I'm currently working on a use case where I'm running an eBPF program inside a Docker container. I want to filter requests based on the process ID (PID), but I've encountered an issue with the PIDs obtained from my hooks (refer). Specifically, I've put a hook on cgroup/connect4, but when I try to load the program, I receive the error message unknown func bpf_get_ns_current_pid_tgid#120.
However, when I use the bpf_get_ns_current_pid_tgid function within a kprobe method, it works fine. I suspect that bpf_get_ns_current_pid_tgid might not be supported in every eBPF program type.
Could anyone provide information on which eBPF program types support the bpf_get_ns_current_pid_tgid helper function? I would greatly appreciate any insights or references to documentation that can help clarify this compatibility issue.
Thank you in advance for your assistance!
You are correct: not all helper functions are available in all contexts. The bpf_get_ns_current_pid_tgid function is only available in the following program types:
BPF_PROG_TYPE_KPROBE
BPF_PROG_TYPE_LSM
BPF_PROG_TYPE_PERF_EVENT
BPF_PROG_TYPE_RAW_TRACEPOINT
BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
BPF_PROG_TYPE_SYSCALL
BPF_PROG_TYPE_TRACEPOINT
BPF_PROG_TYPE_TRACING
However, if it's the PID of the calling process that you need, you can use the bpf_get_current_pid_tgid helper, which is available in the following program types:
BPF_PROG_TYPE_CGROUP_SOCK
BPF_PROG_TYPE_CGROUP_SOCK_ADDR
BPF_PROG_TYPE_KPROBE
BPF_PROG_TYPE_LSM
BPF_PROG_TYPE_PERF_EVENT
BPF_PROG_TYPE_RAW_TRACEPOINT
BPF_PROG_TYPE_RAW_TRACEPOINT_WRITABLE
BPF_PROG_TYPE_SK_MSG
BPF_PROG_TYPE_SYSCALL
BPF_PROG_TYPE_TRACEPOINT
BPF_PROG_TYPE_TRACING
For other helper functions, you can run the bpftool feature command to figure this out for any helper function on your local system.
Alternatively, you can find the struct bpf_verifier_ops for the program type you are interested in, then look at the *_func_proto function indicated by its .get_func_proto field (sock_addr_func_proto in this case), which reveals what helper calls are allowed. The advantage of going to the sources is that they also show additional requirements such as kconfig settings, attachment types and runtime mode restrictions not detailed in the bpftool output.
EDIT (Nov 22, 2024):
As of kernel v6.10, all program types can make use of both the bpf_get_current_pid_tgid and bpf_get_ns_current_pid_tgid helpers. See the commit and patch set.
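The answer above points at bpftool feature probing to check helper availability per program type. Here is an added example (not code from the question or the answer) that parses output in the shape bpftool prints for its helper scan and answers whether a given SEC() name's program type may call a given helper; the probe excerpt is constructed, and the SEC()-to-program-type table is a small hypothetical subset.

```python
"""Added example (not from the question or answer): answer "can program type T
call helper H?" from `bpftool feature probe` output, as the answer suggests."""
import re
from typing import Dict, Optional, Set
# Constructed excerpt in the shape of the helper section of `bpftool feature
# probe kernel`, cut down to two program types; on a pre-6.10 kernel
# cgroup_sock_addr lacks the ns-aware helper, matching the load error above.
SAMPLE_PROBE_OUTPUT = """\
Scanning eBPF helper functions...
eBPF helpers supported for program type kprobe:
	- bpf_map_lookup_elem
	- bpf_get_current_pid_tgid
	- bpf_get_ns_current_pid_tgid
eBPF helpers supported for program type cgroup_sock_addr:
	- bpf_map_lookup_elem
	- bpf_get_current_pid_tgid
Scanning miscellaneous eBPF features...
"""

# libbpf SEC() prefix -> bpftool program type name (hypothetical table, subset)
SECTION_TO_PROG_TYPE = {
    "cgroup/connect4": "cgroup_sock_addr",
    "kprobe/": "kprobe",
    "lsm/": "lsm",
}
HEADER_RE = re.compile(r"^eBPF helpers supported for program type (\S+):$")
HELPER_RE = re.compile(r"^\s+-\s+(bpf_\w+)\s*$")


def parse_helper_matrix(text: str) -> Dict[str, Set[str]]:
    """Return {program_type: {helper, ...}} from the probe output."""
    matrix: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            matrix.setdefault(current, set())
        elif (m := HELPER_RE.match(line)) and current is not None:
            matrix[current].add(m.group(1))
        elif line.strip():
            current = None  # any other non-blank line ends the section
    return matrix


def helper_supported(matrix, section: str, helper: str) -> Optional[bool]:
    """True/False if the section's type was probed; None if unknown/unprobed."""
    prog_type = next((t for p, t in SECTION_TO_PROG_TYPE.items()
                      if section.startswith(p)), None)
    if prog_type is None or prog_type not in matrix:
        return None
    return helper in matrix[prog_type]
```

A None result (program type missing from the output) is worth treating separately from False: bpftool lists nothing for types it could not probe, for example when run without CAP_BPF.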