eBPF library for Go based on Linux libbpf

Overview

libbpfgo


libbpfgo is a Go library for working with Linux's eBPF. It was created for Tracee, our open source Runtime Security and eBPF tracing tools written in Go. If you are interested in eBPF and its applications, check out Tracee on GitHub: https://github.com/aquasecurity/tracee.

libbpfgo is built around libbpf - the standard library for interacting with eBPF from userspace, which is a C library maintained in Linux upstream. We have created libbpfgo as a thin Go wrapper around libbpf.

Installing

libbpfgo uses CGO to interoperate with libbpf and expects to be linked with libbpf at run or link time. Simply importing libbpfgo is not enough to get started; you need to fulfill the required dependency in one of the following ways:

  1. Install libbpf as a shared object in the system. libbpf may already be packaged for your distribution; if not, you can build and install it from source. More info here.
  2. Embed libbpf into your Go project as a vendored dependency. This means that the libbpf code is statically linked into the resulting binary, and there are no runtime dependencies. Tracee takes this approach, and you can use its Makefile as an example.

Concepts

libbpfgo tries to feel natural to Go developers by abstracting away C technicalities. For example, it translates low-level return codes into Go errors, organizes functionality around Go structs, and uses channels to let you consume events.

At a high level, this is a typical workflow for working with the library:

  1. Compile your bpf program into an object file.
  2. Initialize a Module struct - that is a unit of BPF functionality around your compiled object file.
  3. Load bpf programs from the object file using the BPFProg struct.
  4. Attach BPFProg to system facilities, for example to "raw tracepoints" or "kprobes" using the BPFProg's associated functions.
  5. Instantiate and manipulate BPF Maps via the BPFMap struct and its associated methods.
  6. Instantiate and manipulate Perf Buffer for communicating events from your BPF program to the driving userspace program, using the RingBuffer struct and its associated objects.

Example

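// initializing
import bpf "github.com/aquasecurity/libbpfgo"
...
// NewModuleFromFile returns an error as its second value
bpfModule, err := bpf.NewModuleFromFile(bpfObjectPath)
if err != nil {
	// handle the error: the object file could not be opened or parsed
}
defer bpfModule.Close()
if err := bpfModule.BPFLoadObject(); err != nil {
	// handle the error: the object could not be loaded into the kernel
}

// maps
mymap, _ := bpfModule.GetMap("mymap")
mymap.Update(key, value)

// ring buffer: events arrive on eventsChannel once the buffer is started
rb, _ := bpfModule.InitRingBuffer("events", eventsChannel, buffSize)
rb.Start()
e := <-eventsChannel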

Please check our github milestones for an idea of the project roadmap. The general goal is to fully implement/expose libbpf's API in Go as seamlessly as possible.

Learn more

Issues
  • Makefile: improvements

    Makefile: improvements for the entire tree

    Currently you will find the following GNU Makefile rules:

    | Makefile Rule | Description                   |
    |---------------|-------------------------------|
    | all           | builds libbpfgo (dynamic)     |
    | clean         | cleans entire tree            |
    | selftest      | builds all selftests (static) |
    | selftest-run  | runs all selftests (static)   |

    • libbpf dynamically linked (libbpf from OS)

    | Makefile Rule         | Description                       |
    |-----------------------|-----------------------------------|
    | libbpfgo-dynamic      | builds dynamic libbpfgo (libbpf)  |
    | libbpfgo-dynamic-test | 'go test' with dynamic libbpfgo   |
    | selftest-dynamic      | build tests with dynamic libbpfgo |
    | selftest-dynamic-run  | run tests using dynamic libbpfgo  |

    • statically compiled (libbpf submodule)

    | Makefile Rule        | Description                      |
    |----------------------|----------------------------------|
    | libbpfgo-static      | builds static libbpfgo (libbpf)  |
    | libbpfgo-static-test | 'go test' with static libbpfgo   |
    | selftest-static      | build tests with static libbpfgo |
    | selftest-static-run  | run tests using static libbpfgo  |

    • examples
    $ make libbpfgo-static => libbpfgo statically linked with libbpf
    $ make -C selftest/perfbuffers => single selftest build (static libbpf)
    $ make -C selftest/perfbuffers run-dynamic => single selftest run (dynamic libbpf)
    $ make selftest-static-run => will build & run all static selftests
    

    Note 01: dynamic builds need your OS to have a recent enough libbpf package (and its headers) installed. Sometimes, recent features might require the use of backported OS packages in order for your OS to contain latest libbpf features (sometimes required by libbpfgo).

    Note 02: static builds need git submodule init first. Make sure to sync the libbpf git submodule before trying to statically compile or test the libbpfgo repository.

    opened by rafaeldtinoco 27
  • "operation not permitted" errors for batch operations

    I have been trying to debug the reason for this, but so far I haven't managed to be successful. Thus, I'm asking for help.

    We try to use GetValuesAndBatch and it receives "operation not permitted" error.

    https://github.com/parca-dev/parca-agent/blob/bd9807a3a0e16302b5944d570967ef5a828dfc80/pkg/profiler/profiler.go#L344-L358

    I have tried to bump the rlimits (usually that's the culprit under this error) but no luck with that either https://github.com/parca-dev/parca-agent/blob/bd9807a3a0e16302b5944d570967ef5a828dfc80/pkg/profiler/profiler.go#L623-L642

    Do you happen to have any pointers or guideline for me to further debug this? Or could this be related to error handling?

    opened by kakkoyun 17
  • Use map definition for key and value sizes instead of arguments

    Previously this was quite error prone and somewhat unnecessary, as one had to keep sizes consistent in Go and C code, but we can actually read the sizes from the map definition improving developer experience and making the API less error prone.

    Already verified these changes in my usage of libbpfgo.

    @grantseltzer @yanivagman @eyakubovich

    opened by brancz 12
  • Tracepoint naming isn't libbpf 1:1

    The libbpf convention is to split the tracepoint SEC name using slash / as separator.

    https://github.com/libbpf/libbpf/blob/a3c0cc19d4b93cb0b7088c5604b0cec1c6863fde/src/libbpf.c#L9433-L9456

    In a different way, libbpfgo is using colon : as separator.

    https://github.com/aquasecurity/libbpfgo/blob/20c69197ee3bf24e6b6aaa732fe2bfc766a0b314/libbpfgo.go#L755-L762

    opened by geyslan 11
  • Standardize error checking across libbpfgo

    This handles correcting how we check errors in libbpfgo in accordance with how libbpf recommends handling errors leading into libbpf.

    Particularly this follows the following rules:

    • APIs that return an error code (int) should have error codes checked directly. The error codes correspond with error codes in the syscall package.

      For example:

      errCodeInt := C.libbpf_api_function()
      if errCodeInt != 0 {
        // libbpf returns a negative errno value, so negate it before converting
        log.Errorf("uh oh: %s\n", syscall.Errno(-errCodeInt))
      }
      
    • APIs that return a pointer should be checked for NULL which indicates error. The error code is stored in errno. We can get the value of errno using the second return.

      For example:

      ptr, errno := C.libbpf_api_function()
      if ptr == nil {
        log.Errorf("uh oh: %s\n", errno)
      }
      

      We can also check if errno corresponds with a specific error (it implements the standard error interface).

      For example:

      ptr, errno := C.libbpf_api_function()
      if ptr == nil {
        // errno is an error value, so compare it with errors.Is
        if errors.Is(errno, syscall.ENOENT) {
           // handle accordingly
        } else {
          log.Errorf("uh oh: %s\n", errno)
        }
      }
      
      

    Signed-off-by: grantseltzer [email protected]

    opened by grantseltzer 9
  • Add `no_bpf` build tag to disable the dependencies

    To be able to use libbpfgo optionally in projects we require a build tag to disable the third party cgo dependencies. This can be now done as opt-out by using the no_bpf build tag.

    opened by saschagrunert 7
  • BTF: support providing external kconfig

    When running libbpf in an environment where BTF is enabled, it requires having kconfig data which is read from either /proc/config.gz or /boot/config-xxx. When working from a container in an environment where kconfig is located under /boot and it is not mounted, libbpf might fail to load the BPF object. To avoid this situation, we can expand libbpfgo to support providing extra kconfig values and give it as an argument to libbpf. See https://github.com/libbpf/libbpf/blob/master/src/libbpf.h#L96

    opened by yanivagman 7
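
A preflight check for the situation this issue describes, as an added example that is not part of the issue or of libbpfgo: it reads kconfig from an explicit path, /proc/config.gz or /boot/config-<release>, detects gzip by its magic bytes, and reports which required options are missing. The override parameter, the list of required options and the sample config are assumptions constructed for illustration.

```go
package main

import (
	"bufio"
	"bytes"
	"compress/gzip"
	"fmt"
	"io"
	"os"
	"strings"
)

// sampleConfig is constructed data in kconfig format, not a real kernel's.
const sampleConfig = `CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_DEBUG_INFO_BTF is not set
CONFIG_LOCALVERSION="-constructed"
`

// parseKconfig collects CONFIG_*=value lines. Comment lines, including
// "# CONFIG_X is not set", are skipped, so unset options are simply absent.
func parseKconfig(r io.Reader) (map[string]string, error) {
	opts := make(map[string]string)
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		eq := strings.IndexByte(line, '=')
		if eq < 0 || !strings.HasPrefix(line, "CONFIG_") {
			continue
		}
		opts[line[:eq]] = strings.Trim(line[eq+1:], `"`)
	}
	return opts, sc.Err()
}

// readKconfig parses plain text (/boot/config-*) or gzip (/proc/config.gz),
// detected by the gzip magic bytes rather than by file name.
func readKconfig(r io.Reader) (map[string]string, error) {
	br := bufio.NewReader(r)
	if magic, err := br.Peek(2); err == nil && magic[0] == 0x1f && magic[1] == 0x8b {
		zr, err := gzip.NewReader(br)
		if err != nil {
			return nil, err
		}
		defer zr.Close()
		return parseKconfig(zr)
	}
	return parseKconfig(br)
}

// missingOptions returns the required options that are neither =y nor =m.
func missingOptions(cfg map[string]string, required []string) []string {
	var missing []string
	for _, name := range required {
		if v := cfg[name]; v != "y" && v != "m" {
			missing = append(missing, name)
		}
	}
	return missing
}

// loadKconfig tries the override path first (a hypothetical parameter; an
// empty string fails to open and is skipped), then the two standard locations.
func loadKconfig(override string) (map[string]string, string, error) {
	paths := []string{override, "/proc/config.gz"}
	if rel, err := os.ReadFile("/proc/sys/kernel/osrelease"); err == nil {
		paths = append(paths, "/boot/config-"+strings.TrimSpace(string(rel)))
	}
	for _, p := range paths {
		f, err := os.Open(p)
		if err != nil {
			continue // absent or not mounted in this container; try the next
		}
		cfg, err := readKconfig(f)
		f.Close()
		return cfg, p, err
	}
	return nil, "", fmt.Errorf("no kconfig found, tried %q", paths)
}

// gzipBytes compresses s so the sample can stand in for /proc/config.gz.
func gzipBytes(s string) []byte {
	var buf bytes.Buffer
	zw := gzip.NewWriter(&buf)
	zw.Write([]byte(s))
	zw.Close()
	return buf.Bytes()
}

func main() {
	required := []string{"CONFIG_BPF", "CONFIG_BPF_SYSCALL", "CONFIG_DEBUG_INFO_BTF"}
	cfg, _ := readKconfig(bytes.NewReader(gzipBytes(sampleConfig)))
	fmt.Println("constructed sample: missing", missingOptions(cfg, required))
	cfg, path, err := loadKconfig("") // "" means no override path
	fmt.Println(path, "missing", missingOptions(cfg, required), "error:", err)
}
```

Running the check before loading the BPF object turns a load failure inside the container into a message that names the unreadable or incomplete kconfig.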
  • Handle errno better and enoent better for batch operations

    Details in the commits but essentially we should only check errno if we detect an error condition (commit 1) and we should also still return information from batch operations even if we get ENOENT because that just means we've read everything. Not returning the information to the user will cause that data to be lost.

    opened by derekparker 6
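
The rules from the error-checking pull request above and the ENOENT handling described in this one, as an added Go example that is not libbpfgo code: return codes and errno values are wrapped into errors usable with errors.Is, errno is read only on failure, and a batch read keeps the final partial batch. fakeMap and its lookupBatch method are constructed stand-ins for the cgo calls, so the example runs without libbpf or privileges.

```go
package main

import (
	"errors"
	"fmt"
	"syscall"
)

// errFromCode applies the first rule: an int return is 0 on success and a
// negative errno value on failure.
func errFromCode(op string, rc int) error {
	if rc == 0 {
		return nil
	}
	if rc > 0 {
		return fmt.Errorf("%s: unexpected positive return %d", op, rc)
	}
	return fmt.Errorf("%s: %w", op, syscall.Errno(-rc))
}

// errFromPtr applies the second rule: errno is consulted only when the
// returned pointer is NULL, because errno can hold a stale value on success.
func errFromPtr(op string, ptrIsNil bool, errno error) error {
	if !ptrIsNil {
		return nil
	}
	if errno == nil {
		return fmt.Errorf("%s: NULL result without errno", op)
	}
	return fmt.Errorf("%s: %w", op, errno)
}

// fakeMap is a constructed stand-in for a kernel BPF map.
type fakeMap struct {
	values []uint32
	denied bool // simulate a caller that lacks permission
}

// lookupBatch imitates a batch lookup: it copies up to len(out) values and
// returns -ENOENT on the call that reaches the end of the map, even when
// that same call also copied values.
func (m *fakeMap) lookupBatch(cursor *int, out []uint32) (n int, rc int) {
	if m.denied {
		return 0, -int(syscall.EPERM)
	}
	n = copy(out, m.values[*cursor:])
	*cursor += n
	if *cursor >= len(m.values) {
		return n, -int(syscall.ENOENT)
	}
	return n, 0
}

// readAll drains the map. ENOENT means "everything has been read", so the
// final partial batch is kept and no error is reported to the caller.
func readAll(m *fakeMap, batchSize int) ([]uint32, error) {
	if batchSize <= 0 {
		return nil, errFromCode("lookup batch", -int(syscall.EINVAL))
	}
	var all []uint32
	buf := make([]uint32, batchSize)
	cursor := 0
	for {
		n, rc := m.lookupBatch(&cursor, buf)
		err := errFromCode("lookup batch", rc)
		switch {
		case err == nil:
			all = append(all, buf[:n]...)
		case errors.Is(err, syscall.ENOENT):
			return append(all, buf[:n]...), nil
		default:
			return all, err // e.g. "operation not permitted"
		}
	}
}

func main() {
	vals, err := readAll(&fakeMap{values: []uint32{10, 20, 30, 40, 50}}, 2)
	fmt.Println(vals, err)

	_, err = readAll(&fakeMap{denied: true}, 2)
	fmt.Println(err, errors.Is(err, syscall.EPERM))
}
```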
  • Link Detach support is missing

    I've just spoken to @rafaeldtinoco and there might be a need for us to support detaching/unloading of specific eBPF program links without closing the object (and consequently its other relations).

    opened by geyslan 6
  • examples: Add tcpconnect as a libbpfgo example

    $ make -C examples/tcpconnect

    will build:

    • tcpconnect-static
    • tcpconnect-dynamic
    • tcpconnect-go-static
    • tcpconnect-go-dynamic

    as an example on how to use libbpfgo (or libbpf) to probe kernel function "tcp_connection" and get data from it.

    opened by rafaeldtinoco 6
  • Remove kprobe legacy logic once upstream accepts it

    Discussing libbpf: add legacy kprobe attach support at:

    https://github.com/libbpf/libbpf/issues/317

    libbpfgo "cgo: attach_kprobe_legacy" and "doAttachKprobeLegacy" logic should be removed once libbpf accepts that patch.

    opened by rafaeldtinoco 6
  • Combine BPFMap.Update and BPFMap.UpdateValueFlags

    In https://github.com/aquasecurity/libbpfgo/pull/154 we added a new helper that lets the user pass flags to bpf_map_update_elem. This was to not break the API, but in reality we can just have the one function.

    API Break 
    opened by grantseltzer 0
  • `make clean` does not remove output directory

    [*] make clean
    SELFTESTERR=0; for DIR in ./selftest/iterators ./selftest/map-pin-info ./selftest/map-update ./selftest/perfbuffers ./selftest/ringbuffers ./selftest/uprobe ./selftest/version ./selftest/map-batch ./selftest/tcpconnect ./selftest/tc ./selftest/create-map ./selftest/error-handling ./selftest/spinlocks ./selftest/percpu ./selftest/set-attach ./selftest/tracing ./selftest/probe-features ./selftest/object-iterator ./selftest/atomic-operations ./selftest/xdp; do echo "INFO: entering $DIR..."; make -j8 -C $DIR  clean || SELFTESTERR=1; done; if [ $SELFTESTERR -eq 1 ]; then exit 1; fi
    INFO: entering ./selftest/iterators...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/iterators'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/iterators'
    INFO: entering ./selftest/map-pin-info...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/map-pin-info'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/map-pin-info'
    INFO: entering ./selftest/map-update...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/map-update'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/map-update'
    INFO: entering ./selftest/perfbuffers...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/perfbuffers'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/perfbuffers'
    INFO: entering ./selftest/ringbuffers...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/ringbuffers'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/ringbuffers'
    INFO: entering ./selftest/uprobe...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/uprobe'
    rm -f *.o main-static main-dynamic ctest gotest
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/uprobe'
    INFO: entering ./selftest/version...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/version'
    make[1]: *** No rule to make target 'clean'.  Stop.
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/version'
    INFO: entering ./selftest/map-batch...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/map-batch'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/map-batch'
    INFO: entering ./selftest/tcpconnect...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/tcpconnect'
    make[1]: *** No rule to make target 'clean'.  Stop.
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/tcpconnect'
    INFO: entering ./selftest/tc...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/tc'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/tc'
    INFO: entering ./selftest/create-map...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/create-map'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/create-map'
    INFO: entering ./selftest/error-handling...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/error-handling'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/error-handling'
    INFO: entering ./selftest/spinlocks...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/spinlocks'
    make[1]: *** No rule to make target 'clean'.  Stop.
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/spinlocks'
    INFO: entering ./selftest/percpu...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/percpu'
    make[1]: *** No rule to make target 'clean'.  Stop.
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/percpu'
    INFO: entering ./selftest/set-attach...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/set-attach'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/set-attach'
    INFO: entering ./selftest/tracing...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/tracing'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/tracing'
    INFO: entering ./selftest/probe-features...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/probe-features'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/probe-features'
    INFO: entering ./selftest/object-iterator...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/object-iterator'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/object-iterator'
    INFO: entering ./selftest/atomic-operations...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/atomic-operations'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/atomic-operations'
    INFO: entering ./selftest/xdp...
    make[1]: Entering directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/xdp'
    rm -f *.o *-static *-dynamic
    make[1]: Leaving directory '/home/rotscale/go/src/github.com/aquasecurity/libbpfgo/selftest/xdp'
    make: *** [Makefile:163: selftest-clean] Error 1
    
    fedo rotscale in ~> libbpfgo on ~> upgrade-libbpf-v0.8.0 
    [*] ls                                                                                                                                                                                    2 ↵
    dist  docs  go.mod  go.sum  helpers  libbpf  libbpf_cb.go  libbpfgo.go  libbpfgo_test.go  LICENSE  Makefile  output  Readme.md  samples  selftest  testing
    
    bug 
    opened by grantseltzer 0
  • Rewrite and simplify makefiles

    The makefile system for the selftests and dynamic building is somewhat complex, it can be simplified if we can mirror the makefiles in tracee: https://github.com/aquasecurity/tracee/tree/main/builder

    opened by grantseltzer 0
  • PoC of checking available kernel features to determine what bpf programs to load

    See samples/feature-detect/README.md

    Note that the intention isn't to merge this into libbpfgo as is, I would remove reference to tracee before that, but it would be good to have as a sample. This is just a convenient way of discussing the PoC.

    PR/draft 
    opened by grantseltzer 0
  • selftests/tcpconnect needs fixing

    @grantseltzer

    We need to run selftests each PR. I would recommend us running staticchecker and gofmt/govet as well (check https://github.com/aquasecurity/tracee/pull/1734/ for examples). I'll try to fix this soon.

    clang -g -O2 -Wall -fpie -Wno-unused-variable -Wno-unused-function -target bpf -D__TARGET_ARCH_amd64 -I../../output -c main.bpf.c -o main.bpf.o
    CC=clang \
    	CGO_CFLAGS="-I/home/rafaeldtinoco/work/ebpf/libbpfgo-review/output" \
    	CGO_LDFLAGS="-lelf -lz /home/rafaeldtinoco/work/ebpf/libbpfgo-review/output/libbpf.a" \
    	GOOS=linux GOARCH=amd64 \
    	go build \
    	-tags netgo -ldflags '-w -extldflags "-static"' \
    	.
    make[2]: Leaving directory '/home/rafaeldtinoco/work/ebpf/libbpfgo-review'
    main.bpf.c:191:5: error: Must specify a BPF target arch via __TARGET_ARCH_xxx
    int BPF_KPROBE(tcp_connect, struct sock *sk)
        ^
    ../../output/bpf/bpf_tracing.h:444:20: note: expanded from macro 'BPF_KPROBE'
            return ____##name(___bpf_kprobe_args(args));                        \
                              ^
    ../../output/bpf/bpf_tracing.h:424:41: note: expanded from macro '___bpf_kprobe_args'
    #define ___bpf_kprobe_args(args...)     ___bpf_apply(___bpf_kprobe_args, ___bpf_narg(args))(args)
                                            ^
    ../../output/bpf/bpf_helpers.h:157:29: note: expanded from macro '___bpf_apply'
    #define ___bpf_apply(fn, n) ___bpf_concat(fn, n)
                                ^
    note: (skipping 2 expansions in backtrace; use -fmacro-backtrace-limit=0 to see all)
    ../../output/bpf/bpf_tracing.h:419:72: note: expanded from macro '___bpf_kprobe_args1'
    #define ___bpf_kprobe_args1(x)          ___bpf_kprobe_args0(), (void *)PT_REGS_PARM1(ctx)
                                                                           ^
    ../../output/bpf/bpf_tracing.h:310:29: note: expanded from macro 'PT_REGS_PARM1'
    #define PT_REGS_PARM1(x) ({ _Pragma(__BPF_TARGET_MISSING); 0l; })
                                ^
    <scratch space>:21:6: note: expanded from here
     GCC error "Must specify a BPF target arch via __TARGET_ARCH_xxx"
         ^
    1 error generated.
    make[1]: *** [Makefile:63: main.bpf.o] Error 1
    make[1]: Leaving directory '/home/rafaeldtinoco/work/ebpf/libbpfgo-review/selftest/tcpconnect'
    
    opened by rafaeldtinoco 0
Releases(v0.2.5-libbpf-0.7.0)
  • v0.2.5-libbpf-0.7.0(Mar 2, 2022)

    v0.2.5-libbpf-0.7.0 contains various new helpers, APIs, and code improvements as well as official support for libbpf v0.7.0!

    What's Changed

    • Add version API by @saschagrunert in https://github.com/aquasecurity/libbpfgo/pull/125
    • helpers: Added dynamic symbol resolver by @guyarb in https://github.com/aquasecurity/libbpfgo/pull/128
    • argumentParsers: precompile argument and string maps by @NDStrahilevitz in https://github.com/aquasecurity/libbpfgo/pull/130
    • Error handling fixes by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/127
    • introduce kernelsyms helper by @itamarmaouda101 in https://github.com/aquasecurity/libbpfgo/pull/133
    • Compile tracee submodule against local libbpfgo by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/126
    • Fix selftest with deprecated api by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/134
    • Update libbpf to v0.7.0 by @saschagrunert in https://github.com/aquasecurity/libbpfgo/pull/131
  • v0.2.4-libbpf-0.6.1(Jan 21, 2022)

    v0.2.4-libbpf-0.6.1 is being released to revert changes to error handling that were introduced in the previous release. It reverts commits 088c6393 and 3a827b2 but keeps all other parts of the previous release. It also contains small fixes and properly bumps the libbpf submodule to 0.6.1.

  • v0.2.3-libbpf-0.6.1(Jan 11, 2022)

    v0.2.3-libbpf-0.6.1 is a small but impactful release that contains newly implemented libbpf apis, adds many new helper functions, and various quality of life fixes.

    Breaking changes

    • #89 contains breaking changes to the helper functions used for parsing system call arguments

    New APIs

    • Map batch operations (#97)
    • Program pinning (#96)

    New Helpers

    • Parsing of raw arguments from system calls (#89)
    • Security lockdown type detection (#103)
  • v0.2.2-libbpf-0.5.0(Nov 29, 2021)

    v0.2.2-libbpf-0.5.0 contains various new helpers, documentation additions, and bug fixes. This includes official support for libbpf v0.5.0.

    See here for information about how we semantically version libbpfgo releases.

    What's Changed

    • Fix error message in BPFMap.Update by @derekparker in https://github.com/aquasecurity/libbpfgo/pull/29
    • Change BPFMap method Update to unsafe.Pointer by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/32
    • Makefile: improvements by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/28
    • Fix iterators selftest to use updated unsafe Pointer API by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/36
    • New helper (getter) functions and some refactoring by @geyslan in https://github.com/aquasecurity/libbpfgo/pull/41
    • fix potential memory leaks by @yanivagman in https://github.com/aquasecurity/libbpfgo/pull/46
    • Makefile: download libbpf submodule when not found by @geyslan in https://github.com/aquasecurity/libbpfgo/pull/44
    • examples: Add tcpconnect as a libbpfgo example by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/45
    • Add section in README about release versioning by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/47
    • Fix init_perf_buf error handling by @josedonizetti in https://github.com/aquasecurity/libbpfgo/pull/49
    • Initial BTF support by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/50
    • libbpfgo: change BPFProg.GetFd() return to int Go type by @geyslan in https://github.com/aquasecurity/libbpfgo/pull/52
    • helpers: add initial btfinfo by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/53
    • libbpfgo: run lint tool and fix issues by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/54
    • kernel_features: bring MissingKernelConfigOptions to helper by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/57
    • checking if new operation in newbtfino succeeded by @mtcherni95 in https://github.com/aquasecurity/libbpfgo/pull/59
    • kernel_features: fix tests for new KernelConfig by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/58
    • kernel_features: fix kconfig file read logic for procfs config.gz by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/63
    • osinfo and kernel_features (kernel_config) refactoring and improvements by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/67
    • helpers/kernel_config.go: allow kconfig files logic by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/70
    • Add BPFLink.Destroy by @derekparker in https://github.com/aquasecurity/libbpfgo/pull/69
    • Update README for semantic versioning by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/71
    • address kconfig post merge issues and document api by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/73
    • Updates by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/76
    • Remove soon to be deprecated resize api by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/79
    • libbpfgo: make AttachTracepoint() signature 1:1 with libbpf by @geyslan in https://github.com/aquasecurity/libbpfgo/pull/77
    • libbpfgo: do not set btf_custom_path when no BTF is given by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/82
    • Fix NewModuleFromBuffer by @derekparker in https://github.com/aquasecurity/libbpfgo/pull/83
    • Introduce GetFd() for BPFLink by @geyslan in https://github.com/aquasecurity/libbpfgo/pull/78
    • selftests: ringbuffers: give time to ringbuffer consumer by @geyslan in https://github.com/aquasecurity/libbpfgo/pull/86
    • helpers/osinfo: host architecture detection by @rafaeldtinoco in https://github.com/aquasecurity/libbpfgo/pull/87
    • Add helper to check if ftrace is enabled by @grantseltzer in https://github.com/aquasecurity/libbpfgo/pull/94

    New Contributors

    • @derekparker made their first contribution in https://github.com/aquasecurity/libbpfgo/pull/29
    • @rafaeldtinoco made their first contribution in https://github.com/aquasecurity/libbpfgo/pull/28
    • @geyslan made their first contribution in https://github.com/aquasecurity/libbpfgo/pull/41
    • @josedonizetti made their first contribution in https://github.com/aquasecurity/libbpfgo/pull/49
    • @mtcherni95 made their first contribution in https://github.com/aquasecurity/libbpfgo/pull/59

    Full Changelog: https://github.com/aquasecurity/libbpfgo/compare/v0.1.1...v0.2.2-libbpf-0.5.0

  • v0.2.1-libbpf-0.4.0(Sep 3, 2021)

    • Extensions to the API for libbpf including the ability to support custom BTF files
    • An overhaul to helpers for checking kernel config
    • Minor bug fixes

    See here for information about how we semantically version libbpfgo releases.

    List of changes

    29bc86e - Add BPFLink.Destroy (#69) (Derek Parker)
    1d1da58 - helpers/common: nit fix: gotfmt (Rafael David Tinoco)
    efc3f40 - helpers/kernel_config: AddCustomKernelConfigs prototype change (Rafael David Tinoco)
    dc406ff - helpers/kernel_config: force KernelConfigOption type to be used (Rafael David Tinoco)
    b137715 - helpers/kernel_config: add custom KernelConfigOption's to the logic (Rafael David Tinoco)
    3179924 - helpers/kernel_config.go: create export kConfigFilePath through function (Rafael David Tinoco)
    0ccd53e - helpers/osinfo: export functions to access internal fields (Rafael David Tinoco)
    a453321 - helpers/common: move CompareKernelRelease to common (Rafael David Tinoco)
    afc530e - helpers/osinfo: unexport internal types (Rafael David Tinoco)
    4dd0441 - helpers/common: make UnameRelease() a common function (Rafael David Tinoco)
    3c1567b - helpers/osinfo: osinfo refactoring for env variable (Rafael David Tinoco)
    95380e5 - helpers/kernel_config: kernel_features refactoring (Rafael David Tinoco)
    59c9cc3 - helpers/common: functions common to all helpers (Rafael David Tinoco)
    43fae25 - helpers/btfinfo: rename to osinfo and improve API (Rafael David Tinoco)
    1e07685 - helpers/kernel_features: allow kconfig override (Rafael David Tinoco)
    5fde94f - kernel_features: fix kconfig file read logic for procfs config.gz (Rafael David Tinoco)
    7b38633 - kernel_features: fix tests for new KernelConfig (Rafael David Tinoco)
    c3b9bd6 - checking if new operation in newbtfino succeeded (Michael Tcherniack)
    a2a0e13 - kernel_features: bring MissingKernelConfigOptions to helper (#57) (Rafael David Tinoco)
    0bbee70 - libbpfgo: run lint tool and fix issues (#54) (Rafael David Tinoco)
    e8b2d25 - helpers: add initial btfinfo (Rafael David Tinoco)
    0438957 - libbpfgo: change BPFProg.GetFd() return to int Go type (Geyslan G. Bem)
    871dc67 - libbpfgo: support external BTF files (Rafael David Tinoco)
    239e902 - libbpf: update to latest to have btf_custom_path support (Rafael David Tinoco)
    391db95 - Fix init_perf_buf error handling (Jose Donizetti)

  • v0.2.0-libbpf_0.4.0(Aug 3, 2021)

    THIS RELEASE CONTAINS BREAKING CHANGES!

    See #32 for all details on the breaking change, but the following API methods are affected:

    • BPFMap.DeleteKey
    • BPFMap.Update
    • BPFMap.GetValue

    This release comes with added helper functions, additional selftests and various improvements. There are many new makefile build targets for added flexibility for using libbpfgo in your project.

    This is also the first release of our new release versioning scheme. See #47.

    List of Changes:

    c500b62 - Add section in README about release versioning (#47) (grantseltzer)
    cd17c66 - examples: Add tcpconnect as a libbpfgo example (#45) (Rafael David Tinoco)
    00b656d - Makefile: download libbpf submodule when not found (#44) (Geyslan)
    95bc2ee - fix potential memory leaks (Yaniv Agman)
    770570f - save some cycles (Geyslan G. Bem)
    e6b569a - add selftest/map-pin-info (Geyslan G. Bem)
    bd1fb6b - add new GetModule() helper function (Geyslan G. Bem)
    d0f3751 - add new helper (getter) functions (Geyslan G. Bem)
    c97a3be - Fix iterators selftest to use updated unsafe Pointer API (#36) (grantseltzer)
    a683635 - Makefile: improvements (#28) (Rafael David Tinoco)
    4928d36 - Change BPFMap method Update to unsafe.Pointer (#32) (grantseltzer)
    8ce3840 - Fix error message in BPFMap.Update (#29) (Derek Parker)

  • v0.1.1 (Jun 15, 2021)

    The main new feature of this release is support for loading/attaching of tc bpf programs.

    • Adds support for tc programs
    • Adds support for uprobe programs
    • Selftests
    • Improved logo
    • Improved README
  • v0.1.0 (May 19, 2021)

    An initial baseline release which includes the following features:

    • Loading of bpf objects to initialize a type Module.
    • Attachment of bpf programs to hooks of the following types:
      • Kprobe
      • Kretprobe
      • LSM
      • Raw tracepoint
      • tracepoint
    • A generic BPFMap mechanism for interacting with (updating, getting values, deleting keys, iterating, resizing,...) bpf maps.
    • Reading of perf buffers and ring buffers

    See the discussion here about moving libbpfgo to its own repository from tracee.

Owner
Aqua Security
Full lifecycle security for containers and cloud-native applications
eBPF-based EDR for Linux

ebpf-edr A proof-of-concept eBPF-based EDR for Linux Seems to be working fine with the 20 basic rules implemented. Logs the alerts to stdout at the mo

null 16 May 6, 2022
A distributed Layer 2 Direct Server Return (L2DSR) load balancer for Linux using XDP/eBPF

VC5 A distributed Layer 2 Direct Server Return (L2DSR) load balancer for Linux using XDP/eBPF This is very much a proof of concept at this stage - mos

David Coles 29 Jun 21, 2022
SailFirewall - Linux firewall powered by eBPF and XDP

SailFirewall Linux firewall powered by eBPF and XDP Requirements Go 1.16+ Linux

Hevienz 0 May 4, 2022
eBPF based TCP observability.

TCPDog is a total solution from exporting TCP statistics from Linux kernel by eBPF very efficiently to store them at your Elasticsearch or InfluxDB da

Mehrdad Arshad Rad 189 Jun 16, 2022
A tool based on eBPF, prometheus and grafana to monitor network connectivity.

Connectivity Monitor Tracks the connectivity of a kubernetes cluster to its api server and exposes meaningful connectivity metrics. Uses ebpf to obser

Gardener 20 Jun 2, 2022
Library to work with eBPF programs from Go

Go eBPF A nice and convenient way to work with eBPF programs / perf events from Go. Requirements Go 1.10+ Linux Kernel 4.15+ Supported eBPF features e

Dropbox 933 Jun 28, 2022
eBPF Library for Go

eBPF eBPF is a pure Go library that provides utilities for loading, compiling, and debugging eBPF programs. It has minimal external dependencies and i

Cilium 2.9k Jun 20, 2022
Trace Go program execution with uprobes and eBPF

Weaver PLEASE READ! - I am currently refactoring Weaver to use libbpf instead of bcc which would include various other major improvements. If you're c

grantseltzer 242 Jun 18, 2022
Edb - An eBPF program debugger

EDB (eBPF debugger) edb is a debugger(like gdb and dlv) for eBPF programs. Norma

null 121 Jun 8, 2022
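An eBPF tool to watch traffic

watch-dog watch-dog uses eBPF to listen to traffic on a specified network interface for out-of-band traffic inspection, and uses the graph database neo4j to store the traffic relationships between nodes. Get go get github.com/TomatoMr/watch-dog Install make build Usage sudo ./w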

null 0 Feb 5, 2022
Seesaw v2 is a Linux Virtual Server (LVS) based load balancing platform.

Seesaw v2 Note: This is not an official Google product. About Seesaw v2 is a Linux Virtual Server (LVS) based load balancing platform. It is capable o

Google 5.4k Jun 24, 2022
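A downloader for the Tianyi Cloud (189 Cloud) drive with no speed limit. (Supports share-link downloads; supports Windows, Linux, macOS) Based Go.

189Cloud-Downloader A downloader for the Tianyi Cloud (189 Cloud) drive with no speed limit. (Supports share-link downloads; supports Windows, Linux, macOS) Based Go. Usage instructions NAME: 189Cloud-Downloader - 一个189云盘的下载器。(支持分享链接) USAGE: 189Cl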

Otokaze 207 Jun 20, 2022
A simple Go library to toggle on and off pac(proxy auto configuration) for Windows, MacOS and Linux

pac pac is a simple Go library to toggle on and off pac(proxy auto configuration

null 0 Dec 26, 2021
Library for directly interacting and controlling an Elgato Stream Deck on Linux.

Stream Deck Library for directly interacting and controlling an Elgato Stream Deck on Linux. This library is designed to take exclusive control over a

Matthew Penner 3 Jan 23, 2022
A Go package for sending and receiving ethernet frames. Currently supporting Linux, Freebsd, and OS X.

ether ether is a go package for sending and receiving ethernet frames. Currently supported platform: BPF based OS X FreeBSD AF_PACKET based Linux Docu

Song Gao 77 Jun 20, 2022
netstat-nat - Display NAT entries on Linux systems

netstat-nat This is a reimplementation of the netstat-nat tool, written entirely in Go. It uses the same command line flags and almost the same output

Dominik Honnef 17 Oct 26, 2021
Automatically spawn a reverse shell fully interactive for Linux or Windows victim

Girsh (Golang Interactive Reverse SHell) Who didn't get bored of manually typing the few lines to upgrade a reverse shell to a full interactive revers

null 265 Jun 27, 2022
Experimental system call tracer for Linux x86-64, written in Go

gtrace A system call tracer for Linux x86-64. DISCLAIMER: This software is experimental and not considered stable. Do not use it in mission-critical e

Agis Anastasopoulos 74 Mar 28, 2022
OliveTin is a web interface for running Linux shell commands.

OliveTin OliveTin is a web interface for running Linux shell commands. Some example use cases; Give controlled access to run shell commands to less te

OliveTin 670 Jun 26, 2022