Hello World!

Last Update : 21 December, 2023 | Published : 13 April, 2023 | 2 Min Read

Info

Here is the GitHub link to the code: hello_world-demo

Our eBPF program depends on a few header files. Run the following commands to place them in your current project location.

bpftool btf dump file /sys/kernel/btf/vmlinux format c > headers/vmlinux.h

This header file provides definitions for data types, data structures and other kernel-related information. This step is also known as dumping the kernel's BTF (BPF Type Format).

cp /usr/include/bpf/bpf_helpers.h headers/bpf_helpers.h && 
cp /usr/include/bpf/bpf_helper_defs.h headers/bpf_helper_defs.h

These header files provide definitions for the Linux ABIs and for the different types of helper functions that are available.

User space and kernel space part

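//go:build ignore

#include "vmlinux.h"
#include "bpf_helpers.h"

// Runs on every entry to the execve syscall.
// The function name must stay "execve": bpf2go exposes it to Go as bpfObjects.Execve.
SEC("tp/syscalls/sys_enter_execve")
int execve(void *ctx) {
   bpf_printk("Hello World! I am triggered by enter point of execve.");
   return 0;
}

// bpf_printk relies on a GPL-only helper, so the license must be GPL-compatible.
char _license[] SEC("license") = "Dual MIT/GPL";

This is our kernel-space program. It is triggered every time the execve syscall is invoked.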

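package main

//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags $BPF_CFLAGS bpf index.bpf.c -- -I./headers

import (
	"fmt"
	"os"
	"os/signal"
	"syscall"

	"github.com/cilium/ebpf/link"
)

func main() {
	// bpfObjects and loadBpfObjects are generated by bpf2go (see go generate).
	ebpfObj := bpfObjects{}
	err := loadBpfObjects(&ebpfObj, nil)
	if err != nil {
		panic(err)
	}
	defer ebpfObj.Close()

	// Attach the program to the syscalls:sys_enter_execve tracepoint.
	hook, err := link.Tracepoint("syscalls", "sys_enter_execve", ebpfObj.Execve, nil)
	if err != nil {
		panic(err)
	}
	defer hook.Close()

	fmt.Println("Waiting for event to trigger!")

	// Block until Ctrl+C or SIGTERM instead of spinning in an empty loop,
	// so the deferred Close calls detach and unload the program on exit.
	stop := make(chan os.Signal, 1)
	signal.Notify(stop, os.Interrupt, syscall.SIGTERM)
	<-stop
}

This is our user-space program. It loads the eBPF program, attaches it to the hook, and waits until we terminate the program.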

Compilation

To compile this program we follow the approach defined by cilium/ebpf.

//go:generate go run github.com/cilium/ebpf/cmd/bpf2go -cc clang -cflags $BPF_CFLAGS bpf index.bpf.c -- -I./headers

This line is responsible for compiling the kernel-space code. It also generates big-endian and little-endian Go files, which provide the definitions of bpfObjects and loadBpfObjects.

go generate

This triggers the line above, which compiles the kernel-space code and generates the definitions for the eBPF objects.

go build -o demo

This builds the code and generates an executable named demo.


Execution

sudo ./demo

Output

In order to see the print statements we need to move to /sys/kernel/debug/tracing directory. Run the following command.

 cat trace_pipe | grep -i hello
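
The grep above only filters lines. As an added example (not part of the original demo), this Go program parses trace_pipe lines into task name, PID and message, then counts the Hello World events per task. It assumes the usual ftrace line layout shown in the comment; Event, ParseLine, CountByComm and the sample lines are constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Event is one bpf_printk record as printed in trace_pipe.
type Event struct {
	Comm, Msg string
	PID       int
}

// Assumed layout: COMM-PID [CPU] FLAGS TIMESTAMP: bpf_trace_printk: MESSAGE
// COMM may contain '-', so the greedy (.+) leaves only the last "-digits" for PID.
var lineRE = regexp.MustCompile(`^\s*(.+)-(\d+)\s+\[(\d+)\]\s+\S+\s+[\d.]+:\s+bpf_trace_printk:\s?(.*)$`)

// ParseLine reports ok=false for lines that are not bpf_printk output.
func ParseLine(line string) (Event, bool) {
	m := lineRE.FindStringSubmatch(line)
	if m == nil {
		return Event{}, false
	}
	pid, _ := strconv.Atoi(m[2])
	return Event{Comm: strings.TrimSpace(m[1]), PID: pid, Msg: m[4]}, true
}

// CountByComm tallies events whose message contains needle, per task name.
func CountByComm(input, needle string) map[string]int {
	counts := map[string]int{}
	for _, l := range strings.Split(input, "\n") {
		if ev, ok := ParseLine(l); ok && strings.Contains(ev.Msg, needle) {
			counts[ev.Comm]++
		}
	}
	return counts
}

// Constructed sample lines (not captured output); the last one is another tracer's event.
const sample = `            bash-4121    [002] d..31  5231.104392: bpf_trace_printk: Hello World! I am triggered by enter point of execve.
   systemd-udevd-412     [000] d..31  5231.220117: bpf_trace_printk: Hello World! I am triggered by enter point of execve.
            bash-4122    [003] d..31  5232.000451: bpf_trace_printk: Hello World! I am triggered by enter point of execve.
            sshd-977     [001] d..2.  5232.300001: sched_switch: prev_comm=sshd prev_pid=977`

func main() {
	fmt.Println(CountByComm(sample, "Hello World!"))
}
```

The task name and PID in each line belong to the process that called execve, so the tally shows which processes are launching new programs.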