS; | |||
| } | |||
|
|
|||
| static int32_t scap_bpf_handle_kt_mask( scap_t *handle, uint32_t op, uint32_t kt_index) | |||
There was a problem hiding this comment.
We are preparing to add uprobe as a new program type in some other plans. Can we abstract k_t to another level. #37
There was a problem hiding this comment.
uprobe function is not merge yet , now we can merge first
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Dynamically enable and disable kprobe and tracepoint events using file descriptors (fd).
Description
Utilize the file descriptors (fd) generated when loading BPF programs into the kernel and hooking them to control the enabling of kprobe and tracepoint events dynamically.
Why add a new way to implement event toggling?
1.In an eBPF program, complete shutdown can be dynamically achieved without the need for logical checks.
2.To toggle new events via BPF maps, developers must be familiar not only with agent-lib code but also with Kindling's CGO code to implement the necessary functionality. This involves calling map functions for kernel interaction in agent-libs and knowing the event type for shutdown. While macro definitions hide the logical checks in the eBPF program, reducing the need for manual developer intervention, it adds complexity to code reading and may not completely close events. Using file descriptors (fd) to control event toggling only requires switching based on the mounted eBPF program's name, eliminating the need to pass the tracepoint type for closure. This allows Kindling to develop a universal interface where specifying the event name is sufficient for complete shutdown of new events, facilitating rapid implementation of toggling functionalities by specifying kprobe and tracepoint names.