Hi,

These patches make it possible to attach BPF programs directly to tracepoints using ftrace (/sys/kernel/debug/tracing) without needing the process doing the attach to be alive. This has the following benefits:
1. Simplified Security: In Android, we have finer-grained security controls to specific ftrace trace events using SELinux labels. We control precisely who is allowed to enable an ftrace event already. By adding a node to ftrace for attaching BPF programs, we can use the same mechanism to further control who is allowed to attach to a trace event.
2. Process lifetime: In Android we are adding use cases where a tracing program needs to be attached all the time to a tracepoint, for the full lifetime of the system, such as to gather statistics, where there is no need for a detach for the full system lifetime. With perf or bpf(2)'s BPF_RAW_TRACEPOINT_OPEN, this means keeping a process alive all the time. However, in Android our BPF loader currently (for hardened security) involves just starting a process at boot time, doing the BPF program loading, and then pinning the programs to /sys/fs/bpf. We don't keep this process alive all the time. It is more suitable to do a one-shot attach of the program using ftrace and not need to have a process alive all the time anymore for this. Such a process also needs elevated privileges, since tracepoint program loading currently requires CAP_SYS_ADMIN anyway, so by design Android's bpfloader runs once at init and exits.
This series adds a new bpf file to /sys/kernel/debug/tracing/events/X/Y/bpf
The following commands can be written into it:
attach:<fd>    Attaches BPF prog fd to tracepoint
detach:<fd>    Detaches BPF prog fd from tracepoint
Reading the bpf file will show all the attached programs to the tracepoint.
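As an added example (not code from this series), the one-shot loader flow described above in C: fetch the fd of a program already pinned in bpffs, then write "attach:<fd>" to the event's bpf node and exit. The pin path, the sched/sched_switch event and the TRACEFS mount point are assumed placeholders, and the node only exists on a kernel carrying this series.

```c
/* Added example, not part of this series: one-shot attach of a program pinned
 * in bpffs to an ftrace event via the new events/<subsys>/<event>/bpf node.
 * Assumes a kernel with this series; pin path and event are placeholders. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <linux/bpf.h>

#define TRACEFS "/sys/kernel/debug/tracing"

/* Control node path: TRACEFS/events/<subsys>/<event>/bpf. */
static int event_bpf_path(const char *subsys, const char *ev, char *buf, size_t len)
{
    int n = snprintf(buf, len, TRACEFS "/events/%s/%s/bpf", subsys, ev);
    return (n < 0 || (size_t)n >= len) ? -ENAMETOOLONG : 0;
}

/* The "attach:<fd>" / "detach:<fd>" command string the node accepts. */
static int bpf_event_cmd(const char *op, int fd, char *buf, size_t len)
{
    int n = snprintf(buf, len, "%s:%d", op, fd);
    return (n < 0 || (size_t)n >= len) ? -E2BIG : 0;
}

/* Fd of a pinned program via raw bpf(2) BPF_OBJ_GET (no libbpf dependency). */
static int get_pinned_prog_fd(const char *pin_path)
{
    union bpf_attr attr;
    memset(&attr, 0, sizeof(attr));
    attr.pathname = (__u64)(unsigned long)pin_path;
    return (int)syscall(__NR_bpf, BPF_OBJ_GET, &attr, sizeof(attr));
}

/* Write "<op>:<fd>" to the event's bpf node; returns 0 or -errno.
 * After this returns, the caller may close prog_fd and exit: the attachment
 * lives in ftrace, not in this process. */
static int bpf_event_ctl(const char *subsys, const char *ev, const char *op, int prog_fd)
{
    char path[256], cmd[32];
    int ret = event_bpf_path(subsys, ev, path, sizeof(path));
    if (!ret) ret = bpf_event_cmd(op, prog_fd, cmd, sizeof(cmd));
    if (ret) return ret;
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -errno;
    ret = write(fd, cmd, strlen(cmd)) < 0 ? -errno : 0;
    close(fd);
    return ret;
}
```

A loader would call get_pinned_prog_fd("/sys/fs/bpf/<placeholder>") followed by bpf_event_ctl("sched", "sched_switch", "attach", fd), close the fd and exit; "detach" with the same fd reverses it.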
Joel Fernandes (Google) (4):
  Move bpf_raw_tracepoint functionality into bpf_trace.c
  trace/bpf: Add support for attach/detach of ftrace events to BPF
  lib/bpf: Add support for ftrace event attach and detach
  selftests/bpf: Add test for ftrace-based BPF attach/detach
 include/linux/bpf_trace.h             |  16 ++
 include/linux/trace_events.h          |   1 +
 kernel/bpf/syscall.c                  |  69 +-----
 kernel/trace/bpf_trace.c              | 225 ++++++++++++++++++
 kernel/trace/trace.h                  |   1 +
 kernel/trace/trace_events.c           |   8 +
 tools/lib/bpf/bpf.c                   |  53 +++++
 tools/lib/bpf/bpf.h                   |   4 +
 tools/lib/bpf/libbpf.map              |   2 +
 .../raw_tp_writable_test_ftrace_run.c |  89 +++++++
 10 files changed, 410 insertions(+), 58 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/prog_tests/raw_tp_writable_test_ftrace_run.c
-- 2.22.0.410.gd8fdbe21b5-goog