bpf

Here are 179 public repositories matching this topic...

martinvonwittich commented Aug 25, 2021

Is your feature request related to a problem? Please describe.

I fiddled around with bpftrace to write internal documentation for my colleagues on how to use it. I chose tracepoint:syscalls:sys_enter_mkdir as a suitable tracepoint for a simple demo, and wrote this code:

bpftrace -e 'tracepoint:syscalls:sys_enter_mkdir { printf("mkdir %s %o\n", str(args->pathname), args->mode); }'

yanivagman commented Jun 5, 2021

We currently only check for CAP_SYS_ADMIN when running Tracee (https://github.com/aquasecurity/tracee/blob/main/tracee-ebpf/main.go#L885), which was correct for old kernels.
For newer kernels, CAP_SYS_ADMIN was split into a combination of 3 other capabilities:
CAP_BPF, CAP_PERFMON and CAP_NET_ADMIN as described in https://lwn.net/Articles/820560/, and https://lwn.net/Articles/822362/
Update check

anakryiko commented Aug 18, 2021

Almost every single BPF application out there has to implement bumping RLIMIT_MEMLOCK. What's worse, starting from some recent kernel version, RLIMIT_MEMLOCK is not necessary anymore for loading BPF programs and maps. Instead of asking all users to implement this detection logic and RLIMIT_MEMLOCK adjustment, do a sensible thing automatically:

  • on older kernels, bump RLIMIT_MEMLOCK to infinity
