[RFC PATCH bpf-next] bpf: New bpf helpers to get perf type of [uk]probe

From: Yafang Shao <laoar.shao@gmail.com>
To: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org,
	kafai@fb.com, songliubraving@fb.com, yhs@fb.com,
	john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com,
	haoluo@google.com, jolsa@kernel.org
Cc: bpf@vger.kernel.org, Yafang Shao <laoar.shao@gmail.com>
Subject: [RFC PATCH bpf-next] bpf: New bpf helpers to get perf type of [uk]probe
Date: Wed, 21 Jun 2023 12:00:40 +0000	[thread overview]
Message-ID: <20230621120042.3903-1-laoar.shao@gmail.com> (raw)

We are utilizing BPF LSM to monitor BPF operations within our container
environment. Our goal is to examine the program type and perform the
respective audits in our LSM program.

When it comes to the perf_event BPF program, there are no specific
definitions for the perf types of kprobe or uprobe. In other words, there
is no PERF_TYPE_[UK]PROBE. It appears that defining them as UAPI at this
stage would be impractical.

Therefore, if we wish to determine whether a new BPF program created via
perf_event_open() is a kprobe or an uprobe, we need to retrieve the type in
userspace by reading /sys/bus/event_source/devices/[uk]probe/type and
subsequently store it in global variables within the LSM program. This
approach proves to be inconvenient.

Here is a short example of LSM program.

  static int perf_type_kprobe = -1; // set it from userspace
  static int perf_type_uprobe = -1; // set it from userspace

  SEC("lsm/perf_event_open")
  int BPF_PROG(perf_event_audit, struct perf_event_attr *attr, int type)
  {
      if (attr->type == perf_type_kprobe)
          return perf_event_kprobe_audit(attr);
      if (attr->type == perf_type_uprobe)
          return perf_event_uprobe_audit(attr);
      return 0;
  }

Two new BPF helpers have been introduced to enhance the functionality.
These helpers allow us to directly obtain the perf type of a kprobe or
uprobe within a BPF program.

After that change, the LSM prog as follows,

  static int perf_type_kprobe;
  static int perf_type_uprobe;

  SEC("lsm/perf_event_open")
  int BPF_PROG(perf_event_audit, struct perf_event_attr *attr, int type)
  {
      if (!perf_type_kprobe)
          perf_type_kprobe = bpf_perf_type_kprobe();
      if (!perf_type_uprobe)
          perf_type_uprobe = bpf_perf_type_uprobe();

      if (attr->type == perf_type_kprobe)
          return perf_event_kprobe_audit(attr);
      if (attr->type == perf_type_uprobe)
          return perf_event_uprobe_audit(attr);
      return 0;
  }

Yafang Shao (2):
  perf: Add perf_type_[uk]probe()
  bpf: Add two new bpf helpers bpf_perf_type_[uk]probe()

 include/linux/bpf.h            |  2 ++
 include/linux/perf_event.h     |  3 +++
 include/uapi/linux/bpf.h       | 18 ++++++++++++++++++
 kernel/bpf/core.c              |  2 ++
 kernel/bpf/helpers.c           | 23 +++++++++++++++++++++++
 kernel/events/core.c           | 18 ++++++++++++++++++
 kernel/trace/bpf_trace.c       |  4 ++++
 tools/include/uapi/linux/bpf.h | 18 ++++++++++++++++++
 8 files changed, 88 insertions(+)

-- 
1.8.3.1