Struct oxidebpf::Program

source · []
pub struct Program<'a> { /* private fields */ }
Expand description

The description of an individual eBPF program. Note: This is not the same as the eBPF program itself, the actual binary is loaded from a ProgramBlueprint.

Implementations

Create a new program specification.

You must provide the program type, the name of the program section in your blueprint’s object file (see ‘ProgramBlueprint’) and a vector of attachment points.

Note

If your blueprint contains duplicate names or if you provide multiple Programs with the same specified blueprint program, the loader will attempt to pairwise load all combinations. For example, if you have two programs kprobe/program and kretprobe/program and give the ProgramVersion two Program objects, both with program program, then the loader will attempt to load and attach each probe twice. To avoid this, give the programs in your ELF binary unique names.

Example
use oxidebpf::{Program, ProgramType};

Program::new(
    "sys_ptrace_write",
    &["do_mount"],
).optional(false).syscall(true);

Specify a pid to attach to, if this program should trace a specific pid.

The pid is mainly used for uprobes.

Specify whether or not the program is optional to load.

If the Program is optional then any encapsulating ProgramVersion will ignore any errors when attempting to load or attach it.

Specify whether or not the program is tracing a syscall.

The syscall setting is used to automatically discover syscall wrappers for the system we are running on. For example, if we want to trace sys_ptrace we may want to trace __x64_sys_ptrace instead. By setting syscall(true), oxidebpf will attempt to discover and fix this for you, and you can simply pass sys_ptrace as the attachment point.

Specify that the program should be loaded into the given tail call map at the given index.

The tail_call_index argument is used to know which indices to insert programs at in the program’s tail call map. The map that it is inserted into is the map with the given map_name. If no map exists with map_name, a runtime OxidebpfError::MapNotFound error will be thrown.

Example

If another one of your programs will tail call into this program and expects it to exist at index 5, you should call this function with 5 as the argument.

use oxidebpf::Program;

let program = Program::new(
    "my_program", &["do_mount"]
).tail_call_map_index("my_map", 5);

Optionally specify what type of program this is.

If the type specified matches what is read from the ELF file, this has no effect. If the type specified is a different, but compatible, type (e.g., kprobe and kretprobe) then the type will be “switched” and the program will be loaded as the specified type. If the types are incompatible (e.g., kprobe vs uprobe), an attempt will be made to load the program as directed, but you will likely receive an error on loading or attaching.

Example

This will tell the loader to attempt to load this program as a kretprobe, despite whatever it exists as in the ELF file.

use oxidebpf::{Program, ProgramType};

let program = Program::new(
   "my_program", &["do_mount"]
).program_type(ProgramType::Kretprobe);

Trait Implementations

Returns a copy of the value. Read more

Performs copy-assignment from source. Read more

Returns the “default value” for a type. Read more

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Performs the conversion.

Performs the conversion.

The resulting type after obtaining ownership.

Creates owned data from borrowed data, usually by cloning. Read more

🔬 This is a nightly-only experimental API. (toowned_clone_into)

Uses borrowed data to replace owned data, usually by cloning. Read more

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.