Struct oxidebpf::ProgramBlueprint

source · []
pub struct ProgramBlueprint { /* private fields */ }
Expand description

Structure that parses eBPF objects from an ELF object.

Implementations

Create a new ProgramBlueprint from a given series of bytes.

The bytes can come from any source, but the easiest way is to load them directly from a file. See the included examples below. The program assumes a default ABI for specifying probes and maps by section name, as used in the redcanary-ebpf-sensor.

Default ABI

The default ABI assumes that probes are in their own section with the name <probe type>/<probe name> (e.g., kprobe/sys_process_vm_writev). Maps are also assumed to be prefixed with maps, followed by the map name (e.g., maps/wpm_events). It is common in many eBPF examples for maps to all be placed in the same section, simply called maps. If this is the case, you will need to provide your own custom section parser (see below examples).

Here is a snippet of what a default eBPF program might look like.

struct bpf_map_def SEC("maps/wpm_events") write_process_memory_events = {
    // map configuration goes here
};

SEC("kprobe/sys_ptrace_write")
int kprobe__sys_ptrace_write(struct pt_regs *__ctx)
{
    // probe configuration goes here
}
Examples

This example creates a new ProgramBlueprint with the default section parser.

use std::path::PathBuf;
use oxidebpf::ProgramBlueprint;
use std::fs;

ProgramBlueprint::new(
    fs::read(
        PathBuf::from(env!("CARGO_MANIFEST_DIR"))
        .join("test")
        .join(format!("test_program_{}", std::env::consts::ARCH)),
    )
    .unwrap()
    .as_slice(),
    None,
)
.unwrap();

This example creates a new ProgramBlueprint with a custom section parser.

use std::path::PathBuf;
use oxidebpf::blueprint::{ProgramBlueprint, SectionType};
use oxidebpf::ProgramType;
use std::fs;

let program_bytes = fs::read(
        // your program here
    )
    .unwrap()
    .as_slice();

let section_types = vec![
    SectionType::Map { section_prefix: "mymap" },
    SectionType::Program {
        section_prefix: "probes",
        program_type: ProgramType::Kprobe,
    },
];

let program_blueprint = ProgramBlueprint::new(&program_bytes, Some(section_types))?;

The test.o program loaded by this custom parser might look like this:

struct bpf_map_def SEC("mymap") my_map = {
    .type = BPF_MAP_TYPE_PERF_EVENT_ARRAY,
    .key_size = sizeof(u32),
    .value_size = sizeof(u32),
    .max_entries = 1024,
    .pinning = 0,
    .namespace = "",
};

SEC("probes/sys_setuid")
int kprobe__sys_setuid(struct pt_regs *regs)
{
    return 0;
}

Trait Implementations

Returns a copy of the value. Read more

Performs copy-assignment from source. Read more

Formats the value using the given formatter. Read more

Returns the “default value” for a type. Read more

Auto Trait Implementations

Blanket Implementations

Gets the TypeId of self. Read more

Immutably borrows from an owned value. Read more

Mutably borrows from an owned value. Read more

Performs the conversion.

Performs the conversion.

The resulting type after obtaining ownership.

Creates owned data from borrowed data, usually by cloning. Read more

🔬 This is a nightly-only experimental API. (toowned_clone_into)

Uses borrowed data to replace owned data, usually by cloning. Read more

The type returned in the event of a conversion error.

Performs the conversion.

The type returned in the event of a conversion error.

Performs the conversion.