ebpf

I'm playing with gobpf and have got an issue with calculating a duration of traced user-space function. I use bpf_ktime_get_ns() to read time and then trying to calculate delta, but got enormous numbers, though traced function sleeps just 1 second. Here is the tested C-program, which has a function called "ameba". #include <stdio.h> #include <strings.h> #include <stdlib.h> #include <time.h> #include <unistd.h> char * ameba(char * s1, char * s2); int main(void) { time_t rawtime; struct tm * timeinfo; time(&rawtime); timeinfo = localtime(&rawtime); printf("enter: %s", asctime (timeinfo)); printf

After reading man bpf and a few other sources of documentation, I was under impression that a map can be only created by user process. However the following small program seems to magically create bpf map: struct bpf_map_def SEC("maps") my_map = { .type = BPF_MAP_TYPE_ARRAY, .key_size = sizeof(u32), .value_size = sizeof(long), .max_entries = 10, }; SEC("sockops") int my_prog(struct bpf_sock_ops *skops) { u32 key = 1; long *value; ... value = bpf_map_lookup_elem(&my_map, &key); ... return 1; } So I load the program with the kernel's tools/bpf/bpftool and also verify that program is loaded: $

To simulate some behavior I would like to attach a probe to a syscall and modify the return value when certain parameters are passed. Alternatively, it would also be enough to modify the parameters of the function before they are processes. Is this possible with BPF? I believe that attaching eBPF to kprobes/kretprobes gives you read access to function arguments and return values, but that you cannot tamper with them. I am NOT 100% sure; good places to ask for confirmation would be the IO Visor project mailing list or IRC channel (#iovisor at irc.oftc.net). As an alternative solution, I know