[SOLVED] Would it be possible to write new eBPF helper functions?

Issue

I want to write an eBPF program to attach to some kernel functions calls, and I need a new helper function that is not included now inside the kernel. Would it be possible for me to implement my own helper function? And if possible, how can I do so? Thank you.

I read the docs about eBPF but did not find much useful message.

Solution

As of now, no new helper function submissions are accepted anymore, in case you are planning on submitting your patch(es). Focus has shifted to kfuncs, which is a mechanism for calling kernel functions from eBPF, implementing and using those works a bit differently from helper functions.

If you are only planning on using a custom helper function in your own fork/build you can of-course still add new ones. I suggest looking at this commit which adds the jiffies64 helper. It is the least amount of work to do to add a new helper.

TL;DR or in case the link goes bad:

1. Add your helper name to include/uapi/linux/bpf.h as part of the #define __BPF_FUNC_MAPPER(FN) macro

2. Forward declare your function prototype in kernel/bpf/core.c

3. Define your function prototype, kernel/bpf/helpers.c is a common place for more generic helpers. Use one of the BPF_CALL_* macros depending on the amount of arguments to your helper. Define the actual logic within.

   BPF_CALL_0(bpf_jiffies64)
   {
       return get_jiffies_64();
   }
   

   Link your function above in the prototype, for field values and their meaning, take inspiration from others.

   const struct bpf_func_proto bpf_jiffies64_proto = {
       .func       = bpf_jiffies64,
       .gpl_only   = false,
       .ret_type   = RET_INTEGER,
   };
   

4. Lastly, map the function const created by step 1 to your prototype. All program types have their own list of allowed helper functions and translations, again take inspiration from others. If you want all program types to have access to your helper, add it to bpf_base_func_proto. case BPF_FUNC_jiffies64: return &bpf_jiffies64_proto;

Actually the additions in kernel/bpf/verifier.c are also not needed, this example commit inlines the function to avoid the function call, but this is not nessesery.

Depending on what you want your new function to do, you might need to do more work. I suggest picking a helper that is closely related and see how it was implemented.

I hope this gets you started.

Answered By - Dylan Reimerink

Answer Checked By - David Goodson (WPSolving Volunteer)