libbpfgo: make AttachTracepoint() signature 1:1 with libbpf #77
Conversation
|
I have tested this with: SEC("tp/syscalls/sys_enter_sync")
int tracepoint__sys_enter_sync(struct trace_event_raw_sys_enter *args)
{
return dealwithit(args);
} // attach to BPF program to kprobe
//_, err = bpfProgKsysSync.AttachTracepoint("syscalls:sys_enter_sync")
_, err = bpfProgKsysSync.AttachTracepoint("syscalls", "sys_enter_sync")
if err != nil {
errExit(err)
}it works the same way (simplifying the split logic done within AttachTracepoint. I think its okay to accept this (not that is changing anything meaningful but... it removes any doubts about category versus name. |
|
ORTHOGONAL to this change: tracepoint attachment does not seem to be working in older kernels (not sure if because of what I predicted: tracepoint and perf events attachment share same baseline functions for attachment).
GO code: Equivalent C code: GO code works in newer kernels: |
|
|
libbpfgo.go
Outdated
| C.free(unsafe.Pointer(tpCategory)) | ||
| C.free(unsafe.Pointer(tpName)) |
There was a problem hiding this comment.
nit: what was wrong with freeing the C strings here that we need to defer it?
There was a problem hiding this comment.
It's just a nitpicking, perhaps trying to use the Golang idioms. But this change is not mandatory. If rejected I can get rid of it.
There was a problem hiding this comment.
Well in this case, we can just free the allocated objects right after we use them, and it seems to be clearer (at least for me).
I would use defer when there is an operation (like closing a file) that can't happen right away, and I want to ensure that will happen in any return path of the function.
libbpfgo.go
Outdated
| } | ||
|
|
||
| bpfLink := &BPFLink{ | ||
| link: link, | ||
| prog: p, | ||
| linkType: Tracepoint, | ||
| eventName: tp, | ||
| eventName: fmt.Sprintf("%s:%s", category, name), |
There was a problem hiding this comment.
I think that it is ok if we just use name here so it will match the above error message where we also return name
There was a problem hiding this comment.
I see. Consider it done.
@rafaeldtinoco I'm not sure that this problem has anything to do with tracepoints. It seems to me more of a CO-RE problem ( |
No, actually there is a bug in a logic I added to NewModuleFromFileArgs(). If there are no BTF files specified, I specify "/sys/kernel/btf/vmlinux". In this particular environment my BTF is coming from the debug package (which is hardcoded in libbpf and should work). With this change: diff --git a/libbpfgo.go b/libbpfgo.go
index 5bc8a80..02093a1 100644
--- a/libbpfgo.go
+++ b/libbpfgo.go
@@ -348,15 +348,15 @@ func NewModuleFromFileArgs(args NewModuleArgs) (*Module, error) {
if err := bumpMemlockRlimit(); err != nil {
return nil, err
}
- if args.BTFObjPath == "" {
- args.BTFObjPath = "/sys/kernel/btf/vmlinux"
- }
- btfFile := C.CString(args.BTFObjPath)
+ //if args.BTFObjPath == "" {
+ //args.BTFObjPath = "/sys/kernel/btf/vmlinux"
+ //}
+ //btfFile := C.CString(args.BTFObjPath)
bpfFile := C.CString(args.BPFObjPath)
opts := C.struct_bpf_object_open_opts{}
opts.sz = C.sizeof_struct_bpf_object_open_opts
- opts.btf_custom_path = btfFile // instruct libbpf to use user provided kernel BTF file
+ //opts.btf_custom_path = btfFile // instruct libbpf to use user provided kernel BTF file
if strings.Compare(args.KConfigFilePath, "") != 0 {
kConfigFile := C.CString(args.KConfigFilePath)
@@ -370,7 +370,7 @@ func NewModuleFromFileArgs(args NewModuleArgs) (*Module, error) {
}
C.free(unsafe.Pointer(bpfFile))
- C.free(unsafe.Pointer(btfFile))
+ //C.free(unsafe.Pointer(btfFile))
return &Module{
obj: obj,It works again. I have opened #81 to fix this as we shouldn't specify a custom BTF file if there isn't one. |
geyslan
force-pushed
the
75-attach-tp-signature
branch
from
4ac9860 to
04fa5a7
Compare
Reflecting changes in libbpfgo. aquasecurity/libbpfgo#77
These changes, along with some refactoring, also update the
libbpfgo_test.go.Fixes: #75